From eb350941fa595e99ad487d89d63a1a886099a10f Mon Sep 17 00:00:00 2001
From: mikeconrad
Date: Mon, 16 Sep 2024 09:00:57 -0400
Subject: [PATCH] Add cloudflare firewall script
---
 allow_only_cloudflare_traffic.sh | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 allow_only_cloudflare_traffic.sh
diff --git a/allow_only_cloudflare_traffic.sh b/allow_only_cloudflare_traffic.sh
new file mode 100644
index 0000000..bc882fb
--- /dev/null
+++ b/allow_only_cloudflare_traffic.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env sh
+
+# This is a simple script that will add appropriate iptables rules to only allow http/https
+# traffic from Cloudflare proxies. See my blog article for more information. This script
+# was mainly created to make it easier on myself.
+# https://hackanooga.com/hardening-your-web-server-by-only-allowing-traffic-from-cloudflare/
+
+# Provide the chain as well as the accept and deny targets.
+# For example, on a router running OpenWrt it might look like this:
+# ./allow_only_cloudflare_traffic.sh zone_wan_forward zone_lan_dest_ACCEPT zone_lan_dest_DENY
+CHAIN=$1
+ACCEPT_TARGET=$2
+DENY_TARGET=$3
+
+# Using wget for better portability
+for ip in $(wget -qO- https://www.cloudflare.com/ips-v6); do ip6tables -A "$CHAIN" -s $ip -p tcp -m multiport --dports http,https -j "$ACCEPT_TARGET"; done
+for ip in $(wget -qO- https://www.cloudflare.com/ips-v4); do iptables -A "$CHAIN" -s $ip -p tcp -m multiport --dports http,https -j "$ACCEPT_TARGET"; done
+iptables -A "$CHAIN" -p tcp -m multiport --dports http,https -j "$DENY_TARGET"
+ip6tables -A "$CHAIN" -p tcp -m multiport --dports http,https -j "$DENY_TARGET"
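Review bot: A failed or empty fetch of either Cloudflare list leaves only the two DENY rules at the end of the hunk installed, because `for ip in $(wget -qO- …)` simply runs zero iterations when wget fails and nothing checks its status, so a transient network or TLS error locks every HTTP/HTTPS client out of `$CHAIN`. The response body is also handed to iptables unvalidated, so an unexpected body (an error page, a redirect) turns into a run of failing iptables calls that this `sh` script, lacking `set -e`, ignores before appending the DENY rules anyway. I would fetch each list into a variable first, abort before touching the chain if either fetch fails or is empty, reject entries that are not CIDR-shaped, stop on the first failed rule insertion, and quote `"$ip"`, as below. Note also that `-A` appends on every run, so rerunning the script duplicates every rule, and the DENY rules only take effect when no earlier ACCEPT rule in `$CHAIN` matches first; both are worth a comment in the header.

```shell
# … unchanged: header comments and CHAIN/ACCEPT_TARGET/DENY_TARGET assignments …

# Fetch both lists before touching the chain: a missing or empty list would
# otherwise leave only the final DENY rules in place.
ipv6_list=$(wget -qO- https://www.cloudflare.com/ips-v6) || exit 1
ipv4_list=$(wget -qO- https://www.cloudflare.com/ips-v4) || exit 1
[ -n "$ipv6_list" ] && [ -n "$ipv4_list" ] || exit 1

# Word-splitting on $ipv6_list / $ipv4_list is intentional: one prefix per line.
for ip in $ipv6_list; do
  # Refuse anything that is not hex digits, ':' and '/' — i.e. not an IPv6 CIDR.
  case "$ip" in
    ''|*[!0-9a-fA-F:/]*) printf 'unexpected entry in ips-v6: %s\n' "$ip" >&2; exit 1 ;;
  esac
  ip6tables -A "$CHAIN" -s "$ip" -p tcp -m multiport --dports http,https -j "$ACCEPT_TARGET" || exit 1
done
for ip in $ipv4_list; do
  # Refuse anything that is not digits, '.' and '/' — i.e. not an IPv4 CIDR.
  case "$ip" in
    ''|*[!0-9./]*) printf 'unexpected entry in ips-v4: %s\n' "$ip" >&2; exit 1 ;;
  esac
  iptables -A "$CHAIN" -s "$ip" -p tcp -m multiport --dports http,https -j "$ACCEPT_TARGET" || exit 1
done
# … unchanged: final DENY rules for iptables and ip6tables …
```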