Forum Discussion

mbamusa_59409
Oct 16, 2012

Geolocation Irule

Hi All,

I have the following iRule:

    when CLIENT_ACCEPTED {
        if {[ whereis [IP::client_addr] country] eq US ] or [IP::addr [IP::client_addr] equals 10.7.10.1]} {
            set allowed 1
        } else { set allowed 0 }
    }

    when HTTP_REQUEST {
        if { $allowed eq 1 } {
            # Uncomment the line below to turn on logging.
            log local0. "Valid client IP: [IP::client_addr]"
        } else {
            HTTP::respond 403 content "Not Allowed"
        }
    }

But after applying it, it seems that it accepts the second portion (IP::client_addr] eq 1.1.1.34) and does not accept the first one (Country).

Could you please help me on this, and also if there is a way to create a data group for countries?

Thank you

13 Replies

  • This line needs some rounded brackets;

    if { (([whereis [IP::client_addr] country] eq "US") or ([IP::addr [IP::client_addr] equals 10.7.10.1])) }

    And yes, you could create and reference a data group for countries. If there are only a few a switch statement might be better;

    https://devcentral.f5.com/Tutorials...-v101.aspx

     

  • Thank you Steve for your kind reply.

    Can you write an example for a countries data group, please, as I couldn't understand it from the provided link.

    Your kind support is highly appreciated.

    M. Bamusa

  • You're welcome. I'd write an example but I'm just waiting for member nitass to jump in and do a better job than me ;-)
  • e.g.

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm rule myrule
    ltm rule myrule {
        when CLIENT_ACCEPTED {
            set allowed 0
            if { [class match -- [whereis [IP::client_addr] country] equals country_list] or \
                 [IP::addr [IP::client_addr] equals 10.7.10.1] } {
                set allowed 1
            }
        }

        when HTTP_REQUEST {
            if { $allowed } {
                # do something
            } else {
                # do something
            }
        }
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm data-group internal country_list
    ltm data-group internal country_list {
        records {
            SG { }
            US { }
        }
        type string
    }
    
  • Nice example Nitass. Also, if you're using just one country, I think you need to put it in quotes:

    { [whereis [IP::client_addr] country] eq "US" }

    Aaron
  • Thank you guys for your kind inputs. I'll try to test it tomorrow and get back with the result.

    Regards

    M. Bamusa
  • Hi Guys,

    The following iRule works fine:

    when CLIENT_ACCEPTED {
        set allowed 0
        if { [ class match -- [whereis [IP::client_addr] country] eq Allowed_list] or [ IP::addr [IP::client_addr] equals 10.7.10.1 ] } {
            set allowed 1
        }
    }

    when HTTP_REQUEST {
        if { $allowed == 0 } {
            HTTP::respond 403 content "Blocked!"
        }
    }

    I appreciate your kind support.

    Regards

    M. Bamusa


    • Naumin_Dave_144
      Hi Bamusa, I am trying to achieve something like this only. I have one query for you. Can you just tell me, for the above iRule, how can we add a country in the "Allowed_list" data group? My requirement is that I want to publish one application over the internet for India users only.
  • Arie

    If the only condition you're checking for is "India" it would be better to not use a data class due to the overhead.

    when CLIENT_ACCEPTED {
        set allowed 0
        if { [whereis [IP::client_addr] country] eq "IN" } {
            set allowed 1
        }
    }

    when HTTP_REQUEST {
        if { $allowed == 0 } {
            HTTP::respond 403 content "Blocked!"
        }
    }
    
  • Hi Arie,

    I tested this iRule as well, but it is doing exactly the opposite of my requirement. Meaning for India users it is not opening and is sending a page with "Blocked!", and for other country users the page is opening. I am working on it but need your help too for doing the same.

     

    • Stanislas_Piro2
      I confirm this iRule allows only from India... Perhaps the public IP you are using is not assigned to India. Check the localisation database on your F5 with the command: geoip_lookup [your Public IP]
    • Naumin_Dave_144
      Thanks for your instant reply... I have already checked the location issue. I have two M/C: one with DNS address 4.2.2.2 and another with DNS address 121.242.190.211.

      [root@ltm:Active:Standalone] config # geoip_lookup 121.242.190.211
      Will attempt to lookup ip '121.242.190.211'
      No database specified.
      opening database in /shared/GeoIP/F5GeoIP.dat
      size of geoip database = 73530756, segments = 16252928, version = GEO-148 20150806 Build 1 Copyright (c) F5 Networks Inc All Rights Reserved
      geoip_seek = 00f8da67
      geoip record ip = 121.242.190.211
      country_code = IN
      country_name = India
      region_name = Maharashtra
      continent_code = AS

      [root@ltm:Active:Standalone] config # geoip_lookup 4.2.2.2
      Will attempt to lookup ip '4.2.2.2'
      No database specified.
      opening database in /shared/GeoIP/F5GeoIP.dat
      size of geoip database = 73530756, segments = 16252928, version = GEO-148 20150806 Build 1 Copyright (c) F5 Networks Inc All Rights Reserved
      geoip_seek = 00fb6de1
      geoip record ip = 4.2.2.2
      country_code = US
      country_name = United States
      region_name = Colorado
      continent_code = NA
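
The data-group allowlist discussed in this thread, combined with a log line for troubleshooting a client that is blocked unexpectedly. This is an added example, not code from any poster; the data group name Allowed_list and the exempt address 10.7.10.1 are taken from the thread, while the tmsh command in the comment and the log wording are assumptions of this example.

```tcl
# Added example, not from the thread.
# Assumes a string data group Allowed_list holding two-letter country codes,
# created for instance with:
#   tmsh create ltm data-group internal Allowed_list type string records add { IN { } }
# and extended later with:
#   tmsh modify ltm data-group internal Allowed_list records add { US { } }

when CLIENT_ACCEPTED {
    # Default deny: the flag is raised only by an explicit match below.
    set allowed 0

    # Resolve the country once per connection so that the decision and
    # the log line below use the same value.
    set cc [whereis [IP::client_addr] country]

    if { [IP::addr [IP::client_addr] equals 10.7.10.1] } {
        # Single address exempted in the thread's rule, whatever its country.
        set allowed 1
    } elseif { $cc ne "" && [class match -- $cc equals Allowed_list] } {
        # An empty lookup result is treated as "not allowed" (fail closed).
        set allowed 1
    }
}

when HTTP_REQUEST {
    if { !$allowed } {
        # Record what the BIG-IP resolved for this client. If the code here
        # differs from what geoip_lookup reports for the address you expect,
        # the connection is arriving from a different source address
        # (NAT, proxy) than the one you tested.
        log local0. "Geo block: client [IP::client_addr] resolved to country '$cc'"
        HTTP::respond 403 content "Blocked!"
        return
    }
}
```

The log line is written to /var/log/ltm for every blocked request, so remove it or rate-limit it once the rule behaves as expected.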