-
-
Save stokito/4dcf7d5610e563f3693ce9ff0ce8719d to your computer and use it in GitHub Desktop.
OpenWrt: Allow only CloudFlare to access HTTP 80 and HTTPS 443 ports. Use if your uhttpd is hidden behind CF. Put this file to /etc/firewall.user. NOTE: It uses HTTP to get the list of IPs because to wget via https we need to install ca-certs. This makes you vulnerable to MiTM attacks but that's ok to be protected from internet's hackers
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # https://www.cloudflare.com/ips replace the ips-v4 with ips-v6 if needed | |
| # https://blog.cloudflare.com/cloudflare-now-supporting-more-ports/ | |
| for ip in `wget -qO- http://www.cloudflare.com/ips-v4`; do | |
| iptables -I INPUT -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -s $ip -j ACCEPT | |
| done |
well, just recently CL disabled the raw HTTP list. Now we have to fetch it via https.
I posted a question to CF https://community.cloudflare.com/t/http-www-cloudflare-com-ips-v4-redirects-to-https/201587
Blocks the connection on port
iptables -A INPUT -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j DROP
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@stokito thanks also for the script, I will implement it in my padavan firmware (xiaomi router 3g).