WirelessPhreak.com


Version 2 GeoIP and Network whitelisting iRule.  

Implementing version 1 of the iRule highlighted a few shortcomings.  In version 2 I have added a stopgap measure: a second data group to which IP space can be added by hand.  This buys time for F5's Geo-IP database update process and for your company's change management.

Prior to the deployment of version 1 we identified issues with RFC 1918 IP space.  Because private IP space is not defined in the Geo-IP database (whereis returns no country code for it), the version 1 iRule blocked server-to-virtual-server communication whenever it was sourced from a private IP.

The second shortcoming is the frequency of Geo-IP database updates.  F5 is timely with its Geo-IP database updates, but unless you're running their Application Firewall Module, applying them is still a manual process.  IP space is reallocated on a daily basis, which means you will always be playing catch-up.  This is why I added the manual network data group.  It can be used as a stop gap for newly allocated public ranges that the database does not yet map to an allowed country, and it also lets you add any private IP space you need to allow.

Here is the rule:
# Geo-IP_Network_Whitelist_acl_rule
#
# v2.0 - May 9 2014
#
# BIG-IP versions 11.x (tested on 11.3.8)
#
# Purpose:
#   This rule should be added to a network virtual server to catch all requests
#   which don't match an allowed GeoIP country code or IP network/host.  This
#   creates a whitelist of countries, networks and hosts that are allowed to
#   connect to the virtual server.  By default, log entries are written to
#   /var/log/ltm.
#
#   The rule expects the following two data groups, which define the allowed
#   country codes (example: US, CA) and the allowed networks or hosts
#   (example: 10.0.0.0/8) that may connect to the virtual server.
#
#   Clients that match on either the GeoIP or the Network data group are allowed
#   through to the default pool.  Clients that match neither are rejected at the
#   TCP layer and see a "web page not available" error in the browser.
#
#   The data group names must be:
#
#   geo_allowed_country (string Data Group List; entries must match the case
#                        that "whereis ... country" returns, i.e. upper-case
#                        two-letter codes such as US, CA)
#   geo_allowed_network (network Data Group List)
#
#   Note: whereis returns an empty string for addresses that are not in the
#   Geo-IP database (RFC 1918 space in particular), so such clients can only be
#   admitted through geo_allowed_network.
#
# This event is triggered when a client - BIG-IP TCP connection is established
when CLIENT_ACCEPTED {
    # Look the country up once; reuse it for the match and for the log line
    set cc [whereis [IP::client_addr] country]

    if { $cc ne "" && [class match $cc equals geo_allowed_country] } {
        # Allowed by country: let the connection through and record it
        log local0. "Geo-IP Code $cc accepted from client: \
            [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
    } elseif { [class match [IP::client_addr] equals geo_allowed_network] } {
        # Allowed by a network/host entry: let the connection through and record it
        log local0. "Network accepted from client: \
            [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
    } else {
        # No match on either data group: tear down the TCP connection
        reject
        log local0. "Client request rejected (country '$cc'): \
            [IP::client_addr]:[TCP::client_port] -> [IP::local_addr]:[TCP::local_port]"
    }
}
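To go with the rule, here is how the two data groups it expects can be created from tmsh, how the rule is attached to a virtual server, and how a prefix is added to the manual network group as a stop gap.  This is an added example, not part of the original post: the virtual server name geo_vs and the prefix 203.0.113.0/24 are placeholders, and the country codes are written in the case that whereis returns.

```tmsh
# Added example (not from the original post): create the data groups the rule
# expects.  Country codes must match what "whereis ... country" returns.
create ltm data-group internal geo_allowed_country type string records add { US { } CA { } }

# Network data group: RFC 1918 space, so internal servers can reach the virtual
# server even though whereis returns no country for private addresses.
create ltm data-group internal geo_allowed_network type ip records add { 10.0.0.0/8 { } 172.16.0.0/12 { } 192.168.0.0/16 { } }

# Attach the rule to the virtual server ("geo_vs" is a placeholder name).
modify ltm virtual geo_vs rules { Geo-IP_Network_Whitelist_acl_rule }

# Stop gap: a newly allocated public range (203.0.113.0/24 is documentation
# space, used here as a placeholder) that the Geo-IP database does not yet map
# to an allowed country.  Remove it again once the database update lands.
modify ltm data-group internal geo_allowed_network records add { 203.0.113.0/24 { } }

# Verify the records are present, then persist the change.
list ltm data-group internal geo_allowed_network
save sys config
```

Keep the stopgap entries in geo_allowed_network under change control and review the group after each Geo-IP update; anything left in it is an exception to the country policy that will otherwise never be cleaned up.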


Enjoy!