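#!/usr/bin/env sh
# This is a simple script that will add appropriate iptables rules to only allow http/https
# traffic from Cloudflare proxies. See my blog article for more information. This script
# was mainly created to make it easier on myself.
# https://hackanooga.com/hardening-your-web-server-by-only-allowing-traffic-from-cloudflare/
#
# Usage: allow_only_cloudflare_traffic.sh CHAIN ACCEPT_TARGET DENY_TARGET
# Provide the chain as well as the accept and deny targets.
# For example, on a router running OpenWrt it might look like this:
#   ./allow_only_cloudflare_traffic.sh zone_wan_forward zone_lan_dest_ACCEPT zone_lan_dest_DENY
#
# Both prefix lists are downloaded and checked BEFORE any rule is appended. The
# original version looped straight over the wget output, so a failed or empty
# download added no accept rules but still appended the final deny rules,
# silently blocking all web traffic.
#
# Rules are appended with -A; running the script twice appends them twice.

# -e: stop on the first failing command, -u: unset variables are errors,
# -f: no pathname expansion while word-splitting the downloaded lists.
set -euf

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Reject anything that does not look like an IPv4/IPv6 prefix so that an
# unexpected response body (HTML error page, redirect notice, ...) is never
# passed on to iptables as an argument.
check_prefix() {
  case $1 in
    '' | *[!0-9a-fA-F.:/]*) die "unexpected entry in Cloudflare list: $1" ;;
  esac
}

[ "$#" -eq 3 ] || die "usage: ${0##*/} CHAIN ACCEPT_TARGET DENY_TARGET"
CHAIN=$1
ACCEPT_TARGET=$2
DENY_TARGET=$3
[ -n "$CHAIN" ] && [ -n "$ACCEPT_TARGET" ] && [ -n "$DENY_TARGET" ] \
  || die "chain and targets must be non-empty"

# Using wget for better portability
V6_LIST=$(wget -qO- https://www.cloudflare.com/ips-v6) \
  || die "failed to download https://www.cloudflare.com/ips-v6"
V4_LIST=$(wget -qO- https://www.cloudflare.com/ips-v4) \
  || die "failed to download https://www.cloudflare.com/ips-v4"
[ -n "$V6_LIST" ] && [ -n "$V4_LIST" ] || die "downloaded Cloudflare list is empty"

# Validate every entry first so the firewall is only touched with complete, sane input.
for ip in $V6_LIST $V4_LIST; do
  check_prefix "$ip"
done

for ip in $V6_LIST; do
  ip6tables -A "$CHAIN" -s "$ip" -p tcp -m multiport --dports http,https -j "$ACCEPT_TARGET"
done
for ip in $V4_LIST; do
  iptables -A "$CHAIN" -s "$ip" -p tcp -m multiport --dports http,https -j "$ACCEPT_TARGET"
done

# Everything else on http/https is denied; these must come after the accept rules.
iptables -A "$CHAIN" -p tcp -m multiport --dports http,https -j "$DENY_TARGET"
ip6tables -A "$CHAIN" -p tcp -m multiport --dports http,https -j "$DENY_TARGET"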