OpenWrt: allow only Cloudflare to access the HTTP (80) and HTTPS (443) ports. Use this if your uhttpd is hidden behind CF. Put this file at /etc/firewall.user. NOTE: it uses HTTP to get the list of IPs, because to wget via https we would need to install ca-certs. This makes you vulnerable to MitM attacks, but that's OK for being protected from hackers on the internet.
# https://www.cloudflare.com/ips  (replace ips-v4 with ips-v6 if needed)
# https://blog.cloudflare.com/cloudflare-now-supporting-more-ports/
# Insert an ACCEPT at the top of INPUT for every Cloudflare IPv4 range,
# covering all the ports that Cloudflare proxies.
for ip in $(wget -qO- http://www.cloudflare.com/ips-v4); do
	iptables -I INPUT -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -s "$ip" -j ACCEPT
done
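An added example, not the gist's own script: it builds the same ACCEPT rules plus the closing DROP from a saved list file, but rejects the whole list if any entry is not a well-formed IPv4 CIDR, so a list that arrived over plain HTTP and was altered in transit cannot smuggle extra arguments into iptables through word splitting. CF_PORTS, is_ipv4_cidr and build_rules are names chosen here, and the sample prefixes are constructed documentation ranges.

```sh
#!/bin/sh
# Added example, not the gist's code: generate the Cloudflare allow rules from
# a list file, validating every entry as an IPv4 CIDR before it reaches iptables.

CF_PORTS="80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880"

# is_ipv4_cidr ENTRY: succeeds only for a.b.c.d/len with octets <= 255 and len <= 32
is_ipv4_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  addr=${1%/*}; len=${1#*/}
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  rest="$addr."; n=0
  while [ -n "$rest" ]; do
    o=${rest%%.*}; rest=${rest#*.}
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# build_rules LISTFILE: print the iptables commands for the list, or fail
# (printing nothing to stdout) if any entry is not a valid IPv4 CIDR.
build_rules() {
  while read -r entry; do
    [ -n "$entry" ] || continue
    is_ipv4_cidr "$entry" || { echo "rejected entry: $entry" >&2; return 1; }
  done < "$1"
  while read -r entry; do
    [ -n "$entry" ] || continue
    # -I puts each ACCEPT at the top of INPUT, ahead of the final DROP
    echo "iptables -I INPUT -p tcp -m multiport --dports $CF_PORTS -s $entry -j ACCEPT"
  done < "$1"
  # -A appends the catch-all DROP for the same ports after the ACCEPTs
  echo "iptables -A INPUT -p tcp -m multiport --dports $CF_PORTS -j DROP"
}

# Constructed sample list (RFC 5737 documentation ranges, not Cloudflare's real
# prefixes); on the router this file would hold the downloaded Cloudflare list.
SAMPLE_LIST=$(mktemp)
printf '198.51.100.0/24\n203.0.113.0/24\n' > "$SAMPLE_LIST"
build_rules "$SAMPLE_LIST"
rm -f "$SAMPLE_LIST"
```

Pipe the output into sh once you have checked it, or replace the echo with the command itself on the router.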
@stokito thanks also for the script, I will implement it in my Padavan firmware (Xiaomi Router 3G).
Well, just recently CF disabled the raw HTTP list. Now we have to fetch it via HTTPS.
I posted a question to CF: https://community.cloudflare.com/t/http-www-cloudflare-com-ips-v4-redirects-to-https/201587
Blocks connections on the ports:
iptables -A INPUT -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j DROP
The HTTP ports that Cloudflare supports are: 80, 8080, 8880, 2052, 2082, 2086, 2095
The HTTPS ports that Cloudflare supports are: 443, 2053, 2083, 2087, 2096, 8443
https://support.cloudflare.com/hc/en-us/articles/200169156-Identifying-network-ports-compatible-with-Cloudflare-s-proxy