Created
June 17, 2019 15:00
-
-
Save ilude/8ed0579b76d08bfc70ae940d3fe43f8e to your computer and use it in GitHub Desktop.
Create an ip set and us it to only allow cloudflare ip addresses through to port 4443
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # create the default iplist | |
| sudo ipset create -exist cf4 hash:net | |
| # check if the iptables rule exists and create it if it does not exist | |
| sudo iptables -C INPUT -m set --match-set cf4 src -p tcp --dport 4443 -j ACCEPT > /dev/null 2>&1 | |
| if [ $? -eq 0 ]; then | |
| echo "cf4 rule already exists!" | |
| else | |
| sudo iptables -A INPUT -m set --match-set cf4 src -p tcp --dport 4443 -j ACCEPT | |
| sudo iptables -A INPUT -p tcp --dport 4443 -j DROP | |
| fi | |
| # create a temp ipset list and flush it | |
| sudo ipset create -exist cf4.new hash:net | |
| sudo ipset flush cf4.new | |
| # add all the cloudflare ip addresses to the temp set | |
| for x in $(curl -s https://www.cloudflare.com/ips-v4); do sudo ipset add cf4.new $x; done | |
| # swap the temp set for the active set used by the iptables rule | |
| sudo ipset swap cf4.new cf4 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment