Only allow CloudFlare connections to your web server
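#!/bin/bash
# Only allow CloudFlare connections to your web server.
#
# Downloads CloudFlare's published IPv4/IPv6 ranges and appends ACCEPT rules
# for TCP/443 from each range, followed by a DROP for all other TCP/443
# traffic (IPv4 and IPv6). The goal is to stop clients bypassing CloudFlare:
# direct DDoS against the origin, or discovering the origin address by
# probing it with the site's "Host" header.
#
# Notes for operators:
#   - Must run as root; needs curl, iptables and ip6tables.
#   - Rules are appended to INPUT and are not persisted across reboots.
#     Any earlier ACCEPT for tcp/443 in INPUT takes precedence over the
#     DROP added here.
#   - Both lists are fetched and validated BEFORE any rule is added, so a
#     failed or empty download aborts without touching the firewall (the
#     original behaviour would have added only the DROP and locked out
#     the port).
#   - Rules are added only when not already present (iptables -C), so the
#     script can be re-run when CloudFlare changes its ranges without
#     duplicating rules. Stale ranges are not removed.
#   - Every downloaded entry is checked against a CIDR pattern before it
#     is handed to iptables. The list itself is trusted because it is
#     fetched over HTTPS with certificate verification (curl default).
set -euo pipefail

readonly PORT=443
readonly IPV4_URL='https://www.cloudflare.com/ips-v4'
readonly IPV6_URL='https://www.cloudflare.com/ips-v6'

# Print an error to stderr and exit non-zero.
die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Download a range list.
# Arguments: $1 - URL to fetch
# Outputs:   list body on stdout, one entry per line
# Returns:   1 on network/HTTP error (-f) or empty body
#######################################
fetch_list() {
  local url=$1 body
  body=$(curl -fsS -- "$url") || return 1
  [[ -n "$body" ]] || return 1
  printf '%s\n' "$body"
}

#######################################
# Check that an entry looks like a CIDR block of the given family.
# Arguments: $1 - "4" or "6"
#            $2 - candidate entry
# Returns:   0 if it matches, 1 otherwise (deliberately strict: anything
#            unexpected in the list is refused rather than passed on)
#######################################
is_cidr() {
  local family=$1 cidr=$2
  case "$family" in
    4) [[ "$cidr" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$ ]] ;;
    6) [[ "$cidr" =~ ^[0-9A-Fa-f:]+(/[0-9]{1,3})?$ ]] ;;
    *) return 1 ;;
  esac
}

#######################################
# Append "-A INPUT <rule>" with the given tool unless an identical rule
# already exists, keeping re-runs idempotent.
# Arguments: $1 - iptables or ip6tables
#            $@ - rule specification
#######################################
add_rule() {
  local tool=$1
  shift
  if ! "$tool" -C INPUT "$@" 2>/dev/null; then
    "$tool" -A INPUT "$@"
  fi
}

#######################################
# Validate every entry of a list and add an ACCEPT rule for it.
# Arguments: $1 - "4" or "6"
#            $2 - iptables or ip6tables
#            $3 - newline-separated list of ranges
# Outputs:   one "Whitelisted ..." line per range on stdout
#######################################
whitelist_ranges() {
  local family=$1 tool=$2 list=$3
  local -a ranges=()
  local range
  mapfile -t ranges <<<"$list"
  for range in "${ranges[@]}"; do
    [[ -n "$range" ]] || continue
    is_cidr "$family" "$range" || die "unexpected entry in IPv$family list: $range"
    add_rule "$tool" -p tcp -s "$range" --dport "$PORT" -j ACCEPT
    printf 'Whitelisted IPv%s range %s\n' "$family" "$range"
  done
}

#######################################
# Validate a whole list before any firewall change is made.
# Arguments: $1 - "4" or "6"
#            $2 - newline-separated list of ranges
#######################################
validate_list() {
  local family=$1 list=$2
  local range
  while IFS= read -r range; do
    [[ -n "$range" ]] || continue
    is_cidr "$family" "$range" || die "unexpected entry in IPv$family list: $range"
  done <<<"$list"
}

main() {
  [[ $EUID -eq 0 ]] || die "must run as root"
  local tool
  for tool in curl iptables ip6tables; do
    command -v "$tool" >/dev/null || die "$tool not found"
  done

  # Fetch and validate both lists first; nothing below runs on failure.
  local ranges4 ranges6
  ranges4=$(fetch_list "$IPV4_URL") || die "download of $IPV4_URL failed or empty; firewall unchanged"
  ranges6=$(fetch_list "$IPV6_URL") || die "download of $IPV6_URL failed or empty; firewall unchanged"
  validate_list 4 "$ranges4"
  validate_list 6 "$ranges6"

  whitelist_ranges 4 iptables "$ranges4"
  whitelist_ranges 6 ip6tables "$ranges6"

  # Everything else on the port is dropped; appended last so the ACCEPTs
  # above are evaluated first.
  add_rule iptables -p tcp --dport "$PORT" -j DROP
  add_rule ip6tables -p tcp --dport "$PORT" -j DROP
}

main "$@"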