
F5 iRule Geolocation restriction

AbdullahAlshehri
Altostratus

Hello,

I want to know how I can restrict access to one specific country only via an iRule.

For example: allow access only to users from "US" and block all other countries.


6 REPLIES

David_S_
Nimbostratus

I would make sure the LTM is updated with the latest GeoLocationUpdates from F5. Otherwise you will likely block valid US addresses.

Here is one very simple way to do this:

#
# Block_non_US_IP
#
# iRule to drop traffic that is not from US addresses
#
when CLIENT_ACCEPTED {
    # whereis with "continent country" returns both fields as one string, e.g. "NA US".
    # The comparison is parenthesised so that "not" applies to the whole test rather
    # than to the whereis result alone.
    if { not ([whereis [IP::client_addr] continent country] equals "NA US") } {
        log local0. "Connection from [IP::client_addr] [whereis [IP::client_addr] continent country] to [virtual name] [IP::local_addr] : Blocked."
        drop
    }
}

Hello David,

Thank you for your reply. 

Just to clarify more, I'm using F5 DNS/LTM and I will apply the iRule on the VS.

Also, I prefer to block the traffic when a TCP SYN or UDP packet comes from a non-US country. I got an iRule from clouddocs.f5 that may work:

when FLOW_INIT {
    set ipaddr [IP::client_addr]
    set locale [whereis $ipaddr country]
    log local0. "IP Address/Country $ipaddr/$locale"
    switch $locale {
        "US" { return }
        default { ACL::action drop }
    }
}

David_S_
Nimbostratus

That iRule might need AFM license.

David_Gill
Cirrus
ACCEPTED SOLUTION
when FLOW_INIT {

    #
    # Drop everything except US
    #
    if { ! ([whereis [IP::client_addr] country] equals "US") } {
        log -noname local0. "Dropping connection from [IP::client_addr]/[whereis [IP::client_addr] state country continent ]"
        drop
    } 
}

AFM not required.

Hello David_Gill,

I tested the iRule which I mentioned earlier and it worked fine.

Is there any difference with the one which you mentioned?

Functionally they do the same thing; however, ACL::action drop requires AFM, whereas drop on its own does not, which means the snippet works for a larger audience. Switch is generally used when making more than one comparison (as shown at https://clouddocs.f5.com/api/irules/ACL__action.html), which is why I used a single if statement. There is no need to define any variables either. That said, in both cases the end result is the same.
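An added example, not code posted by anyone in this thread, that extends the accepted approach to an explicit allow list and gives addresses the geolocation database cannot classify their own branch: whereis returns an empty string for those (private ranges, unallocated space, or a stale database), and with a plain "not US" test they fall silently into the drop, which is what makes the GeoLocation update caveat above bite. The allow list and log facility are assumptions for illustration.

```tcl
# Added example: allow-list geolocation filter with an explicit branch for
# unclassified addresses. FLOW_INIT fires on the first TCP SYN or UDP datagram,
# so the decision is made before any payload is processed. No AFM needed.
when FLOW_INIT {
    set client  [IP::client_addr]
    set country [whereis $client country]

    # Assumed allow list; add ISO country codes as required.
    set allowed [list "US"]

    if { [lsearch -exact $allowed $country] >= 0 } {
        # Permitted country: let the flow continue.
        return
    }

    if { $country equals "" } {
        # Not in the geolocation database (RFC 1918 ranges, new allocations,
        # or an out-of-date GeoIP DB). Logged separately so that unexpected
        # drops of internal clients or monitors are visible in the logs.
        # Replace "drop" with "return" here if internal addresses must pass.
        log local0. "Geo filter: no geolocation for $client, dropping"
        drop
        return
    }

    # Any other classified country: drop and record the full location.
    log local0. "Geo filter: dropping $client ([whereis $client continent country])"
    drop
}
```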