Help tweaking my iRule

jlb4350
Altocumulus

Hello all. I have an outbound virtual server that allows all traffic and protocols to any address, it's a wildcard outbound. I'm wanting to use an iRule to block outbound connections to Russia using data referenced in a data group. I created the following data group and iRule, but it ended up blocking everything when I attached it to my wildcard outbound VS. Are there any iRule gurus who can help me tweak this? Any help is much appreciated!

Data group:
datagroup.png

iRule:
russiablockirule.png

6 REPLIES

David_Larsen
F5 Employee

You are running into a formatting issue with your datagroup. The datagroup String should be RU and no value necessary. This is a good reference: https://support.f5.com/csp/article/K43383890

Interesting. So I should just put RU in the string field and nothing in the value field, and that will be my string record, like this:
RU.png

How about the iRule, does that part look alright?

Thank you for your reply and help!

The iRule is slightly wrong in that it is trying to pull out a value of RU and then matching the IP address to the value which would never happen.  I would use the framework set in the support article and do something like this:

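when SERVER_CONNECTED {
    # On the server side, the remote address is the outbound destination
    set ipaddr [IP::remote_addr]
    # Look up the two-letter country code for that address
    set fromCountry [whereis $ipaddr country]
    # Compare the country code against the record strings in the data group
    if { [class match $fromCountry equals GeoIPOutboundBlockRussia] } {
        log local0. "Attacker IP [IP::client_addr]"  ;#  This can be removed/commented out if not required
        drop
    }
}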

jlb4350
Altocumulus

Perfect, I'll give that a try and see what happens tonight. I'll report back, thank you again for your help!

Did it work? Just curious.

jlb4350
Altocumulus

Sorry for the late reply, I've been traveling.

I ended up piecing together a few iRules that I found to come up with this and it works perfectly. I may tweak it in the future, but this is working. It involves the countries to block access to in a data group and the iRule to reference that group:

blacklist.png
blockoutbound.png