Cloudflare IPTABLES and IPSET scripts
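#!/usr/bin/env bash
# The script uses bash-only constructs ([[ =~ ]], local), so the shebang
# must name bash; the original "#/bin/sh" was also missing the "!" and was
# therefore not a shebang at all.
# Name of the ipset - "v4" or "v6" will be appended.
IPSET_NAME=cloudflare-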
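#######################################
# Download Cloudflare's published IP ranges and load them into an ipset.
# Globals:   IPSET_NAME (read) - prefix of the set name; "v4"/"v6" is appended
# Arguments: $1 - "v4" or "v6" (defaults to "v4"); anything else is rejected
# Outputs:   progress on stdout, diagnostics on stderr
# Returns:   0 when the set was (re)built from a complete download,
#            1 on a bad argument, a failed/invalid download, or an ipset error
#######################################
cloudflare_ipset ()
{
  local ipv inetv set_name url ipdata ret target net
  local tmp_set=""
  local -a nets=()
  local count=0 failed=0
  # Allow-list for the downloaded text after whitespace normalisation:
  # hex digits, ':', '.', '/' and the separating spaces. Anything else
  # (an HTML error page, stray characters) rejects the whole download
  # before any of it reaches "ipset add".
  local content_re='^[0-9a-fA-F:./ ]+$'

  ipv="${1:-v4}"
  case "$ipv" in
    v4) inetv="inet" ;;
    v6) inetv="inet6" ;;
    *)
      # Only the two known values may form the URL and the set name.
      printf 'Usage: cloudflare_ipset [v4|v6]\n' >&2
      return 1
      ;;
  esac
  set_name="$IPSET_NAME$ipv"
  url="https://www.cloudflare.com/ips-$ipv"

  # Fetch and normalise in two steps: in "curl | tr" the status of the
  # pipeline is tr's, so a failed or truncated download would go unnoticed.
  ipdata=$(curl --fail --silent --show-error --max-time 30 "$url")
  ret=$?
  ipdata=$(printf '%s' "$ipdata" | tr -s '[:space:]' ' ')
  if [[ $ret -ne 0 || ! $ipdata =~ $content_re ]]; then
    printf 'Download failed, sets not modified.\n' >&2
    return 1
  fi
  read -r -a nets <<<"$ipdata"

  if ipset list "$set_name" >/dev/null 2>&1; then
    # Build the new content in a scratch set and swap it in, so the live
    # set is never empty while firewall rules are matching against it.
    tmp_set="${set_name}-tmp"
    printf 'Updating %s set...\n' "$set_name"
    ipset destroy "$tmp_set" >/dev/null 2>&1  # leftover from an aborted run, if any
    ipset create "$tmp_set" hash:net family "$inetv" || return 1
    target="$tmp_set"
  else
    printf 'Creating %s set...\n' "$set_name"
    ipset create "$set_name" hash:net family "$inetv" || return 1
    target="$set_name"
  fi

  for net in "${nets[@]}"; do
    if ipset add "$target" "$net"; then
      count=$((count + 1))
    else
      failed=$((failed + 1))
    fi
  done

  if [[ -n $tmp_set ]]; then
    if ! ipset swap "$tmp_set" "$set_name"; then
      ipset destroy "$tmp_set"
      printf 'Swap into %s failed, set not modified.\n' "$set_name" >&2
      return 1
    fi
    ipset destroy "$tmp_set"  # after the swap this holds the previous content
  fi

  # Report the adds we made instead of parsing "ipset list", whose header
  # length differs between ipset versions.
  printf 'Set %s now has %d entries.\n' "$set_name" "$count"
  if (( failed > 0 )); then
    printf '%d entries could not be added to %s.\n' "$failed" "$set_name" >&2
    return 1
  fi
  return 0
}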
# Entry point: hand the optional "v4"/"v6" argument to the worker and
# exit with whatever status it returned.
rv=0
cloudflare_ipset "$1" || rv=$?
exit "$rv"
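#!/usr/bin/env bash
# The script uses bash-only constructs ([[ =~ ]], local), so the shebang
# must name bash; the original "#/bin/sh" was also missing the "!" and was
# therefore not a shebang at all.
# Name of the custom chain:
CHAIN_NAME=cloudflare
# Target for the last (default) rule in the chain:
# (use REJECT, DROP or a custom chain name; ACCEPT would not make sense)
CHAIN_POLICY=DROP
readonly CHAIN_NAME CHAIN_POLICY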
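#######################################
# Download Cloudflare's published IP ranges and (re)build a chain that
# ACCEPTs traffic from them and sends everything else to CHAIN_POLICY.
# Globals:   CHAIN_NAME (read)   - chain to create or rebuild
#            CHAIN_POLICY (read) - target of the terminal rule
# Arguments: $1 - "v4" or "v6" (defaults to "v4"); anything else is rejected
# Outputs:   progress on stdout, diagnostics on stderr
# Returns:   0 when the chain was rebuilt from a complete download,
#            1 on a bad argument, a failed/invalid download, or an iptables error
#######################################
cloudflare_iptables ()
{
  local ipv iptcmd url ipdata ret net
  local -a nets=()
  local count=0 failed=0
  # Allow-list for the downloaded text after whitespace normalisation:
  # hex digits, ':', '.', '/' and the separating spaces. Anything else
  # rejects the whole download before any of it becomes an iptables argument.
  local content_re='^[0-9a-fA-F:./ ]+$'

  ipv="${1:-v4}"
  case "$ipv" in
    v4) iptcmd="iptables" ;;
    v6) iptcmd="ip6tables" ;;
    *)
      # Only the two known values may form the URL.
      printf 'Usage: cloudflare_iptables [v4|v6]\n' >&2
      return 1
      ;;
  esac
  url="https://www.cloudflare.com/ips-$ipv"

  # Fetch and normalise in two steps: in "curl | tr" the status of the
  # pipeline is tr's, so a failed or truncated download would go unnoticed.
  ipdata=$(curl --fail --silent --show-error --max-time 30 "$url")
  ret=$?
  ipdata=$(printf '%s' "$ipdata" | tr -s '[:space:]' ' ')
  if [[ $ret -ne 0 || ! $ipdata =~ $content_re ]]; then
    printf 'Download failed, chains not modified.\n' >&2
    return 1
  fi
  read -r -a nets <<<"$ipdata"

  if "$iptcmd" --list-rules "$CHAIN_NAME" >/dev/null 2>&1; then
    printf 'Updating %s chain...\n' "$CHAIN_NAME"
    "$iptcmd" --flush "$CHAIN_NAME" || return 1
  else
    printf 'Creating %s chain...\n' "$CHAIN_NAME"
    "$iptcmd" --new-chain "$CHAIN_NAME" || return 1
  fi

  # Append the terminal rule first and insert the ACCEPTs above it, so the
  # window in which the chain has no CHAIN_POLICY fallback is a single
  # command rather than the whole loop. Order among the ACCEPTs is irrelevant.
  if ! "$iptcmd" -A "$CHAIN_NAME" -j "$CHAIN_POLICY"; then
    printf 'Could not add the %s rule to %s.\n' "$CHAIN_POLICY" "$CHAIN_NAME" >&2
    return 1
  fi
  count=1
  for net in "${nets[@]}"; do
    if "$iptcmd" -I "$CHAIN_NAME" -s "$net" -j ACCEPT; then
      count=$((count + 1))
    else
      failed=$((failed + 1))
    fi
  done

  # Report the rules we added instead of parsing --list-rules output.
  printf 'Chain %s now has %d rules.\n' "$CHAIN_NAME" "$count"
  if (( failed > 0 )); then
    printf '%d ranges could not be added to %s.\n' "$failed" "$CHAIN_NAME" >&2
    return 1
  fi
  return 0
}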
# Entry point: hand the optional "v4"/"v6" argument to the worker and
# exit with whatever status it returned.
rv=0
cloudflare_iptables "$1" || rv=$?
exit "$rv"