Webserver Config - Whitelist non-WARP Cloudflare Ranges and block all other traffic to Port 80/443
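#!/usr/bin/env bash
########################
# CloudFlare Ranges Only
#
# Accept TCP to http/https only from Cloudflare's published (non-WARP)
# edge ranges and DROP those ports for every other source, on both
# IPv4 (iptables) and IPv6 (ip6tables).
#
# Active non-WARP ranges as at: 7th May 2021
# Latest list: for v in v4 v6;do curl "https://www.cloudflare.com/ips-$v";done
#
# Rules are appended (-A) to INPUT, so any earlier, more permissive rule
# in the chain (e.g. a blanket ACCEPT) still wins over these.
# Requires root (or CAP_NET_ADMIN) to modify the tables.
########################
set -euo pipefail

# Cloudflare IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
readonly -a CF_V4=(
  173.245.48.0/20
  103.21.244.0/22
  103.22.200.0/22
  103.31.4.0/22
  141.101.64.0/18
  108.162.192.0/18
  190.93.240.0/20
  188.114.96.0/20
  197.234.240.0/22
  198.41.128.0/17
  162.158.0.0/15
  172.64.0.0/13
  131.0.72.0/22
  104.16.0.0/13
  104.24.0.0/14
)

# Cloudflare IPv6 edge ranges (https://www.cloudflare.com/ips-v6).
readonly -a CF_V6=(
  2400:cb00::/32
  2606:4700::/32
  2803:f800::/32
  2405:b500::/32
  2405:8100::/32
  2a06:98c0::/29
  2c0f:f248::/32
)

# TCP destination ports to protect (service names, resolved via /etc/services).
readonly -a PORTS=(http https)

#######################################
# Append ACCEPT rules for one address family.
# Arguments: $1    - table binary to use (iptables or ip6tables)
#            $2... - source CIDR ranges to allow
# Globals:   PORTS (read)
# Returns:   non-zero if any rule fails to apply (propagated by set -e)
#######################################
allow_ranges() {
  local tool=$1
  shift
  local port range
  for port in "${PORTS[@]}"; do
    for range in "$@"; do
      "$tool" -A INPUT -s "$range" -p tcp --dport "$port" -j ACCEPT
    done
  done
}

#######################################
# Append a catch-all DROP for each protected port in one address family.
# Arguments: $1 - table binary to use (iptables or ip6tables)
# Globals:   PORTS (read)
# Returns:   non-zero if any rule fails to apply (propagated by set -e)
#######################################
drop_others() {
  local tool=$1
  local port
  for port in "${PORTS[@]}"; do
    "$tool" -A INPUT -p tcp --dport "$port" -j DROP
  done
}

main() {
  local tool
  for tool in iptables ip6tables; do
    command -v "$tool" >/dev/null || { printf 'missing: %s\n' "$tool" >&2; exit 1; }
  done

  # Allow access to http (dport 80) and https (dport 443) from Cloudflare.
  allow_ranges iptables "${CF_V4[@]}"
  allow_ranges ip6tables "${CF_V6[@]}"

  # IGNORE/DROP general access.
  # The original only dropped via iptables, so port 80/443 over IPv6 stayed
  # reachable from any source; both families are closed here.
  drop_others iptables
  drop_others ip6tables
}

main "$@"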