Skip to content

Instantly share code, notes, and snippets.

@faceslog
Last active January 2, 2023 19:33
Show Gist options
  • Save faceslog/7025b9fd3bd9c0bda98d2773125772f4 to your computer and use it in GitHub Desktop.
Save faceslog/7025b9fd3bd9c0bda98d2773125772f4 to your computer and use it in GitHub Desktop.
Whitelist cloudflare IPs in UFW from (https://github.com/drvy/ufw-cloudflare)
#!/bin/sh
cfufw_deleted=0
cfufw_created=0
cfufw_ignored=0
cfufw_nonew=0
cfufw_purge=0
cfufw_showhelp=0
cf_ufw_add () {
if [ ! -z $1 ]; then
rule=$(LC_ALL=C && ufw allow from $1 to any port 80,443 proto tcp comment "cloudflare")
if [ "$rule" = 'Rule added' ] || [ "$rule" = 'Rule added (v6)' ]; then
cfufw_created=$((cfufw_created+1))
return
fi
fi
cfufw_ignored=$((cfufw_ignored+1))
}
cf_ufw_del () {
if [ ! -z $1 ]; then
rule=$(LC_ALL=C && ufw delete allow from $1 to any port 80,443 proto tcp)
if [ "$rule" = 'Rule deleted' ] || [ "$rule" = 'Rule deleted (v6)' ]; then
echo -n "\e[31m-\e[39m"
cfufw_deleted=$((cfufw_deleted+1))
return
fi
fi
echo -n "\e[90m.\e[39m"
cfufw_ignored=$((cfufw_ignored+1))
}
cf_ufw_purge () {
total="$(sudo ufw status numbered | awk '/\# cloudflare$/ {++count} END {print count}')"
i=1
if [ -z $total ]; then
cfufw_deleted=0
return
fi
while [ $i -le $total ]; do
cfip=$(sudo ufw status numbered | awk '/\# cloudflare$/{print $6; exit}')
cf_ufw_del $cfip
i=$((i+1))
done
}
echo '█▀▀ █▀▀   █░█ █▀▀ █░█░█'
echo '█▄▄ █▀░   █▄█ █▀░ ▀▄▀▄▀'
echo ''
for arg in "$@"; do
case "$arg" in
'--purge') cfufw_purge=1 ;;
'-p') cfufw_purge=1 ;;
'--no-new') cfufw_nonew=1 ;;
'-n') cfufw_nonew=1 ;;
'--help') cfufw_showhelp=1 ;;
'-h') cfufw_showhelp=1 ;;
esac
done
if [ $cfufw_showhelp -eq 1 ]; then
echo 'ufw-cf.sh 2.0 (https://github.com/drvy/ufw-cloudflare)'
echo 'Retrieve Cloudflare IPs and create allow rules in UFW (80 and 443 tcp) for each.'
echo 'Usage: ./ufw-cf.sh [options]'
echo 'OPTIONS:'
echo "\t--help (-h) : This."
echo "\t--purge (-p) : Remove existing CF rules (Deletes rules with #cloudflare comment)."
echo "\t--no-new (-n): Does not download CF IPs and does not add any rule to UFW."
echo 'EXAMPLES:'
echo "\t./ufw-cf.sh --purge"
echo "\t./ufw-cf.sh --purge --no-new"
exit
fi
if [ $cfufw_purge -eq 1 ]; then
cf_ufw_purge
fi
if [ $cfufw_nonew -eq 0 ]; then
[ -e /tmp/cloudflare-ips.txt ] && rm /tmp/cloudflare-ips.txt
touch /tmp/cloudflare-ips.txt
wget https://www.cloudflare.com/ips-v4 -q -O ->> /tmp/cloudflare-ips.txt
echo "" >> /tmp/cloudflare-ips.txt
wget https://www.cloudflare.com/ips-v6 -q -O ->> /tmp/cloudflare-ips.txt
for cfip in `cat /tmp/cloudflare-ips.txt`; do
cf_ufw_add "${cfip}"
done
[ -e /tmp/cloudflare-ips.txt ] && rm /tmp/cloudflare-ips.txt
fi
echo ''
echo "Total rules deleted: ${cfufw_deleted}"
echo "Total rules created: ${cfufw_created}"
echo "Total rules ignored: ${cfufw_ignored}"
echo 'Done.'
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment