Last active
January 22, 2024 17:28
-
-
Save KiNgMaR/6298661 to your computer and use it in GitHub Desktop.
Cloudflare IPTABLES and IPSET scripts - fixed 2022-02-23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # name of the ipset - v4 or v6 will be appended. | |
| IPSET_NAME=cloudflare- | |
| # argument: v4 or v6 (defaults to v4) | |
| cloudflare_ipset () | |
| { | |
| local ipv | |
| local inetv | |
| if [ -z "$1" ]; then ipv="v4"; else ipv="$1"; fi | |
| if [ "$ipv" = "v4" ] | |
| then inetv="inet" | |
| else inetv="inet6" | |
| fi | |
| IPSET_NAME="$IPSET_NAME$ipv" | |
| local content_re='^[0-9a-f:.\r\n/ ]+$' | |
| local url="https://www.cloudflare.com/ips-$ipv/" | |
| local ipdata; # local is a command that affects $?, so must be separate! | |
| ipdata=$(curl --fail -L "$url" 2>/dev/null | tr -s "[:space:]" " ") | |
| local ret=$? | |
| if [ $ret -eq 0 ] && [[ $ipdata =~ $content_re ]]; then | |
| if ipset list $IPSET_NAME 2>/dev/null 1>/dev/null | |
| then | |
| echo "Updating $IPSET_NAME set..." | |
| ipset flush $IPSET_NAME | |
| else | |
| echo "Creating $IPSET_NAME set..." | |
| ipset create $IPSET_NAME hash:net family $inetv | |
| fi | |
| for i in $ipdata | |
| do | |
| ipset add $IPSET_NAME $i | |
| done | |
| local count=`ipset list $IPSET_NAME | wc -l` | |
| count=$((count-7)) | |
| echo "Set $IPSET_NAME now has $count entries." | |
| return 0 | |
| else | |
| echo "Download failed, sets not modified." | |
| return 1 | |
| fi | |
| } | |
| cloudflare_ipset "$1" | |
| exit $? |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # name of the custom chain: | |
| CHAIN_NAME=cloudflare | |
| # target for the last (default) rule in the chain: | |
| # (use REJECT, DROP or a custom chain name, ACCEPT would not make sense) | |
| CHAIN_POLICY=DROP | |
| # argument: v4 or v6 (defaults to v4) | |
| cloudflare_iptables () | |
| { | |
| local ipv | |
| if [ -z "$1" ]; then ipv="v4"; else ipv="$1"; fi | |
| local iptcmd | |
| if [ "$ipv" = "v4" ] | |
| then iptcmd="iptables" | |
| else iptcmd="ip6tables" | |
| fi | |
| local content_re='^[0-9a-f:.\r\n/ ]+$' | |
| local url="https://www.cloudflare.com/ips-$ipv/" | |
| local ipdata; # local is a command that affects $?, so must be separate! | |
| ipdata=$(curl --fail -L "$url" 2>/dev/null | tr -s "[:space:]" " ") | |
| local ret=$? | |
| if [ $ret -eq 0 ] && [[ $ipdata =~ $content_re ]]; then | |
| if $iptcmd --list-rules $CHAIN_NAME 2>/dev/null 1>/dev/null | |
| then | |
| echo "Updating $CHAIN_NAME chain..." | |
| $iptcmd --flush $CHAIN_NAME | |
| else | |
| echo "Creating $CHAIN_NAME chain..." | |
| $iptcmd --new-chain $CHAIN_NAME | |
| fi | |
| for i in $ipdata | |
| do | |
| $iptcmd -A $CHAIN_NAME -s $i -j ACCEPT | |
| done | |
| $iptcmd -A $CHAIN_NAME -j $CHAIN_POLICY | |
| local count=`$iptcmd --list-rules $CHAIN_NAME | wc -l` | |
| count=$((count-1)) | |
| echo "Chain $CHAIN_NAME now has $count rules." | |
| return 0 | |
| else | |
| echo "Download failed, chains not modified." | |
| return 1 | |
| fi | |
| } | |
| cloudflare_iptables "$1" | |
| exit $? |
Thank you for the hint, should be all better now!
Wonderful - thank you for the script. :)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The URL has changed to:
https://www.cloudflare.com/ips-v4/
.. with the trailing slash, the old URL has a 301 redirect but curl will not follow this by default. Currently downloads fail as curl will not follow redirects, unless passed the -L
So maybe update the URL and the curl options so it will follow redirects if they change it again? :)