This post contains NetScaler configuration to block or deny access to your website based on the user’s country, using a GeoIP database and returning an HTML page. The scenario is the following: we would like to increase the security of a website by allowing connections only from Sweden, Germany, the Netherlands and Luxembourg.

Here follows the configuration needed to make this work:
 
1. Access to GeoLite data created by MaxMind, which is available at MaxMind.
Get the free version from here….

2. Download the GeoLite Country database in CSV format from GeoLite Country and name the file “GeoIP.csv”.

3. Create a folder called “geoip” under “/var” on the NetScaler appliance, then upload the file to it so that it ends up at “/var/geoip/GeoIP.csv”.

4. Run the following command to import the location file:

add locationfile /var/geoip/GeoIP.csv -format GeoIP-Country

or do the same thing through the Web GUI
 

5. Run the following command to verify if the file is imported properly:

smali-vpx> show locationparameter
Static Proximity
----------------
Database mode: File
Flushing: Idle; Loading: Idle
Context: geographic
Qualifier 1 label: Continent
Qualifier 2 label: Country
Qualifier 3 label: Region
Qualifier 4 label: City
Qualifier 5 label: ISP
Qualifier 6 label: Organization
Location file (format: geoip-country):
  /var/geoip/GeoIP.csv
  Lines: 92653 Warnings: 0 Errors: 0
Current static entries: 92653
Current custom entries: 0
Done

6. Run the following command to create a responder action (use plain ASCII quotes when pasting into the CLI):

add responder action "Display Banned Page" respondwith "\"<html><body><br><b>ATTENTION</b><br></br>You are connecting to yourcompany from the following IP address <b>(\"+CLIENT.IP.SRC+\")</b>. <br>This IP is categorised as banned, therefore you are getting this page displayed and unfortunately no access will be provided to our resources.<br><br>Sincerely,<br><b>Company Administrators</b></br></body></html>\"" -bypassSafetyCheck YES

7. Run the following command to create a responder policy.

Note: In this configuration we also block all IP addresses that are used as anonymizers or VPN services (A1). The A1 check is joined to the country checks with ||, so a request is blocked when its source is outside the four allowed countries or is classified as A1. Joining it with && would make the policy match A1 addresses only and let every other country through.

add responder policy Drop_None_Allowed_Countries "(CLIENT.IP.SRC.MATCHES_LOCATION(\"*.SE.*.*.*.*\").NOT && CLIENT.IP.SRC.MATCHES_LOCATION(\"*.NL.*.*.*.*\").NOT && CLIENT.IP.SRC.MATCHES_LOCATION(\"*.DE.*.*.*.*\").NOT && CLIENT.IP.SRC.MATCHES_LOCATION(\"*.LU.*.*.*.*\").NOT) || CLIENT.IP.SRC.MATCHES_LOCATION(\"*.A1.*.*.*.*\")" "Display Banned Page"

8. Run the following command to bind the policy to a virtual server:

bind lb vserver <vservername> -policyName Drop_None_Allowed_Countries -priority 100
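
An offline check of the allowlist logic from steps 7 and 8, added here as an example and not part of the original post: it looks up test addresses in GeoLite-style CSV rows and shows the block decision when the A1 clause is OR-ed versus AND-ed with the country clauses. The sample rows, the assumed column layout (start IP, end IP, start integer, end integer, country code, country name) and all function names are constructed for illustration.

```python
import csv
import io
import ipaddress
from bisect import bisect_right

ALLOWED = {"SE", "NL", "DE", "LU"}  # countries the post allows
ANON = "A1"                         # GeoLite code for anonymizers / VPN services

# Constructed sample rows (documentation IP ranges). Assumed column layout:
# start_ip, end_ip, start_int, end_int, country_code, country_name
SAMPLE_CSV = '''"192.0.2.0","192.0.2.255","3221225984","3221226239","SE","Sweden"
"198.51.100.0","198.51.100.255","3325256704","3325256959","US","United States"
"203.0.113.0","203.0.113.255","3405803776","3405804031","A1","Anonymous Proxy"
'''

def load_ranges(text):
    """Return sorted (start, end, country_code) tuples from the CSV text."""
    rows = csv.reader(io.StringIO(text))
    return sorted((int(r[2]), int(r[3]), r[4]) for r in rows if len(r) >= 5)

def country_of(ranges, ip):
    """Country code for ip, or None when no range covers it."""
    # Assumption: an address missing from the file matches no location pattern.
    n = int(ipaddress.IPv4Address(ip))
    i = bisect_right([r[0] for r in ranges], n) - 1
    return ranges[i][2] if i >= 0 and n <= ranges[i][1] else None

def blocked_or(cc):
    """(not in an allowed country) OR anonymizer: the allowlist the post describes."""
    return cc not in ALLOWED or cc == ANON

def blocked_and(cc):
    """Same clauses with the A1 test AND-ed on: reduces to 'block A1 only'."""
    return cc not in ALLOWED and cc == ANON

def report(ranges, ips):
    """Map each test IP to (country, blocked with OR, blocked with AND)."""
    out = {}
    for ip in ips:
        cc = country_of(ranges, ip)
        out[ip] = (cc, blocked_or(cc), blocked_and(cc))
    return out

if __name__ == "__main__":
    test_ips = ["192.0.2.10", "198.51.100.7", "203.0.113.99", "10.1.2.3"]
    for ip, row in report(load_ranges(SAMPLE_CSV), test_ips).items():
        print(ip, row)
```

If the uploaded file uses the assumed column layout, passing the contents of /var/geoip/GeoIP.csv to load_ranges lets you confirm the decision for known client addresses before binding the policy.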