@cicku
Last active March 3, 2024 20:02
Cloudflare IP list with nftables
# Cloudflare global edge IPv4 prefixes, copied as a snapshot from
# https://www.cloudflare.com/ips-v4/
# Cloudflare changes this list over time; regenerate it from the URL above
# rather than editing by hand, since a prefix missing here simply never
# matches the sets built from $cfv4.
define cfv4 = {173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22}
# Cloudflare global edge IPv6 prefixes, same source and caveat as above:
# https://www.cloudflare.com/ips-v6
define cfv6 = {2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32}
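# JD Cloud (Cloudflare China Network) prefixes. These are only served to
# accounts with China Network enabled, and the API returns them only when
# asked for the jdcloud network:
# https://api.cloudflare.com/client/v4/ips?networks=jdcloud
# IP changes are regular from JD Cloud, so this file is for demonstration
# only and must be regenerated from the API rather than copied as-is.
define jdv4 = {14.204.96.192/27,14.204.96.224/27,27.36.126.192/27,27.36.126.224/27,27.128.218.192/27,27.128.218.224/27,36.136.95.0/27,36.136.95.32/27,36.147.52.128/27,36.147.52.160/27,36.154.11.224/27,42.81.59.0/26,42.81.59.64/26,42.236.121.128/27,42.236.121.160/27,58.243.179.64/27,58.243.179.96/27,60.13.99.0/26,60.13.99.64/26,61.159.93.0/27,61.159.93.32/27,61.159.93.128/27,61.159.93.160/27,101.69.205.192/27,101.69.205.224/27,103.44.252.0/27,103.44.252.32/27,103.114.102.192/27,103.114.102.224/27,111.62.54.128/27,111.62.54.160/27,111.170.27.64/27,111.170.27.96/27,112.21.164.64/27,112.29.217.64/27,112.29.217.96/27,112.49.47.64/27,112.49.47.96/27,113.56.217.64/27,113.56.217.96/27,113.240.104.128/26,113.240.104.192/26,114.67.161.0/28,114.67.161.32/27,114.67.161.64/28,114.67.161.80/28,114.67.192.192/28,114.67.192.208/28,116.163.41.0/26,116.163.41.64/26,116.177.241.192/27,116.177.241.224/27,116.198.49.128/28,116.198.49.144/28,116.198.165.0/28,116.198.165.16/28,119.0.67.0/27,119.0.67.32/27,119.188.204.0/27,119.188.204.32/27,120.206.188.192/27,120.206.188.224/27,120.220.55.64/27,120.220.55.96/27,120.241.124.64/27,120.241.124.96/27,121.17.125.0/27,121.17.125.32/27,122.226.163.192/27,122.226.163.224/27,124.166.232.0/27,124.166.232.32/27,124.225.84.0/27,124.225.84.32/27,150.138.153.128/26,150.138.153.192/26,171.15.37.128/27,171.15.37.160/27,182.201.240.192/27,182.201.240.224/27,182.242.62.128/27,182.242.62.160/27,183.131.87.192/27,183.131.87.224/27,183.248.220.128/27,183.248.220.16/28,198.41.130.0/28,198.41.130.16/28,218.207.1.0/27,218.207.1.32/27,221.10.20.0/27,221.10.20.32/27}
# The IPv6 list previously opened with a stray leading comma ("{,2400:..."),
# which nft rejects as a syntax error and so prevented the whole ruleset from
# loading; the comma is removed here, the prefixes are unchanged.
define jdv6 = {2400:cb00:164:0:1000::/68,2402:db40:51b5:10::/64,2403:1ec0:1400:ff01::/64,2403:1ec0:1400:ff05::/64,2403:1ec0:1400:ff10::/64,2403:1ec0:1610:ff05::/64,2408:8266:aa01:1:1000::/68,2408:8719:64:50:1000::/68,2408:871a:8810:205:1000::/68,2408:8720:806:102:1000::/68,2408:8726:3000:fff4:1000::/68,2408:8744:1000:9:1000::/68,2408:8752:600:6:1000::/68,2408:8756:4cff:d002:1000::/68,2408:8760:107:2:1000::/68,2408:876c:2c0:112:1000::/68,2409:8720:4001:2:1000::/68,2409:8728:5eff:100d:1000::/68,2409:8760:1e81:52:1000::/68,2409:8c04:1104:8:1000::/68,2409:8c34:d00:6:1000::/68,2409:8c38:c50:604:1000::/68,2409:8c3c:1400:5:1000::/68,2409:8c54:4010:27:1000::/68,2409:8c5c:b00:206:1000::/68,240e:b1:9801:20d:1000::/68,240e:c2:1800:14e:1000::/68,240e:f7:4d0f:601:1000::/68,240e:f7:7c00:821:1000::/68,240e:90d:1101:203:1000::/68,240e:914:6:d:1000::/68,240e:928:101:300:1000::/68,240e:935:a00:1706:1000::/68,240e:935:a00:1707:1000::/68,240e:938:a05:22:1000::/68,240e:93c:20a:2:1000::/68,240e:944:8:5:1000::/68,240e:94c:4000:1602:1000::/68,240e:95d:c02:7:1000::/68,240e:97c:4014:102:1000::/68}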
#!/usr/bin/nft -f
# Copyright 2024 Christopher Meng
#
# This is an example nftables config file for only allowing Cloudflare IPs
# Pull in every *.nft drop-in from the directory; this is presumably where the
# cfv4/cfv6/jdv4/jdv6 defines referenced by the sets below live.
include "/etc/nftables/*.nft"
# Create-then-delete idiom: the bare declaration guarantees the table exists so
# the delete cannot fail on a fresh system, and the delete clears any previous
# version so the definition below replaces it in the same nft -f transaction.
table inet filter
delete table inet filter
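table inet filter {
    # Named interval sets fed from the included defines; "flags interval" is
    # what allows CIDR prefixes to be stored and matched as ranges.
    set cfv4 {
        type ipv4_addr
        flags interval
        elements = $cfv4
    }
    set cfv6 {
        type ipv6_addr
        flags interval
        elements = $cfv6
    }
    set jdv4 {
        type ipv4_addr
        flags interval
        elements = $jdv4
    }
    set jdv6 {
        type ipv6_addr
        flags interval
        elements = $jdv6
    }

    chain input {
        type filter hook input priority filter
        policy drop

        # A bare drop policy breaks the host itself, not just unwanted clients:
        # loopback traffic is dropped, replies to the host's own outbound
        # connections (DNS lookups, package updates) never come back, and IPv6
        # stops working entirely because neighbor discovery is blocked.
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Only the Cloudflare edge (global + China Network) may open
        # connections to the web ports; anything else falls through.
        # NOTE(review): the {@a, @b} form nesting set references inside an
        # anonymous set is kept from the original -- confirm the installed nft
        # accepts it with `nft -c -f`, otherwise use one rule per set.
        tcp dport http ip saddr {@cfv4, @jdv4} accept
        tcp dport http ip6 saddr {@cfv6, @jdv6} accept
        tcp dport https ip saddr {@cfv4, @jdv4} accept
        tcp dport https ip6 saddr {@cfv6, @jdv6} accept

        # NOTE(review): no management access (e.g. ssh) is allowed by this
        # chain; applying it on a remote host as-is locks the operator out.
        # Count everything the drop policy is about to discard so
        # misconfiguration shows up in `nft list ruleset`.
        counter
    }

    chain forward {
        type filter hook forward priority filter
        policy drop
    }
}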