-
Star
(168)
You must be signed in to star a gist -
Fork
(50)
You must be signed in to fork a gist
-
-
Save Manouchehri/cdd4e56db6596e7c3c5a to your computer and use it in GitHub Desktop.
| # Source: | |
| # https://www.cloudflare.com/ips | |
| # https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-CloudFlare-s-IP-addresses-in-iptables- | |
| for i in `curl https://www.cloudflare.com/ips-v4`; do iptables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done | |
| for i in `curl https://www.cloudflare.com/ips-v6`; do ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done | |
| # Avoid racking up billing/attacks | |
| # WARNING: If you get attacked and CloudFlare drops you, your site(s) will be unreachable. | |
| iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP | |
| ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP | |
| # WARNING: This does NOT block Cloudflare's clients from accessing your website over HTTP or HTTPS with a Cloudflare Worker. |
can i use this script safely , it's won't look me out of my server right ?
#! /bin/bash apt install ufw -y ufw allow ssh for i in `curl https://www.cloudflare.com/ips-v4`; do ufw allow from $i to any port http; done for i in `curl https://www.cloudflare.com/ips-v4`; do ufw allow from $i to any port https; done for i in `curl https://www.cloudflare.com/ips-v6`; do ufw allow from $i to any port http; done for i in `curl https://www.cloudflare.com/ips-v6`; do ufw allow from $i to any port https; doneeasy way to apply rules on startup
Just adding on that if you want to do this with more ports, you can modify slightly:
#! /bin/bash
for i in `curl https://www.cloudflare.com/ips-v4`; do ufw allow from $i to any port http,https,69420,8443 proto tcp; done
for i in `curl https://www.cloudflare.com/ips-v4`; do ufw allow from $i to any port http,https,69420,8443 proto udp; done
...etcThis becomes more efficient if you want to apply the rules to a ton of ports in different ranges, else you might have 6000000 rules
If you are trying to drop connections to docker containers, these rules must be added to the DOCKER-USER chain, or they will not get dropped correctly.
To access the original destination ports of the docker container, the -m conntrack --ctorigdstport is used. --ctdir ORIGINAL is to drop only connections going to the container, not coming back from the container.
Discussion here: https://serverfault.com/questions/704643/steps-for-limiting-outside-connections-to-docker-container-with-iptables
The DROP must be added first, not appended, because the docker automatically appends a RETURN to the end of the chain.
iptables -I DOCKER-USER -p tcp -m conntrack --ctorigdstport http --ctdir ORIGINAL -j DROP
for i in `curl https://www.cloudflare.com/ips-v4`; do iptables -I DOCKER-USER -p tcp -m conntrack --ctorigdstport http --ctdir ORIGINAL -s $i -j ACCEPT;done
Repeat for other ports/ipv6. There's probably a better way but its working for me.
My life saver thx man i was facing DDos Attack on with 20milion request per hour
thanks!
yes use ip restore, in ny panel it's built in function however if you search in Google for cloudfalre ip restore you'll find it