Modsecurity block access from all countries except from a specific IP or specific remote host

I have the below 3 rules in modsecurity.

Rule 1: Block all countries defined as high risk except US:

SecAction \
 "id:900600,\
  phase:1,\
  nolog,\
  pass,\
  t:none,\
  setvar:'tx.high_risk_country_codes = AD AE AF AG AI AL AM AO AQ AR...'"

#Allow only the below countries
SecRule REMOTE_ADDR "@geoLookup" "chain,id:2000001,drop,msg:'Countries allowed'"
SecRule GEO:COUNTRY_CODE "!@pm US"

Rule 2: Allow access from the following IP:

SecRule REMOTE_ADDR "^XX\.XX\.XX\.XX$" "phase:1,id:2000002,nolog,allow,msg:'Allow access from IP XX.XX.XX.XX'"

Rule 3: Allow access from the following remote host:

SecRule REMOTE_HOST "host\.name\.com$" "phase:1,id:2000003,nolog,allow,msg:'Allow access from host.name.com'"

All rules work well if we take any one of them. However, I'd like to "merge" them into one rule which does the following:

Block all access from the forbidden countries (Rule 1), except when the request comes from IP XX.XX.XX.XX (Rule 2) or except when the host is host.name.com (Rule 3).

How can I do that in ModSecurity?

Answer by franbuehler:

CRS Dev-On-Duty here. I think you can achieve your goal with the action skipAfter and a SecMarker.

  • Add SecMarker BEGIN_IP_CHECK
  • Add rule 2 and add skipAfter:END_IP_CHECK to rule 2.
  • Add rule 3 and add skipAfter:END_IP_CHECK to rule 3.
  • Add rule 1 (which will only be processed when rule 2 and 3 do not match)
  • Add SecMarker END_IP_CHECK
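
The steps above laid out as one configuration, as an added example that is not part of the original answer; rule ids, messages and the XX.XX.XX.XX / host.name.com placeholders are taken from the question. Assumptions made for this example: rule 1 gets an explicit `phase:1` (skipAfter only jumps within the current phase, and a rule without a phase runs in phase 2), `allow` is replaced by `pass` so that only the country check is skipped, and the host pattern is anchored at both ends.

```apache
# Added example. Assumes a GeoIP database is already loaded with
# SecGeoLookupDb so that @geoLookup can populate the GEO collection.

SecMarker BEGIN_IP_CHECK

# Rule 2: trusted IP. "pass" (not "allow") keeps all later rules active
# for this client; skipAfter jumps over the country check only.
SecRule REMOTE_ADDR "^XX\.XX\.XX\.XX$" \
    "id:2000002,\
    phase:1,\
    pass,\
    nolog,\
    skipAfter:END_IP_CHECK,\
    msg:'Allow access from IP XX.XX.XX.XX'"

# Rule 3: trusted host. Anchored with ^ and $ so that a longer name
# ending in host.name.com does not match. REMOTE_HOST holds a hostname
# only when Apache HostnameLookups is enabled; otherwise it holds the IP.
SecRule REMOTE_HOST "^host\.name\.com$" \
    "id:2000003,\
    phase:1,\
    pass,\
    nolog,\
    skipAfter:END_IP_CHECK,\
    msg:'Allow access from host.name.com'"

# Rule 1: reached only when rules 2 and 3 did not match.
# Drops every request whose country code is not US.
SecRule REMOTE_ADDR "@geoLookup" \
    "id:2000001,\
    phase:1,\
    drop,\
    chain,\
    msg:'Countries allowed'"
    SecRule GEO:COUNTRY_CODE "!@pm US"

SecMarker END_IP_CHECK
```

The reverse-DNS name in REMOTE_HOST is set by whoever controls the PTR record for the client address, so the IP rule is the stronger exception; `HostnameLookups Double` makes Apache confirm the name with a forward lookup.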