This post contains NetScaler configuration information to help you block or deny access to your website based on the user’s country, using a GeoIP database and returning an HTML page to blocked clients. The scenario is the following: we would like to increase the security of a website by allowing connections only from Sweden, Germany, the Netherlands and Luxembourg.
Here follows the configuration needed to make this work:
1. Access to the GeoLite data created by MaxMind; the free version is available from MaxMind.
2. Access to the GeoLite Country database, which can be downloaded in CSV format from GeoLite Country; save it as “GeoIP.csv”.
3. Create a folder named “geoip” under “/var” on the NetScaler appliance and upload the file to it as “/var/geoip/GeoIP.csv”.
4. Run the following command to import the location file:
add locationfile /var/geoip/GeoIP.csv -format GeoIP-Country
or do the same thing through the Web GUI
5. Run the following command to verify that the file was imported properly (Warnings and Errors should both be 0):
smali-vpx> show locationparameter
 Static Proximity
 ----------------
 Database mode: File
 Flushing: Idle; Loading: Idle
 Context: geographic
 Qualifier 1 label: Continent
 Qualifier 2 label: Country
 Qualifier 3 label: Region
 Qualifier 4 label: City
 Qualifier 5 label: ISP
 Qualifier 6 label: Organization
 Location file (format: geoip-country): /var/geoip/GeoIP.csv
 Lines: 92653 Warnings: 0 Errors: 0
 Current static entries: 92653
 Current custom entries: 0
 Done
6. Run the following command to create a responder action:
add responder action "Display Banned Page" respondwith "\"<html><body><br><b>ATTENTION</b><br></br>You are connecting to yourcompany from the following IP address <b>(\"+CLIENT.IP.SRC+\")</b>. <br>This IP is categorised as banned, therefore you are getting this page displayed and unfortunately no access will be provided to our resources.<br><br>Sincerely,<br><b>Company Administrators</b></br></body></html>\"" -bypassSafetyCheck
7. Run the following command to create a responder policy.
Note: In this configuration we also want to block all IP addresses that are used by anonymizers or VPN services (the A1 country code).
add responder policy Drop_None_Allowed_Countries "CLIENT.IP.SRC.MATCHES_LOCATION(\"*.SE.*.*.*.*\").NOT && CLIENT.IP.SRC.MATCHES_LOCATION(\"*.NL.*.*.*.*\").NOT && CLIENT.IP.SRC.MATCHES_LOCATION(\"*.DE.*.*.*.*\").NOT && CLIENT.IP.SRC.MATCHES_LOCATION(\"*.LU.*.*.*.*\").NOT && CLIENT.IP.SRC.MATCHES_LOCATION(\"*.A1.*.*.*.*\")" "Display Banned Page"
8. Run the following command to bind the policy to a virtual server:
bind lb vserver <vservername> -policyName Drop_None_Allowed_Countries -priority 100
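To see what the policy in step 7 actually decides before binding it, here is an added Python model of the whole chain (not NetScaler code and not part of the original post): it parses a small constructed file in the legacy GeoLite Country CSV layout that "-format GeoIP-Country" expects, looks up a client address the way the static location database does, and evaluates the step 7 expression once with "&&" before the A1 term (as written) and once with "||". The IP ranges and their country codes are constructed from RFC 5737 documentation blocks, not real GeoLite data; the allow-list is the post's four countries.

```python
import csv
import io
import ipaddress
from bisect import bisect_right

# Constructed sample in the legacy GeoLite Country CSV layout:
# "start_ip","end_ip",start_int,end_int,"country_code","country_name".
# The blocks are RFC 5737 documentation ranges, not real GeoLite assignments.
SAMPLE_GEOIP_CSV = '''\
"192.0.2.0","192.0.2.255",3221225984,3221226239,"SE","Sweden"
"198.51.100.0","198.51.100.127",3325256704,3325256831,"US","United States"
"198.51.100.128","198.51.100.255",3325256832,3325256959,"DE","Germany"
"203.0.113.0","203.0.113.255",3405803776,3405804031,"A1","Anonymous Proxy"
'''

# The four countries the post allow-lists.
ALLOWED_COUNTRIES = {"SE", "NL", "DE", "LU"}


class LocationTable:
    """In-memory stand-in for the appliance's static location database."""

    def __init__(self, rows):
        self.rows = sorted(rows)                 # (start_int, end_int, cc)
        self.starts = [r[0] for r in self.rows]

    @classmethod
    def from_csv(cls, text):
        rows = []
        for rec in csv.reader(io.StringIO(text)):
            if not rec or rec[0].startswith("#"):
                continue
            start, end, cc = int(rec[2]), int(rec[3]), rec[4].strip().upper()
            # Cross-check the dotted and integer columns; a mismatching row is the
            # kind of line that would be counted under Warnings/Errors on import.
            if (int(ipaddress.ip_address(rec[0])) != start
                    or int(ipaddress.ip_address(rec[1])) != end):
                raise ValueError(f"dotted/integer columns disagree: {rec}")
            if end < start:
                raise ValueError(f"range end before start: {rec}")
            rows.append((start, end, cc))
        return cls(rows)

    def country(self, ip):
        """Country-code qualifier for ip, or None when no range covers it."""
        n = int(ipaddress.ip_address(ip))
        i = bisect_right(self.starts, n) - 1     # last range starting at or below n
        if i >= 0 and self.rows[i][0] <= n <= self.rows[i][1]:
            return self.rows[i][2]
        return None


def matches_location(cc, wanted):
    """Model CLIENT.IP.SRC.MATCHES_LOCATION("*.<wanted>.*.*.*.*"); an address that
    is absent from the database matches no pattern at all."""
    return cc is not None and cc == wanted


def policy_as_posted(cc):
    """The step 7 expression with '&&' before the A1 term."""
    outside_allow_list = all(not matches_location(cc, c) for c in ALLOWED_COUNTRIES)
    return outside_allow_list and matches_location(cc, "A1")


def policy_corrected(cc):
    """The same expression with '||' before the A1 term."""
    outside_allow_list = all(not matches_location(cc, c) for c in ALLOWED_COUNTRIES)
    return outside_allow_list or matches_location(cc, "A1")


def decide(table, ip, policy):
    """'BLOCK' if the responder policy fires for this client address, else 'ALLOW'."""
    return "BLOCK" if policy(table.country(ip)) else "ALLOW"


TABLE = LocationTable.from_csv(SAMPLE_GEOIP_CSV)

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.5", "203.0.113.9", "10.0.0.1"):
        print(ip, TABLE.country(ip),
              "posted:", decide(TABLE, ip, policy_as_posted),
              "corrected:", decide(TABLE, ip, policy_corrected))
```

Running it shows the practical difference: with "&&" the policy only fires for addresses that are both outside the four countries and tagged A1, so an ordinary address from any other country (the constructed US block) is let through; with "||" every address outside the allow-list is blocked, and so is any address the database does not know at all, because MATCHES_LOCATION is false for every pattern on an unknown address. Note also that under "||" the A1 term is logically redundant, since an A1 address already fails all four country tests; it is worth keeping only as documentation of intent.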
Excellent write up Peter.
Just two small corrections.
1. On the responder action you might need to add a parameter for bypass, like:
-bypassSafetyCheck YES
2. On the responder policy the last logic for A1 should be “OR”, otherwise you are not matching anything:
…snip
CLIENT.IP.SRC.MATCHES_LOCATION(\"*.LU.*.*.*.*\").NOT || CLIENT.IP.SRC.MATCHES_LOCATION(\"*.A1.*.*.*.*\")" "Display Banned Page"