Forum Discussion

ant77's avatar
ant77
Icon for Cirrostratus rankCirrostratus
Mar 01, 2024

iRule - Using GeoIP to block/allow externally, and allow internal 10.0.0.0/8 subnets.

when CLIENT_ACCEPTED {
if { [class match [IP::client_addr] equals allowed_internal_subnets] } {
        log local0. "Internal Clients allowed: \ [IP::client_addr]" 
  pool MY_POOL
  }
}

when FLOW_INIT {
    set ipaddr [IP::client_addr]
    set fromCountry [whereis $ipaddr country]
    if {! [class match $fromCountry equals allowed_geoip_datagroup]}{
    drop
   }
  }


ltm data-group internal allowed_internal_subnets]{
    records {
        10.0.0.0/8 { }
    }
    type ip
}


ltm data-group internal allowed_geoip_datagroup {
    records {
        EU { }
        US { }
    }
    type string
}

Hi everyone! 

Need some help here from all the smart people on this forum. We are trying to create an Irule to block 

all countries not in the data group using the BigIP GeoIP database and lookup...however, we still have users within the 10.0.0.0/8 internal subnets needing to connect. When they connect to the VIP, their source address is in the 10.0.0.0/8 range, however, they get dropped by the FLOW_INT match for some reason....what am I doing wrong and how do I fix this?

Here is what it should happen....

 

  1. All external internet users coming from US/EU (using the bigip geoip lookup database) should be allowed, otherwise all countries not matching this should be dropped...this seems to be working..
  2.  All internal users coming from the 10.0.0.0/8 or RFC 1918 should be allowed and not dropped.
  3. How do I add both logic together in one flow?

This irule is dropping the internal users for some reason...how do we allow all internal users in also, while dropping external users not matching the GeoIP logic? 

 

Thanks again...

 

 

 

application delivery
devops
irule
security

4 Replies

Sort By
  • Niels_van_Sluis's avatar
    Niels_van_Sluis
    Icon for MVP rankMVP
    Mar 02, 2024

    This should work.

     

    when CLIENT_ACCEPTED {
    if { [class match [IP::client_addr] equals allowed_internal_subnets] } {
        log local0. "Internal Clients allowed: \ [IP::client_addr]" 
        pool MY_POOL
    }
}

when FLOW_INIT {
    set ipaddr [IP::client_addr]
    set fromCountry [whereis $ipaddr country]
    if {! [class match $fromCountry equals allowed_geoip_datagroup] && ! [class match [IP::client_addr] equals allowed_internal_subnets]}{
        drop
    }
}
    • ant77's avatar
      ant77
      Icon for Cirrostratus rankCirrostratus
      Mar 02, 2024
      when FLOW_INIT {
    set ipaddr [IP::client_addr]
    set fromCountry [whereis $ipaddr country]
    if {! [class match $fromCountry equals allowed_geoip_datagroup] && ! [class match [IP::client_addr] equals allowed_internal_subnets]}{
        drop
    }
}

      Hi Niels,

      Thanks for you reply...I was wondering if I can use use this event statement instead of the  "CLIENT_ACCEPTED" because this will be

      tied to multiple VIPs.  We just want to allow the internal subnets, but not allow any external client's that does not meet where they are coming from, i.e....country code (US and EU)... Would using just the FLOW_INIT work?

       

      • Niels_van_Sluis's avatar
        Niels_van_Sluis
        Icon for MVP rankMVP
        Mar 02, 2024

        Hi,

        Yes, for restricting access, the FLOW_INIT event would be sufficient. The CLIENT_ACCEPT event in your case does something extra. It assigns a specific pool for internal users. So it's possible to create a general irule containing the FLOW_INIT event for use on multiple virtual servers and an extra iRule holding the CLIENT_ACCEPTED event for the virtual server that needs it.