@OopsieWoopsie
Created October 23, 2020 23:43
Only allow CloudFlare connections to your web server
#!/bin/bash
# This script downloads the current list of CloudFlare's IPv4/IPv6 ranges,
# allows them to connect to port 443 (HTTPS) and drops connections to that
# port from every other address.
# This prevents attackers from bypassing CloudFlare's DDoS protection and
# from using the "Host" header to locate the origin server behind it.
#
# Caveats: the rules are appended to INPUT, so an earlier rule that already
# accepts port 443 takes precedence, and they are not persisted across a
# reboot (use iptables-save or your distribution's persistence mechanism).
set -euo pipefail

# download the lists; -f makes curl fail on HTTP errors, and command
# substitution already strips the trailing newline
ranges4=$(curl -fsS https://www.cloudflare.com/ips-v4)
ranges6=$(curl -fsS https://www.cloudflare.com/ips-v6)

# never install the DROP rules on top of an empty allow-list, which would
# lock every client out of port 443
if [ -z "$ranges4" ] || [ -z "$ranges6" ]; then
    echo "Failed to download CloudFlare IP ranges, no rules changed" >&2
    exit 1
fi

for range in $ranges4; do
    iptables -A INPUT -p tcp -s "$range" --dport 443 -j ACCEPT
    echo "Whitelisted IPv4 range $range"
done
for range in $ranges6; do
    ip6tables -A INPUT -p tcp -s "$range" --dport 443 -j ACCEPT
    echo "Whitelisted IPv6 range $range"
done

iptables -A INPUT -p tcp --dport 443 -j DROP
ip6tables -A INPUT -p tcp --dport 443 -j DROP
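The firewall above only helps if nothing is reaching the origin around it, so the natural follow-up check is an audit of the web server's own access log for client addresses outside the allow-list. The script below is an added example, not part of the gist: it implements IPv4 CIDR matching in plain POSIX sh and reports every distinct client IP in a combined-format log that is not inside the allowed ranges, which is exactly the traffic the iptables rules should have dropped. The ranges (`ALLOWED4`) and log lines (`SAMPLE_LOG`) are constructed placeholders using documentation address blocks, not CloudFlare's real ranges; in practice you would fill `ALLOWED4` from the same `ips-v4` URL the gist downloads and pipe the real log into `direct_hits`.

```shell
#!/bin/sh
# Added example (not part of the gist): audit an access log for client IPs
# that are NOT inside the allowed (CloudFlare) ranges, i.e. requests that
# reached the origin directly and bypassed the proxy. IPv4 only.

# Constructed sample allow-list (documentation ranges standing in for the
# ranges the gist downloads from https://www.cloudflare.com/ips-v4).
ALLOWED4="198.51.100.0/24
203.0.113.0/24"

# Constructed sample access log in combined log format; 192.0.2.5 is the
# one client outside the allow-list.
SAMPLE_LOG='198.51.100.7 - - [23/Oct/2020:23:43:00 +0000] "GET / HTTP/1.1" 200 512
192.0.2.5 - - [23/Oct/2020:23:43:01 +0000] "GET /admin HTTP/1.1" 200 1024
203.0.113.200 - - [23/Oct/2020:23:43:02 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.5 - - [23/Oct/2020:23:43:03 +0000] "GET /login HTTP/1.1" 302 0'

# ip4_to_int A.B.C.D -> prints the address as a 32-bit integer
# (subshell body so the IFS change does not leak to the caller)
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr4 IP NET/BITS -> exit 0 when IP falls inside the range, 1 otherwise
in_cidr4() {
    net=${2%/*}
    bits=${2#*/}
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    fi
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# allowed4 IP -> exit 0 when IP is inside any range listed in ALLOWED4
allowed4() {
    for r in $ALLOWED4; do
        in_cidr4 "$1" "$r" && return 0
    done
    return 1
}

# direct_hits -> reads an access log on stdin and prints each distinct
# client IP (first field) that is outside the allow-list, sorted
direct_hits() {
    while read -r ip _rest; do
        allowed4 "$ip" || echo "$ip"
    done | sort -u
}

# direct_hits_sample -> runs the audit over the constructed sample log
direct_hits_sample() {
    printf '%s\n' "$SAMPLE_LOG" | direct_hits
}

direct_hits_sample
```

Any address this prints on a production log means a connection reached the origin without passing through the proxy, so either the firewall rules are not in effect (for example, an earlier INPUT rule accepts port 443, or the rules were lost on reboot) or the server is also listening on a port the rules do not cover.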