I'm currently using the following ModSecurity config on my web servers to block countries:
SecGeoLookupDb GeoIP.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,id:1,deny,msg:'Block IN'"
SecRule GEO:COUNTRY_CODE "@streq IN"
Now for a new project I'm looking to allow only certain countries. Can this be done using a default rule that blocks all traffic and something like the following to allow a country?
SecGeoLookupDb GeoIP.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,id:1,pass,msg:'Block IN'"
SecRule GEO:COUNTRY_CODE "@streq IN"
Yes, it could. Or you could just do it in one chained rule using something like this:
SecGeoLookupDb /usr/local/geo/data/GeoLiteCity.dat
...
SecRule REMOTE_ADDR "@geoLookup" "chain,id:22,drop,msg:'Non-GB IP address'"
SecRule GEO:COUNTRY_CODE "!@streq GB"
Which will only allow GB.
This example is taken from the documentation: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#GEO
Or to allow multiple countries, try using the @pm operator:
SecRule REMOTE_ADDR "@geoLookup" "chain,id:22,drop,msg:'Non-GB or IE IP address'"
SecRule GEO:COUNTRY_CODE "!@pm GB IE"
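An added example, not part of the original answer or of the ModSecurity documentation: in the chained rules above, an address the GeoIP database cannot resolve makes the `@geoLookup` rule itself not match, so the chain never reaches the country check and the request is not dropped. The variant below splits the lookup from the decision so that a failed lookup is denied as well; the rule ids 1001-1003, the 403 status and the phase are assumptions to adapt to your own rule set.

```apache
# Added example: fail-closed country allowlist.
# Rule ids 1001-1003 are arbitrary placeholders; pick ids that are free in your config.
SecGeoLookupDb /usr/local/geo/data/GeoLiteCity.dat

# 1. Run the lookup once, with no blocking action.
#    On success the GEO collection is populated; on failure it stays empty.
SecRule REMOTE_ADDR "@geoLookup" \
    "id:1001,phase:1,pass,nolog"

# 2. Lookup failed (address not in the database, private range, ...):
#    the GEO collection has zero entries, so deny instead of letting it through.
SecRule &GEO "@eq 0" \
    "id:1002,phase:1,deny,status:403,log,\
    msg:'GeoIP lookup failed for client address'"

# 3. Lookup succeeded, but the country is not on the allowlist (GB and IE here).
SecRule GEO:COUNTRY_CODE "!@pm GB IE" \
    "id:1003,phase:1,deny,status:403,log,\
    msg:'Country not in allowlist',\
    logdata:'%{GEO.COUNTRY_CODE}'"
```

Run it with `SecRuleEngine DetectionOnly` first and review the audit log for rule 1002 hits, since internal health checks and monitoring hosts typically come from addresses the database does not cover.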