IPTables + Cloudflare

tehwaffle · 02-03-2012, 03:33 AM

Hello,

I'm a big newb when it comes to Linux and IPTables.
However, I need help with the following:

I use Cloudflare for my site and want to make sure that only IP's of Cloudflare can access my site.
So that means any traffic is not allowed to visit my site directly by typing in the IP of my site in the browser. (It's a VPS.)

However, I have no clue how to do this with IPTables.
To say it in short: only allow certain IP's to port 80 and drop/block the other IP's.

The IP's of Cloudflare are (only these IP's are allowed to access my site):

Code:

204.93.240.0/24 (204.93.240.0 - 204.93.240.255)
204.93.177.0/24 (204.93.177.0 - 204.93.177.255)
199.27.128.0/21 (199.27.128.0 - 199.27.135.255)
173.245.48.0/20 (173.245.48.0 - 173.245.63.255)
103.22.200.0/22 (103.22.200.0 - 103.22.203.255)
141.101.64.0/18 (141.101.64.0 - 141.101.127.255)
108.162.192.0/18  (108.162.192.0 - 108.162.255.255)
2400:CB00:/32 (2400:CB00:0000:0000 - 2400:CB00:FFFF:FFFF)
2606:4700:/32(2606:4700:0000:0000 - 2606::4700:FFFF:FFFF)

Could anyone tell me how to do this in IPTables? And how to un-do it?
I'm willing to contribute a donation to linuxquestions.org if someone can help me with this.

Thanks.

fukawi1 · 02-03-2012, 04:07 AM

It is relatively easy.

Code:

for i in {"204.93.240.0/24", "204.93.177.0","199.27.128.0/21" etc etc}; do
    iptables -A INPUT -p tcp --dport 80 -s $i -J ACCEPT
done

iptables -A INPUT -p tcp --dport 80 -j DROP

the for loop creates a rule that will accept connections on port 80, from the subnets listed.
The next rule, will drop any connections on port 80, that dont match the above rules.

fukawi1 · 02-03-2012, 04:10 AM

I should add, to undo it, I would probably have a script that loaded a set of rules depending if you wanted it restricted or not. This could be run by cron for example.

The script would basically just change the drop rule, to an accept rule, allowing port 80 to any source IP

You would apply the same rules, to ip6tables for your IPv6 addresses..