Last updated 2024-02-09, edited by 888u

Many people running overseas VPSes put their sites behind Cloudflare to keep attackers at arm's length, yet the origin IP still gets scanned from time to time. This post shows how to set up iptables so that your VPS only accepts web traffic from Cloudflare's IP ranges: an iptables whitelist that allows Cloudflare access and nothing else on those ports.
Refer to the official tutorial:
https://developers.cloudflare.com/fundamentals/get-started/setup/allow-cloudflare-ip-addresses/
First make sure iptables and ip6tables are installed.

Create a chain:

```bash
iptables -N CLOUDFLARE
ip6tables -N CLOUDFLARE
```

Make the INPUT chain jump to it:
```bash
iptables -A INPUT -j CLOUDFLARE
ip6tables -A INPUT -j CLOUDFLARE
```

Then add Cloudflare's IP ranges to the chain:
```bash
for ip in `curl -s https://www.cloudflare.com/ips-v4`; do
  iptables -A CLOUDFLARE -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
done
for ip in `curl -s https://www.cloudflare.com/ips-v6`; do
  ip6tables -A CLOUDFLARE -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
done
```

Drop web traffic from every other IP:
```bash
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
```

Note that these two rules only cover ports 80 and 443; other ports are not affected. Once this has been done by hand, the script below can be run on a schedule (for example from cron) to keep the list current: it flushes the chain, adds the IPs again and saves the rules. Save it as a script and run it regularly.
```bash
#!/bin/sh
# Remove the "deny everyone else" rule first, so the site is not cut off
# while the chain is being rebuilt by the commands that follow
iptables -D INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -D INPUT -p tcp -m multiport --dports http,https -j DROP
# Flush the chain (old CF IPs)
iptables -F CLOUDFLARE
ip6tables -F CLOUDFLARE
# Add the current CF IPs. You should check the result of curl below yourself,
# so that a network failure does not leave the chain empty.
for ip in `curl -s https://www.cloudflare.com/ips-v4`; do
  iptables -A CLOUDFLARE -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
done
for ip in `curl -s https://www.cloudflare.com/ips-v6`; do
  ip6tables -A CLOUDFLARE -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
done
# Block other IPs again
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
# Save only after the DROP rule is back, so the saved file also blocks other IPs
mkdir -p /etc/iptables/
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
```

If you no longer want to use this, remove the rules set above:
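The refresh script above leaves the check on curl's output to the reader. The following is an added example (my own code, not from the original post) of a refresh script that does that check: it downloads both lists, fails on HTTP errors, verifies that every line looks like a CIDR of the right address family, and only then rebuilds the chains, so a failed or half-finished download can never result in an empty whitelist and a blocked site. It assumes the CLOUDFLARE chain and the INPUT jump from the steps above already exist; the `valid_list`, `rebuild` and `main` function names, the `CF_APPLY` switch and the cron path in the comment are my own choices.

```shell
#!/bin/sh
# Added example: refresh the CLOUDFLARE chains only after the downloaded
# lists pass a sanity check. Assumes the CLOUDFLARE chain exists in iptables
# and ip6tables and that INPUT already jumps to it (set up earlier in the post).
set -u

# valid_list FAMILY LIST: succeed only if LIST is non-empty and every non-blank
# line looks like a CIDR of that family (4 or 6). This is a plausibility check
# against truncated output or an HTML error page, not a full address parser.
valid_list() {
  family="$1"
  list="$2"
  count=0
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    case "$family" in
      4) printf '%s\n' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1 ;;
      6) printf '%s\n' "$line" | grep -Eq '^[0-9A-Fa-f:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$' || return 1 ;;
      *) return 1 ;;
    esac
    count=$((count + 1))
  done <<EOF
$list
EOF
  [ "$count" -gt 0 ]
}

# rebuild FAMILY LIST: rebuild one chain. The DROP rule is removed first so the
# flush does not cut the site off mid-refresh, and re-added last. Between the
# flush and the re-add, web traffic from any source is briefly accepted.
rebuild() {
  family="$1"
  list="$2"
  ipt=iptables
  [ "$family" = 6 ] && ipt=ip6tables
  "$ipt" -D INPUT -p tcp -m multiport --dports http,https -j DROP 2>/dev/null || true
  "$ipt" -F CLOUDFLARE
  for ip in $list; do
    "$ipt" -A CLOUDFLARE -p tcp -m multiport --dports http,https -s "$ip" -j ACCEPT
  done
  "$ipt" -A INPUT -p tcp -m multiport --dports http,https -j DROP
}

# Fetch both lists first; -f makes curl fail on HTTP errors so an error page is
# never treated as a list. The firewall is untouched unless both lists validate.
main() {
  v4=$(curl -fsS --max-time 20 https://www.cloudflare.com/ips-v4) || { echo "ips-v4 download failed, keeping current rules" >&2; return 1; }
  v6=$(curl -fsS --max-time 20 https://www.cloudflare.com/ips-v6) || { echo "ips-v6 download failed, keeping current rules" >&2; return 1; }
  valid_list 4 "$v4" || { echo "ips-v4 content looks wrong, keeping current rules" >&2; return 1; }
  valid_list 6 "$v6" || { echo "ips-v6 content looks wrong, keeping current rules" >&2; return 1; }
  rebuild 4 "$v4"
  rebuild 6 "$v6"
  # Save after the DROP rules are back so the saved files block other IPs too
  mkdir -p /etc/iptables
  iptables-save > /etc/iptables/rules.v4
  ip6tables-save > /etc/iptables/rules.v6
}

# Only touch the firewall when explicitly asked, e.g. from cron with
# CF_APPLY=1 /usr/local/sbin/cf-refresh.sh (hypothetical path); otherwise the
# functions can be sourced and exercised without root.
if [ "${CF_APPLY:-0}" = 1 ]; then
  main
fi
```

The check is deliberately strict about the address family: an IPv4 range that somehow lands in the IPv6 list is rejected rather than fed to ip6tables. One caveat that the whitelist itself does not address: a source address inside Cloudflare's ranges only proves the request came from a Cloudflare edge, not that it came through your own zone.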
```bash
iptables -F CLOUDFLARE
ip6tables -F CLOUDFLARE
iptables -D INPUT -j CLOUDFLARE
ip6tables -D INPUT -j CLOUDFLARE
iptables -X CLOUDFLARE
ip6tables -X CLOUDFLARE
iptables -D INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -D INPUT -p tcp -m multiport --dports http,https -j DROP
> /etc/iptables/rules.v4
> /etc/iptables/rules.v6
```

To keep the iptables rules from being lost after a reboot, make them persistent:
```bash
# Save rules
mkdir -p /etc/iptables/
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
# Restore rules
iptables-restore < /etc/iptables/rules.v4
ip6tables-restore < /etc/iptables/rules.v6
```

Run the save commands at shutdown (this step is optional) and the restore commands at startup, or whenever the network interface is brought down and up again. Also, after the refresh script above has loaded the new CF IPs, the rules need to be saved again (the script already does this).