@tguruslan
Last active November 20, 2023 14:35
update cloudflare ips list
#!/bin/bash -x
# Rebuilds the HTTP/HTTPS allow-list from a local whitelist plus Cloudflare's
# published IP ranges, for IPv4 (iptables) and IPv6 (ip6tables).
set -u
for app in iptables ip6tables; do
  if [[ $app =~ 6 ]]; then index=6; else index=4; fi

  # Fetch the Cloudflare list before touching the firewall: -f makes curl fail on
  # HTTP errors, and an empty result skips this family entirely, so a failed
  # download can never leave only the DROP rules in place.
  cf_ips=$(curl -fsS "https://www.cloudflare.com/ips-v${index}") || cf_ips=""
  if [[ -z "$cf_ips" ]]; then
    echo "could not fetch Cloudflare IPv${index} list, leaving $app untouched" >&2
    continue
  fi
  whitelist="/root/whitelist_v${index}.txt"
  [[ -r "$whitelist" ]] || whitelist=/dev/null

  # Remove every existing rule for ports 80/443 in every chain. The pattern is
  # anchored so dpt:8080 does not match, and rule numbers are deleted in
  # descending numeric order (sort -rn, not lexical sort -r) so earlier
  # deletions do not renumber the rules still to be deleted. -Z is not used:
  # it would zero the packet counters as a side effect of listing.
  for chain in $($app -t filter -L -n 2>/dev/null | awk '/^Chain/{print $2}'); do
    for id in $($app -t filter -L "$chain" -n --line-numbers | grep -E 'dpt:(443|80)( |$)' | awk '{print $1}' | sort -rn); do
      $app -t filter -D "$chain" "$id"
    done
  done

  # Prefer the first chain whose name contains "allow" and "in"; otherwise use INPUT.
  rule_chain=$($app -t filter -L -n 2>/dev/null | awk '/^Chain/{print $2}' | grep -i allow | grep -i in | head -n1)
  [[ -z "$rule_chain" ]] && rule_chain=INPUT

  for i in $(cat "$whitelist") $cf_ips; do
    $app -A "$rule_chain" -s "$i" -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
    $app -A "$rule_chain" -s "$i" -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
  done
  # Everything else arriving on 80/443 is dropped.
  $app -A "$rule_chain" -p tcp --dport 80 -j DROP
  $app -A "$rule_chain" -p tcp --dport 443 -j DROP
done
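Added example, not part of the gist above: the script feeds whatever `curl` returns straight into `iptables -A`, so an empty response, an HTML error page or a tampered list becomes firewall input, and because the old rules are deleted first, a bad download ends with only the DROP rules in place. The block below validates a downloaded list before any rule is touched. The function names `validate_ip_list` and `fetch_list`, the `--max-time` value and the sample lists are my own assumptions and constructed data, not anything from the gist.

```shell
#!/bin/bash
# Added example (not part of the gist): validate a fetched IP list before the
# firewall is rebuilt. Sample inputs in demo() are constructed.

# validate_ip_list FAMILY FILE
# Returns 0 only when FILE is readable, non-empty, and every non-blank line is
# a syntactically valid CIDR of the requested family (4 or 6). This is a
# syntax check against the plain-text format Cloudflare publishes, not a full
# address parser.
validate_ip_list() {
    local family="$1" file="$2" line re count=0
    local v4='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
    local v6='^[0-9A-Fa-f:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
    case "$family" in
        4) re="$v4" ;;
        6) re="$v6" ;;
        *) echo "validate_ip_list: unknown family '$family'" >&2; return 2 ;;
    esac
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue
        printf '%s\n' "$line" | grep -Eq "$re" || return 1
        if [ "$family" = 4 ]; then
            # the regex allows up to 999 per octet; enforce 0-255
            local octets="${line%/*}" o
            for o in ${octets//./ }; do
                [ "$o" -le 255 ] || return 1
            done
        else
            # an IPv6 address needs a colon and at most one "::"
            local addr="${line%/*}" squashed
            case "$addr" in *:*) ;; *) return 1 ;; esac
            squashed="${addr//::/}"
            [ $(( (${#addr} - ${#squashed}) / 2 )) -le 1 ] || return 1
        fi
        count=$((count + 1))
    done < "$file"
    [ "$count" -gt 0 ]
}

# fetch_list FAMILY OUTFILE
# Downloads Cloudflare's published list to OUTFILE and validates it; the caller
# should only delete old rules and add new ones when this returns 0.
fetch_list() {
    local family="$1" out="$2"
    curl -fsS --max-time 15 "https://www.cloudflare.com/ips-v${family}" -o "$out" || return 1
    validate_ip_list "$family" "$out"
}

# demo: constructed lists exercising the accept and reject paths (offline)
demo() {
    local d
    d=$(mktemp -d)
    printf '173.245.48.0/20\n103.21.244.0/22\n\n' > "$d/v4_good"
    printf '2400:cb00::/32\n2606:4700::/32\n' > "$d/v6_good"
    printf '173.245.48.0/20\n999.1.1.1/8\n' > "$d/v4_bad_octet"
    printf '<html>error</html>\n' > "$d/v4_html"
    : > "$d/empty"
    local f
    for f in v4_good v4_bad_octet v4_html empty; do
        if validate_ip_list 4 "$d/$f"; then echo "ACCEPT $f"; else echo "REJECT $f"; fi
    done
    if validate_ip_list 6 "$d/v6_good"; then echo "ACCEPT v6_good"; else echo "REJECT v6_good"; fi
    rm -rf "$d"
}
demo
```

To use it in the script above, call `fetch_list 4 /tmp/cf_v4.txt || exit 1` (and the IPv6 equivalent) before the deletion loop and read the ranges from those files instead of from a bare `curl -s`; a rejected list then leaves the existing rules untouched.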