Yes, but keep in mind, anyone could try and establish a connection from the country you’ve blocked at Cloudflare with Firewall Rules by going directly to the origin IP address (aside from HTTPS at Cloudflare where they’d get 1020 blocked page, access denied) - if they know it, except you only.
However, using cloudflared tunnel and limiting to allow only Cloudflare IPs to connect to your origin server, you’d be in a better position, if so.
One thing coming to my mind is, Imunify360. If you have it installed at your origin host/server and chose to block some XYZ countries, they can’t even establish a connection to your origin host. That is exactly the way to block countries in your iptables for the example, and not only to your websites via HTTP(S).
Not sure what are you using, but I’ve used geoip database with Nginx with which I limited access to some parts of my origin host for specific countries as the particular apps are being in use (despite those blocked countries could establish the connection as they weren’t blocked in iptables).
When your DNS records are you are getting both. The traffic is going through Cloudflare, requests will be filtered out then the allowed ones will be sent to your server where the nginx config will filter out some more.
①(ip.geoip.country ne “JP” and ip.geoip.country ne “US”)
②(ip.geoip.country eq “US” and not cf.client.bot)
③ (ip.geoip.country eq “JP”) ←Set to confirm the number
④ (cf.client.bot) ←Set to confirm numbers
Now only 4 is used.
Previously, when I had the same settings, ① was used a lot. (without Nginx)
Now only 4 is used.
Once there is an Allow action, then Cloudflare is no longer checking other Firewall rules.
For example, the Allow action takes precedence over the Block action. In a case where a request matches a rule with the Allow action and another with the Block action, precedence resolves the tie, and Cloudflare allows the request.
There are two exceptions to this behavior: the Log and Bypass actions. Unlike other actions, Log and Bypass do not terminate further evaluation within firewall rules
What are the actions set for the firewall rules? Open a firewall activity and see what rule allowed the request.