Add cloudflare firewall script

This commit is contained in:
mikeconrad
2024-09-16 09:00:57 -04:00
parent 321c986de4
commit eb350941fa


@ -0,0 +1,19 @@
#!/usr/bin/env sh
# This is a simple script that will add appropriate iptables rules to only allow http/https
# traffic from Cloudflare proxies. See my blog article for more information. This script
# was mainly created to make it easier on myself.
# https://hackanooga.com/hardening-your-web-server-by-only-allowing-traffic-from-cloudflare/
# Provide the chain as well as the accept and deny targets.
# For example, on a router running OpenWrt it might look like this:
# ./allow_only_cloudflare_traffic.sh zone_wan_forward zone_lan_dest_ACCEPT zone_lan_dest_DENY
CHAIN=$1
ACCEPT_TARGET=$2
DENY_TARGET=$3
# Using wget for better portability
for ip in $(wget -qO- https://www.cloudflare.com/ips-v6); do ip6tables -A "$CHAIN" -s $ip -p tcp -m multiport --dports http,https -j "$ACCEPT_TARGET"; done
for ip in $(wget -qO- https://www.cloudflare.com/ips-v4); do iptables -A "$CHAIN" -s $ip -p tcp -m multiport --dports http,https -j "$ACCEPT_TARGET"; done
iptables -A "$CHAIN" -p tcp -m multiport --dports http,https -j "$DENY_TARGET"
ip6tables -A "$CHAIN" -p tcp -m multiport --dports http,https -j "$DENY_TARGET"
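Review bot: The blanket DENY rules on the last two lines are appended unconditionally, so if either wget fetch on the two `for` lines fails or returns an empty body (no network, DNS or TLS failure, a captive portal), the accept loops add nothing and the script ends by dropping all HTTP/HTTPS traffic on `$CHAIN`. The fetched body is also word-split straight into `-s $ip` with no check that each word looks like a CIDR prefix, so an unexpected response (an HTML error page, for example) becomes iptables arguments. Fetching both lists into variables first, exiting before touching any rule unless both are non-empty, and rejecting entries with characters outside the CIDR alphabet keeps the failure mode at "no change" rather than "lockout"; `set -eu` at the top also catches a missing `$1`..`$3`, which would otherwise expand to empty targets. Since the shebang is `#!/usr/bin/env sh`, the sketch below stays POSIX (no arrays, no `[[`).
```shell
#!/usr/bin/env sh
set -eu
# … unchanged: header comment and CHAIN/ACCEPT_TARGET/DENY_TARGET assignments …
V6_LIST=$(wget -qO- https://www.cloudflare.com/ips-v6)
V4_LIST=$(wget -qO- https://www.cloudflare.com/ips-v4)
if [ -z "$V6_LIST" ] || [ -z "$V4_LIST" ]; then
  printf '%s\n' "failed to fetch Cloudflare IP lists; no rules changed" >&2
  exit 1
fi
for ip in $V6_LIST; do
  case $ip in
    ''|*[!0-9a-fA-F:./]*) printf 'unexpected entry in ips-v6: %s\n' "$ip" >&2; exit 1 ;;
  esac
  ip6tables -A "$CHAIN" -s "$ip" -p tcp -m multiport --dports http,https -j "$ACCEPT_TARGET"
done
for ip in $V4_LIST; do
  case $ip in
    ''|*[!0-9./]*) printf 'unexpected entry in ips-v4: %s\n' "$ip" >&2; exit 1 ;;
  esac
  iptables -A "$CHAIN" -s "$ip" -p tcp -m multiport --dports http,https -j "$ACCEPT_TARGET"
done
# … unchanged: final DENY rules for iptables and ip6tables …
```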