iptables - drop all HTTP(S) traffic but from CloudFlare

Posted by Martin on Server Fault
Published on 2012-11-07T10:15:12Z


I would like to allow only HTTP(S) traffic coming from CloudFlare. In that way attackers cannot attack the server directly. I know CloudFlare is not mainly a DDoS mitigator, but I would like to try it either way.

I currently only have access to iptables (IPv4 only), but will try to install ip6tables soon. I just need to have this fixed soon. (We're getting (D)DoSed atm.)

I was thinking about something like this:

# --dport only works together with a protocol match, so -p tcp is needed on every rule.
# With -A the rules are appended in the order written, so the ACCEPT rules
# come before the catch-all DROP rules (with -I each rule would be inserted
# at the top, leaving the DROPs above the ACCEPTs and blocking everything).
iptables -A INPUT -p tcp -s <CloudFlare IP> --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s <CloudFlare IP> --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

I know that CloudFlare has multiple IPs, but just for an example.

Would this be the right way?
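The allow-list approach from the question, as an added example that is not part of the original post: a small POSIX shell script that generates the ACCEPT-then-DROP rule set for every CIDR in a list and checks the ordering before anything is applied. The ranges are constructed placeholders (RFC 5737 documentation networks); in practice the list would be fed from CloudFlare's published IP ranges.

```shell
#!/bin/sh
# Constructed sample ranges (not CloudFlare's real ones); one CIDR per line.
CF_RANGES="203.0.113.0/24
198.51.100.0/24"

# Print the iptables commands instead of running them so they can be
# reviewed first; pipe the output through sh to apply.
gen_rules() {
    ranges="$1"
    # ACCEPT rules for each range and port come first.
    echo "$ranges" | while read -r cidr; do
        [ -n "$cidr" ] || continue
        for port in 80 443; do
            echo "iptables -A INPUT -p tcp -s $cidr --dport $port -j ACCEPT"
        done
    done
    # Catch-all DROP for everything else on those ports comes last.
    for port in 80 443; do
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Number of generated rules: 2 ACCEPTs per range plus 2 DROPs.
count_rules() {
    gen_rules "$1" | wc -l | tr -d ' '
}

# Returns 0 when every ACCEPT precedes the first DROP; a reversed order
# (what -I would produce) would drop all web traffic, CloudFlare included.
check_order() {
    gen_rules "$1" | awk '/-j DROP/ {seen=1} /-j ACCEPT/ && seen {bad=1} END {exit bad}'
}

gen_rules "$CF_RANGES"
check_order "$CF_RANGES" && echo "# order OK: ACCEPT rules precede DROP rules"
```

Traffic that still reaches the origin from other sources would then appear as DROP hits, which can be counted with `iptables -L INPUT -v -n` to confirm the rules are doing the work.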
