For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Svevak_211593's avatar
Svevak_211593
Icon for Nimbostratus rankNimbostratus
Feb 25, 2016

whitelist + geoblocking in iRule

Hi,

the problem is I would like to allow some countries and some IPs from not allowed countries to get access.

I'm not quite sure why this won't work:

when CLIENT_ACCEPTED {
        switch[ whereis [IP::client_addr] country ] {
            "DE" { set allowed 1 }
            "AT" { set allowed 1 }
            "CH" { set allowed 1 }
            "LI" { set allowed 1 }
            "LU" { set allowed 1 }
                default { set allowed 0 }
        }
                elseif {
                        if {
                          [matchclass [IP::client_addr] equals datagroup whitelistIP ] } {
                          pool datagroup-whitelistIP
                          }   
        else {
            reject
        }
    }

Can anybody help me?

devops
iRules
security

1 Reply

  • Kai_Wilke's avatar
    Kai_Wilke
    Icon for MVP rankMVP
    Feb 25, 2016

    Hi

    you may try the iRule below as a starting point...

    when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals whitelistIP] } then {
        pool insert_your_pool_name
    } else {
        switch -exact -- [whereis [IP::client_addr] country] {
            "DE" -
            "AT" -
            "CH" -
            "LI" -
            "LU" { 
                pool insert_your_pool_name
            }
            default { 
                reject
            }
        }
    }
}

    Note: Reordered the 

    [if]
    and 
    [switch]
    nestings, optimized the 
    [switch]
    command and finally changed the 
    [matchclass]
    (is a deprecated command) to become 
    [class match]
    .

    Cheers, Kai