Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

F5 iRule Geolocation restriction

Go to solution
AbdullahAlshehri
Altostratus
Altostratus

‎26-Apr-2022 11:49

Hello,

I want to know how I can restrict the access to specific one country only via iRule.

For example: allow only users to access from "US" and block all other countries.

Labels:
0 Kudos
1 ACCEPTED SOLUTION

Go to solution
David_Gill
Cirrus
Cirrus

‎28-Apr-2022 10:49 

when FLOW_INIT {

    #
    # Drop everything except US
    #
    if { ! ([whereis [IP::client_addr] country] equals "US") } {
        log -noname local0. "Dropping connection from [IP::client_addr]/[whereis [IP::client_addr] state country continent ]"
        drop
    } 
}

AFM not required.

View solution in original post

0 Kudos
6 REPLIES 6

Go to solution
David_S_
Nimbostratus
Nimbostratus

‎26-Apr-2022 18:19

I would make sure the LTM is updated with the latest GeoLocationUpdates from F5. Otherwise you will likely block valid US addresses.

Here is one very simple way to do this:

#
# Block_non_US_IP
#
# iRule to drop traffic that is not from US addresses
#
when CLIENT_ACCEPTED {
if { not [whereis [IP::client_addr] continent country] == "NA US" } {
log local0. "Connection from [IP::client_addr] [whereis [IP::client_addr] continent country] to [virtual name] [IP::local_addr] : Blocked."
drop
}
}

0 Kudos

Go to solution
AbdullahAlshehri
Altostratus
Altostratus
In response to David_S_

‎26-Apr-2022 18:59

Hello David,

Thank you for your reply. 

Just to clarify more, I'am using F5 DNS/LTM and I will apply the iRule on the VS.

Also, I prefer to block the traffic when TCP-SYN or UDP packet come from non-US country. I got iRule from clouddocs.f5 that may will work

when FLOW_INIT {

set ipaddr [IP::client_addr]

set locale [whereis $ipaddr country]

log local0. "IP Address/Counry $ipaddr/$locale"

switch $locale {

"US" { return }

default { ACL::action drop }

}

}

0 Kudos

Go to solution
David_S_
Nimbostratus
Nimbostratus

‎26-Apr-2022 19:25

That iRule might need AFM license.

0 Kudos

Go to solution
David_Gill
Cirrus
Cirrus

‎28-Apr-2022 10:49 

when FLOW_INIT {

    #
    # Drop everything except US
    #
    if { ! ([whereis [IP::client_addr] country] equals "US") } {
        log -noname local0. "Dropping connection from [IP::client_addr]/[whereis [IP::client_addr] state country continent ]"
        drop
    } 
}

AFM not required.

0 Kudos

Go to solution
AbdullahAlshehri
Altostratus
Altostratus
In response to David_Gill

‎28-Apr-2022 19:38

Hello  David_Gill,

I tested the iRule which I mentioned early and it worked fine.

Is there any difference with the one which you mentioned?

 

0 Kudos

Go to solution
David_Gill
Cirrus
Cirrus
In response to AbdullahAlshehri

‎29-Apr-2022 03:47

Functionally they do the same thing however ACL::action drop requires AFM whereas drop on its own does not which means the snippet works for a larger audience. Switch is generally used when making more than one comparison (as shown at https://clouddocs.f5.com/api/irules/ACL__action.html) which is why I used a single if statement. There is no need to define any variables either. That said, in both cases the end result is the same.

Copyright © 2023 Khoros, LLC