ant77
Mar 01, 2024 Cirrostratus
iRule - Using GeoIP to block/allow externally, and allow internal 10.0.0.0/8 subnets.
    # iRule: route matching internal sources to MY_POOL, drop everything
    # whose GeoIP country is not in the allowed data group
    when CLIENT_ACCEPTED {
        if { [class match [IP::client_addr] equals allowed_internal_subnets] } {
            log local0. "Internal Clients allowed: [IP::client_addr]"
            pool MY_POOL
        }
    }
    when FLOW_INIT {
        set ipaddr [IP::client_addr]
        set fromCountry [whereis $ipaddr country]
        if { ![class match $fromCountry equals allowed_geoip_datagroup] } {
            drop
        }
    }

    # Data groups referenced by the iRule
    ltm data-group internal allowed_internal_subnets {
        records {
            10.0.0.0/8 { }
        }
        type ip
    }
    ltm data-group internal allowed_geoip_datagroup {
        records {
            EU { }
            US { }
        }
        type string
    }
Hi everyone!
Need some help here from all the smart people on this forum. We are trying to create an iRule to block all countries not in the data group using the BIG-IP GeoIP database and lookup...however, we still have users within the 10.0.0.0/8 internal subnets needing to connect. When they connect to the VIP, their source address is in the 10.0.0.0/8 range; however, they get dropped by the FLOW_INIT match for some reason....what am I doing wrong and how do I fix this?
Here is what should happen....
- All external internet users coming from US/EU (using the BIG-IP GeoIP lookup database) should be allowed; otherwise all countries not matching this should be dropped...this seems to be working..
- All internal users coming from the 10.0.0.0/8 or RFC 1918 should be allowed and not dropped.
- How do I combine both pieces of logic in one flow?
This iRule is dropping the internal users for some reason...how do we allow all internal users in as well, while dropping external users not matching the GeoIP logic?
Thanks again...
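One way to combine the two checks in a single flow, as an added example that is not part of the original post and not F5's own code: FLOW_INIT fires before CLIENT_ACCEPTED for every new flow, so the GeoIP check runs first, and a private source address has no entry in the GeoIP database, so `whereis` returns an empty string for it, which never matches the country data group. The example below tests the internal data group first inside FLOW_INIT and only consults GeoIP for everything else. It assumes the data-group names, the pool name MY_POOL and the 10.0.0.0/8 record from the post; the log messages are my own.

```tcl
# Added example iRule (not from the original post): internal sources are
# allowed without a GeoIP lookup, external sources must match the allowed
# country list, everything else is dropped at flow setup.
when FLOW_INIT {
    set ipaddr [IP::client_addr]

    # Internal clients (allowed_internal_subnets is a type "ip" data group,
    # e.g. 10.0.0.0/8): allow and skip the GeoIP check entirely.
    if { [class match $ipaddr equals allowed_internal_subnets] } {
        log local0. "Internal client allowed: $ipaddr"
        return
    }

    # External clients: whereis returns the ISO country code, or an empty
    # string when the address is not in the GeoIP database (private and
    # unallocated ranges). Treat "no country" the same as a disallowed one.
    set fromCountry [whereis $ipaddr country]
    if { $fromCountry eq "" || ![class match $fromCountry equals allowed_geoip_datagroup] } {
        log local0. "Dropping $ipaddr (country: '$fromCountry')"
        drop
        return
    }
    log local0. "External client allowed: $ipaddr (country: $fromCountry)"
}

# Pool selection for internal clients stays in CLIENT_ACCEPTED, as in the
# original post; external clients that passed FLOW_INIT use the virtual
# server's default pool.
when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals allowed_internal_subnets] } {
        pool MY_POOL
    }
}
```

To cover all RFC 1918 space rather than only 10.0.0.0/8, add 172.16.0.0/12 and 192.168.0.0/16 as records to allowed_internal_subnets; the iRule itself does not change. Keeping the allow/drop decision in one event (FLOW_INIT) avoids the ordering problem where the GeoIP drop happens before the CLIENT_ACCEPTED allow ever runs.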