
I would like to allow only HTTP(S) traffic coming from CloudFlare. In that way attackers cannot attack the server directly. I know CloudFlare is not mainly a DDoS mitigator, but I would like to try it either way.

I currently only have access to iptables (IPv4 only), but will try to install ip6tables soon. I just need to have this fixed soon. (We're getting (D)DoSed atm.)

I was thinking about something like this:

# --dport only works together with -p tcp, and -I puts each new rule at the
# top of the chain, so the DROP rules have to be inserted before the ACCEPTs
iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -p tcp --dport 443 -j DROP
iptables -I INPUT -p tcp -s <CloudFlare IP> --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -s <CloudFlare IP> --dport 443 -j ACCEPT

I know that CloudFlare has multiple IPs, but just for an example.

Would this be the right way?

Martin

1 Answer


Yes, that would work. You can also use ! to negate like this:

iptables -I INPUT ! -s <cloud_flare ip> -p tcp --dport 80 -j DROP
iptables -I INPUT ! -s <cloud_flare ip> -p tcp --dport 443 -j DROP
miono
  • Ah great, I didn't know about that. Is it also possible to use that with multiple IPs? I need to accept about 10 IP ranges from CloudFlare. – Martin Nov 07 '12 at 10:30
  • From the manpage: Multiple addresses can be specified, but this will expand to multiple rules (when adding with -A), or will cause multiple rules to be deleted (with -D). – miono Nov 07 '12 at 10:31
  • so like: `iptables -I INPUT ! -s -p tcp --dport 80 -j DROP` `iptables -I INPUT ! -s -p tcp --dport 80 -j DROP`? – Martin Nov 07 '12 at 10:33
  • Sorry, obviously it's not possible to give many addresses when used with !, you'll have to create multiple rules. – miono Nov 07 '12 at 10:38
  • Haha okay, no problem! – Martin Nov 07 '12 at 10:41
  • If you found my answer helpful please mark it as accepted answer, so I can get that sweet reputation :) – miono Nov 07 '12 at 10:44
  • Will do, sorry ;) – Martin Nov 07 '12 at 10:46
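Since the comments end with "you'll have to create multiple rules", here is an added example (not from the answer or the original poster) that generates those rules from a list of ranges and keeps them in a dedicated chain, so INPUT only needs one jump rule for ports 80 and 443. The RANGES values are RFC 5737 documentation networks standing in for Cloudflare's published list, and the CLOUDFLARE chain name is my own choice.

```shell
#!/bin/sh
# Added example: allow web traffic only from a list of source ranges by
# keeping the allow-list in its own chain instead of one negated rule per
# range. RANGES are placeholder documentation networks (RFC 5737), not
# Cloudflare's real list; replace them with the ranges Cloudflare publishes
# and re-run the script whenever that list changes.
RANGES="${RANGES:-192.0.2.0/24 198.51.100.0/24 203.0.113.0/24}"
IPT="${IPT:-iptables}"      # set IPT=ip6tables and IPv6 ranges for v6
MATCH="-p tcp -m multiport --dports 80,443"

# Print the commands, one per line, so they can be reviewed before applying.
cf_rules() {
    # create the chain (-N fails harmlessly if it already exists), then
    # flush it so re-running the script replaces the old list
    echo "$IPT -N CLOUDFLARE 2>/dev/null"
    echo "$IPT -F CLOUDFLARE"
    for net in $RANGES; do
        # RETURN hands packets from an allowed range back to INPUT
        echo "$IPT -A CLOUDFLARE -s $net -j RETURN"
    done
    # everything else that reached the chain did not come via Cloudflare
    echo "$IPT -A CLOUDFLARE -j DROP"
    # hook only the web ports into the chain; -C avoids a duplicate jump
    echo "$IPT -C INPUT $MATCH -j CLOUDFLARE 2>/dev/null || $IPT -I INPUT $MATCH -j CLOUDFLARE"
}

# Number of allow rules generated; compare it with the length of your list.
cf_allow_count() {
    cf_rules | grep -c -- '-j RETURN'
}

# Uncomment to apply for real (needs root):
# cf_rules | sh
```

Run `cf_rules` first to review the generated commands; SSH and other ports are not touched, since only ports 80 and 443 are sent through the chain.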