iRule to only allow traffic from US, Canada and private networks....

Question

We have a current iRule that only accepts traffic from the US or private networks ( non-routable ).  Shown below :
when CLIENT_ACCEPTED {
if {not ([whereis [IP::client_addr] country] eq "US") and not ([class match [IP::client_addr] equals "private_net"])
}
{reject}
}

We have now been asked to allow Canada as well.  We are very new to F5 and iRules and are unable to figure out the logic needed.
Any assistance would be greatly appreciated.  TIA.

lee_sutcliffe · Answer

Canada has a country code of 'CA' (see https://www.iso.org/obp/ui/search ) you could add another 'and' like the one for 'US' It might however be easier to maintain if you create a datagroup with the country codes, much like you've done with the IP addresses&nbsp;for example:&nbsp;when CLIENT_ACCEPTED {
  if {!([class match [whereis [IP::client_addr] country] equals "country_dg"]) &amp;&amp; !([class match [IP::client_addr] equals "private_net"])}{
    reject
  }
}

oguzy · Answer

Hi Tyson,&nbsp;You can try the below code:&nbsp;when CLIENT_ACCEPTED {
 if { not ([whereis [IP::client_addr] country] eq "US") and not ([whereis [IP::client_addr] country] eq "CA")} {
    if { not ( [class match [IP::client_addr] equals private_net] ) } {
        reject
    }
  } 
 }

Forum Discussion

iRule to only allow traffic from US, Canada and private networks....

2 Replies

Recent Discussions

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Related Content

Using F5 Distributed Cloud Network Connect to transit, route, & secure private cloud environments

What is Multi-Cloud Networking?

A complete Multi-Cloud Networking walkthrough with F5 Distributed Cloud

BIG-IP Orchestrate in private Data Center using Terraform Cloud Agent

Demo Guide & Video Series for F5 Distributed Cloud Network Connect (Multi-Cloud Networking)