Iptables - Allow only CloudFlare and QUIC.cloud IPs
######
## Source:
## https://www.cloudflare.com/ips
## https://quic.cloud/docs/cdn/adding-quic-cloud-ips-to-allowlist/
##
## Author: Rodrigo Vieira
######
## CloudFlare
# Fetch each list once. curl -sSf stays quiet on success, prints the error on failure and returns
# non-zero on an HTTP error instead of handing an error page to iptables. Abort before touching the
# firewall if any list is missing: with empty lists the REJECT rules at the end would block all web traffic.
CF4=$(curl -sSf https://www.cloudflare.com/ips-v4) || { echo "failed to fetch Cloudflare IPv4 list" >&2; exit 1; }
CF6=$(curl -sSf https://www.cloudflare.com/ips-v6) || { echo "failed to fetch Cloudflare IPv6 list" >&2; exit 1; }
QC4=$(curl -sSf "https://quic.cloud/ips?ln") || { echo "failed to fetch QUIC.cloud IPv4 list" >&2; exit 1; }
# QUIC / HTTP/3 (UDP 443)
for i in $CF4; do iptables -I INPUT -p udp --dport 443 -s "$i" -j ACCEPT; done
for i in $CF6; do ip6tables -I INPUT -p udp --dport 443 -s "$i" -j ACCEPT; done
# TCP Ports
for i in $CF4; do iptables -I INPUT -p tcp -m multiport --dports 80,8080,8880,2052,2082,2086,2095,443,2053,2083,2087,2096,8443 -s "$i" -j ACCEPT; done
for i in $CF6; do ip6tables -I INPUT -p tcp -m multiport --dports 80,8080,8880,2052,2082,2086,2095,443,2053,2083,2087,2096,8443 -s "$i" -j ACCEPT; done
## QUIC.cloud
for i in $QC4; do iptables -I INPUT -p tcp -m multiport --dports 80,8080,8880,2052,2082,2086,2095,443,2053,2083,2087,2096,8443 -s "$i" -j ACCEPT; done
#for i in $(curl -sSf ?); do ip6tables -I INPUT -p tcp -m multiport --dports 80,8080,2052,2082,2086,2095,443,2053,2083,2087,2096,8443 -s "$i" -j ACCEPT; done
## DROP connection to indicate filtered port on scanners
#iptables -A INPUT -p tcp -m multiport --dports 80,8080,8880,2052,2082,2086,2095,443,2053,2083,2087,2096,8443 -j DROP
#ip6tables -A INPUT -p tcp -m multiport --dports 80,8080,8880,2052,2082,2086,2095,443,2053,2083,2087,2096,8443 -j DROP
## REJECT with TCP Reset to indicate closed port on scanners
iptables -A INPUT -p tcp -m multiport --dports 80,8080,8880,2052,2082,2086,2095,443,2053,2083,2087,2096,8443 -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p tcp -m multiport --dports 80,8080,8880,2052,2082,2086,2095,443,2053,2083,2087,2096,8443 -j REJECT --reject-with tcp-reset
## Check iptables rules
#iptables -nL INPUT --line-numbers
#ip6tables -nL INPUT --line-numbers
## Delete any chain if you need
#iptables -D INPUT 122
#ip6tables -D INPUT 8
## Delete any duplicated rules
## Note: uniq only removes adjacent duplicates. Running the script twice inserts the second set of
## rules above the first with -I, so the copies are not adjacent; inspect the output of iptables-save before restoring.
#iptables-save | uniq | iptables-restore
## Save to persistent iptables to enable these rules in reboot
#apt remove iptables-persistent
#apt install iptables-persistent
#dpkg-reconfigure iptables-persistent
## Check persistent iptables rules
#nano /etc/iptables/rules.v4
#nano /etc/iptables/rules.v6
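A hardened variant of the same fetch-and-allow procedure, added here as an illustration and not part of the gist: every line of a fetched list is validated as a CIDR before it is placed in a rule, an empty or malformed list (for example an HTML error page) aborts the run before the catch-all REJECT is emitted, and rule generation prints the iptables commands instead of executing them so the result can be reviewed, or exercised offline with a constructed list. Function names (is_ipv4_cidr, is_ipv6_cidr, filter_cidrs, gen_rules, build_ruleset) and the RFC 5737 / RFC 3849 sample ranges are this example's own assumptions; ports, URLs and rule shapes are the gist's.

```sh
#!/bin/sh
# Added example, not the gist's own code: validate CDN IP lists before they
# reach iptables and emit the rules as text (dry run) for review.

PORTS="80,8080,8880,2052,2082,2086,2095,443,2053,2083,2087,2096,8443"

# Strict IPv4 CIDR check: dotted quad, every octet <= 255, prefix 0-32.
is_ipv4_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    addr=${1%/*}
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Syntactic IPv6 CIDR check (hex groups and colons, prefix 0-128). It does not
# fully parse the address, but it is enough to keep HTML or error text out.
is_ipv6_cidr() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
}

# filter_cidrs FAMILY: read a fetched list on stdin and print only valid CIDRs
# of that family (4 or 6). Fails on the first non-CIDR line and on an empty
# result, so an error page or an empty body never turns into a rule set.
filter_cidrs() {
    family=$1; count=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -z "$line" ] && continue
        if [ "$family" = 6 ]; then is_ipv6_cidr "$line"; else is_ipv4_cidr "$line"; fi \
            || { echo "refusing non-CIDR line: $line" >&2; return 1; }
        printf '%s\n' "$line"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "empty list, no rules generated" >&2; return 1; }
}

# gen_rules BIN: print the gist's two ACCEPT rules (UDP 443 for QUIC, the TCP
# port set) for each CIDR read from stdin. Nothing is executed here.
gen_rules() {
    bin=$1
    while IFS= read -r cidr; do
        printf '%s -I INPUT -p udp --dport 443 -s %s -j ACCEPT\n' "$bin" "$cidr"
        printf '%s -I INPUT -p tcp -m multiport --dports %s -s %s -j ACCEPT\n' "$bin" "$PORTS" "$cidr"
    done
}

# build_ruleset FAMILY URL: fetch, validate, then print the ACCEPT rules followed
# by the catch-all REJECT. Nothing is printed when the fetch or the validation
# fails, so a transient outage cannot leave only the REJECT rule behind.
build_ruleset() {
    family=$1; url=$2
    if [ "$family" = 6 ]; then bin=ip6tables; else bin=iptables; fi
    list=$(curl -sSf --max-time 20 "$url") || { echo "fetch failed: $url" >&2; return 1; }
    valid=$(printf '%s\n' "$list" | filter_cidrs "$family") || return 1
    printf '%s\n' "$valid" | gen_rules "$bin"
    printf '%s -A INPUT -p tcp -m multiport --dports %s -j REJECT --reject-with tcp-reset\n' "$bin" "$PORTS"
}

# Offline demonstration on a constructed list (documentation ranges, one line
# with a CRLF ending as a real download may carry). A junk "list" is refused.
SAMPLE_LIST=$(printf '192.0.2.0/24\r\n198.51.100.0/24\n')
printf '%s\n' "$SAMPLE_LIST" | filter_cidrs 4 | gen_rules iptables
printf '<html>503 Service Unavailable</html>\n' | filter_cidrs 4 || echo "junk list refused, no rules emitted"

# Usage against the real lists (review the output, then apply as root):
#   build_ruleset 4 https://www.cloudflare.com/ips-v4 > rules-v4.sh && sh rules-v4.sh
#   build_ruleset 6 https://www.cloudflare.com/ips-v6 | sh
#   build_ruleset 4 "https://quic.cloud/ips?ln" | sh
```

The split between filter_cidrs and gen_rules is deliberate: the only data that ever reaches a privileged iptables command has passed a syntax check, and the generated commands can be diffed against the running ruleset (iptables-save) before they are applied.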