Setting iptables firewall rules to allow only Cloudflare through
source link: https://awsl.blog/2021/iptables-cloudflare-only
2021-02-11 | Linux | No comments yet | 136 reads | 96 words
1. Install ipset
apt install ipset
2. Create a new firewall set named cf4
ipset create cf4 hash:net
3. Fill the set with Cloudflare's IPv4 addresses
# -f makes curl fail on HTTP errors, so an error page is never fed to ipset add
for x in $(curl -fsS https://www.cloudflare.com/ips-v4); do ipset add cf4 "$x"; done
Note: the content curl fetches is provided by Cloudflare. Only run this command if you trust it.
4. Import the rule into the firewall
iptables -A INPUT -m set --match-set cf4 src -p tcp -m multiport --dports http,https -j ACCEPT
5. Block all other IPs so that the firewall is a whitelist
iptables -A INPUT -p tcp -m tcp --dport 80 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 443 -j DROP
# iptables-save only prints the current rules to stdout; redirect its output to the file your
# distribution restores at boot (and save the set with ipset save), otherwise the rules are lost on reboot
iptables-save
6. Refresh the list regularly and load it into the firewall again
# Do not destroy and recreate the set: ipset refuses to destroy a set that an iptables rule still
# references, and appending the rule from step 4 again would duplicate it. Flushing the existing
# set and refilling it keeps the rule valid.
ipset flush cf4
for x in $(curl -fsS https://www.cloudflare.com/ips-v4); do ipset add cf4 "$x"; done
iptables-save
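Flushing and refilling the set leaves a short window in which cf4 is empty and every visitor is dropped, and the caveat in step 3 (the list is whatever the download returns) is left to the reader. The script below is an added example, not code from the original post: it validates the downloaded list before touching the set and updates cf4 atomically through a temporary set and ipset swap. It assumes the cf4 set and the rule from step 4 already exist; the set name cf4_new and the CF_APPLY switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): refresh the cf4 set atomically.
# Assumes the cf4 set and the step-4 iptables rule already exist; the
# temporary set name cf4_new and the CF_APPLY switch are this example's own.
set -eu

CF_IPV4_URL="https://www.cloudflare.com/ips-v4"

# Read a list on stdin and succeed only if it is non-empty and every
# non-blank line is a syntactically valid IPv4 CIDR (a.b.c.d/n). An HTML
# error page or a truncated body therefore never reaches `ipset add`.
valid_ipv4_cidr_list() {
    awk '
        NF == 0 { next }
        {
            if ($0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) { bad = 1; exit }
            split($0, p, /[.\/]/)
            for (i = 1; i <= 4; i++) if (p[i] > 255) { bad = 1; exit }
            if (p[5] > 32) { bad = 1; exit }
            n++
        }
        END { exit ((bad || n == 0) ? 1 : 0) }
    '
}

# Fill a temporary set, then swap it with cf4 in one step, so the whitelist
# is never empty while the update runs (flush-then-refill has that window).
refresh_cf4() {
    list=$(curl -fsSL "$CF_IPV4_URL")
    if ! printf '%s\n' "$list" | valid_ipv4_cidr_list; then
        echo "refusing to update cf4: unexpected content from $CF_IPV4_URL" >&2
        return 1
    fi
    ipset create cf4_new hash:net -exist   # -exist: no error if it is left over
    ipset flush cf4_new
    printf '%s\n' "$list" | while IFS= read -r net; do
        if [ -n "$net" ]; then ipset add cf4_new "$net"; fi
    done
    ipset swap cf4_new cf4   # the rule from step 4 keeps matching on "cf4"
    ipset destroy cf4_new    # now holds the old contents; no longer referenced
}

# Run as root (for example from cron): CF_APPLY=1 sh refresh-cf4.sh
if [ "${CF_APPLY:-0}" = "1" ]; then
    refresh_cf4
fi
```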
References: https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules (how to list and delete iptables firewall rules)
https://danielmiessler.com/blog/whitelisting-cloudflare-iptables/
https://gist.github.com/Manouchehri/cdd4e56db6596e7c3c5a (not very usable)
This article is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) license.