3

I'm currently using the following ModSecurity config on my web servers to block countries:

SecGeoLookupDb GeoIP.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,id:1,deny,msg:'Block IN'"
SecRule GEO:COUNTRY_CODE "@streq IN"

Now for a new project I'm looking to allow only certain countries. Can this be done using a default rule that blocks all traffic and something like the following to allow a country?

SecGeoLookupDb GeoIP.dat
SecRule REMOTE_ADDR "@geoLookup" "chain,id:1,pass,msg:'Block IN'"
SecRule GEO:COUNTRY_CODE "@streq IN"
Barry Pollard
vespino

1 Answer

2

Yes, it could. Or you could just do it in one chained rule using something like this:

SecGeoLookupDb /usr/local/geo/data/GeoLiteCity.dat
...
SecRule REMOTE_ADDR "@geoLookup" "chain,id:22,drop,msg:'Non-GB IP address'"
SecRule GEO:COUNTRY_CODE "!@streq GB"

Which will only allow GB.

This example is taken from the documentation: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#GEO

Or to allow multiple countries, try using the @pm operator:

SecRule REMOTE_ADDR "@geoLookup" "chain,id:22,drop,msg:'Non-GB or IE IP address'"
SecRule GEO:COUNTRY_CODE "!@pm GB IE"
Barry Pollard
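
A fail-closed variant of the allow-list, added here as an example and not part of the original answer: in the chained form, an address that is missing from the GeoIP database never matches @geoLookup, so the second rule is not evaluated and the request is let through. The rule ids 1001-1003 and the 403 status are assumptions for illustration; the database path and the GB/IE list are copied from the answer.

```apache
# Added example (not from the original answer). Ids 1001-1003 are assumed
# to be free in your rule set; adjust them to fit your own numbering.
SecGeoLookupDb /usr/local/geo/data/GeoLiteCity.dat

# 1. Run the lookup once, early in request processing, and take no action.
#    On success this populates the GEO collection for the rules below.
SecRule REMOTE_ADDR "@geoLookup" \
    "id:1001,phase:1,pass,nolog"

# 2. Fail closed: an empty GEO collection means the lookup found nothing
#    (for example an address the database does not cover).
SecRule &GEO "@eq 0" \
    "id:1002,phase:1,deny,status:403,log,msg:'GeoIP lookup failed'"

# 3. Refuse every country that is not on the allow-list.
SecRule GEO:COUNTRY_CODE "!@pm GB IE" \
    "id:1003,phase:1,deny,status:403,log,msg:'Country not on allow-list'"
```

Rule 1002 also rejects private and loopback addresses, which have no country in the database, so exempt internal health checks or monitoring sources before these rules if they are needed.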