Visit Our UNIX and Linux User Community


Cloudflare and iptables


 
Thread Tools Search this Thread
Top Forums UNIX for Beginners Questions & Answers Cloudflare and iptables
# 1  
Old 04-11-2020
Cloudflare and iptables

Hello everybody,

I set an IPTables rules to block SYN, Spams, Floods,.. and I added cloudflare IPs (IP4v) into a whitelist, I always wonder the website generate a 522 Error, when I unblock all banned IPs, the website runs safely.

Below are the rules:

Code:
#!/bin/sh

# Set to 0
iptables -t filter -F
iptables -t filter -X

# Block all
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP


#To block all packets from your own IP
#https://linoxide.com/firewall/block-common-attacks-iptables/
iptables -A INPUT -s MY.SERVER.IP -j DROP


###################################################
 # CloudFlare Web Application Firewall / CDN Access
#  https://rietta.com/blog/using-iptables-to-require-cloudflare/
################################################### 

#
# CloudFlare Network has Access to HTTP (port 80)
#
iptables -A INPUT -s 173.245.48.0/20 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 103.21.244.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 103.22.200.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 103.31.4.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 141.101.64.0/18 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 108.162.192.0/18 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 190.93.240.0/20 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 188.114.96.0/20 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 197.234.240.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 198.41.128.0/17 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 162.158.0.0/15 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 104.16.0.0/12 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 172.64.0.0/13 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 131.0.72.0/22 -p tcp --dport http -j ACCEPT

#
# CloudFlare Network has Access to Encrypted HTTPS (port 443)
#
iptables -A INPUT -s 173.245.48.0/20 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 103.21.244.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 103.22.200.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 103.31.4.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 141.101.64.0/18 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 108.162.192.0/18 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 190.93.240.0/20 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 188.114.96.0/20 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 197.234.240.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 198.41.128.0/17 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 162.158.0.0/15 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 104.16.0.0/12 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 172.64.0.0/13 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 131.0.72.0/22 -p tcp --dport https -j ACCEPT


#To protect against generic ICMP flood attacks
#https://www.sbarjatiya.com/notes_wiki/index.php/Rate_limiting_using_iptables
iptables -A INPUT -p icmp -m limit --limit 60/minute --limit-burst 120 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/minute --limit-burst 2 -j LOG
iptables -A INPUT -p icmp -j DROP

#To control network usage
iptables -A OUTPUT -p tcp -m tcp --dport 80 -m limit --limit 4/second --limit-burst 12 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -m limit --limit 1/minute --limit-burst 1 -j LOG
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j DROP

#For limiting the number of icmp packets
#https://linoxide.com/firewall/block-common-attacks-iptables/
#iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
#iptables -A INPUT -p tcp -m state --state NEW -j DROP


#https://hakin9.org/syn-flood-attacks-how-to-protect-article/
#These rules limit the rate of SYN requests from one IP to 20 per minute
iptables -A INPUT -p tcp -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
iptables -A INPUT -p tcp -m state --state NEW -m recent --set -j ACCEPT

#https://hakin9.org/syn-flood-attacks-how-to-protect-article/
#Some SYN attacks are easy to filter because they have the same 'unusual' parameters in the TCP header.
#MSS (Maximum Segment Size) maximum size of the segment that a host initiating the connection wants to allow
iptables -t mangle -I PREROUTING -p tcp -m tcp --dport 80 -m state --state NEW -m tcpmss ! --mss 536:65535 -j DROP

# CONN
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Loopback (127.0.0.1)
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

# SSH IN/OUT
iptables -t filter -A INPUT -p tcp --dport 1981 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 1981 -j ACCEPT

# DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT

# FTP Out
iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT
# FTP In
# imodprobe ip_conntrack_ftp # ligne facultative avec les serveurs OVH
iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
# Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
# Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
# Mail POP3S:995
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT

# Monit
iptables -t filter -A INPUT -p tcp --dport 1983 -j ACCEPT

# Webmin
iptables -t filter -A INPUT -p tcp --dport 8183 -j ACCEPT

# Ajenti
iptables -A INPUT -p udp -m state --state NEW --dport 8000 -j ACCEPT 
iptables -A INPUT -p tcp -m state --state NEW --dport 8000 -j ACCEPT

# Transmission:
iptables -A OUTPUT -p tcp --dport 9091 -j ACCEPT
iptables -A INPUT -p tcp --dport 9091 -j ACCEPT
iptables -A INPUT -p tcp --dport 51413 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 51413 -j ACCEPT

#https://linoxide.com/firewall/block-common-attacks-iptables/
#https://doc.ubuntu-fr.org/iptables
# Drop XMAS and NULL scans.
iptables -A INPUT -p tcp --tcp-flags ALL,FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Drop broadcated CONN
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP


#Allow Server2 to access MySQL DataBase
#iptables -A INPUT -i eth0 -s MY.SERVER.IP -p tcp --destination-port 3306 -j ACCEPT

# Client mysql / Access to remote MySQL into server1
#iptables -t filter -A INPUT -p tcp --dport 3306 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --dport 3306 -j ACCEPT

Thanks in advance
# 2  
Old 04-12-2020
Normally,

It is a good idea to start from the top, but the method is up to you:

Comment out all the lines except for the top line, flush iptables, reapply and test.

If it works, uncomment one or more lines and try again.

Repeat until you find the offending line or lines.
These 2 Users Gave Thanks to Neo For This Post:
# 3  
Old 04-12-2020
@Neo: Basically if an IP (range of IP) is whitelisted, it should not be blocked, or may cloudflare are using other IPs than those mentioned in their file

Previous Thread | Next Thread
Test Your Knowledge in Computers #259
Difficulty: Easy
Steve Jobs was born in San Francisco, California, and put up for adoption.
True or False?

10 More Discussions You Might Find Interesting

1. Ubuntu

iptables

Hi I need help with an iptables configuration, this is what I have server A Server B A and B are using different gateways i am sending port 22 from A to B, I see the packages coming in B but B is not sending the package to internet. please give me some examples. (0 Replies)
Discussion started by: lmartinez073
0 Replies

2. Red Hat

iptables help for port 80

Hi I enable the IPtables but port 80 was not working. Below is my active configuration (10 Replies)
Discussion started by: ranjancom2000
10 Replies

3. IP Networking

Help with iptables

photo... (1 Reply)
Discussion started by: beerpong1
1 Replies

4. UNIX for Dummies Questions & Answers

Help with iptables

Hi, I just build a Linux server, I said yes to enable the firewall. I only choose SSH conneciton. When I check the iptables. I see all of this (see below). I want to reject every thing only allow SSH from subnet 192.168.1.xx. Can you advise, how to do. Chain RH-Firewall-1-INPUT (2... (2 Replies)
Discussion started by: samnyc
2 Replies

5. UNIX for Dummies Questions & Answers

help with iptables

Hi, On the IPTABLES, I did iptables --flush. I want to start fresh. Now I only want two things. Allow one ip address to this server. Allow port 443 as incoming from every where. Please advice how to do this. This is what I did so for. iptables -I INPUT -i eth0 -s 1.2.3.4 -j ACCEPT... (5 Replies)
Discussion started by: samnyc
5 Replies

6. IP Networking

iptables changes

Hello We have one linux machine in the office which happens to be an important firewall. I just know the basics and need to make one change Essentially it is forward mysql traffic to another internal machine. This is the original rule (forward to 192.20.0.17) which is working ... (0 Replies)
Discussion started by: rina5392
0 Replies

7. IP Networking

Iptables

What should be the iptables rule so that only the subnet 64.61.11.224/255.255.255.248 may access the mysql port 3306 (1 Reply)
Discussion started by: proactiveaditya
1 Replies

8. IP Networking

Iptables

Thanks in advance I have to remove ip_tables_name from /proc/net/... i was trying to do so and getting the following error cmd : rm ip_tables_names error : rm: remove regular empty file `ip_tables_names'? y rm: cannot remove `ip_tables_names': Operation not permitted (4 Replies)
Discussion started by: sudeepiit
4 Replies

9. IP Networking

Need help with iptables

Trying to create a whitelist to limit bandwidth. My sync speed is 1536/256 kbps. Simple rules in order: 1. Do not limit (or set to 1536/256) MAC 00:00:00:00:00 (computer is in 192.168.1.0/24). 2. Do not limit (or set to 1536/256) MAC 00:00:00:00:01 (computer is in 192.168.1.0/24). 3. Do not... (1 Reply)
Discussion started by: kripz
1 Replies

10. IP Networking

IPtables

Hey guys, I have just started using IP tables and was wondering if anyone could direct me to any good online resources as I am totally new to this. Thanks. (1 Reply)
Discussion started by: 182x
1 Replies

Featured Tech Videos