iptables - drop all HTTP(S) traffic but from CloudFlare
Posted by Martin on Server Fault
Published on 2012-11-07T10:15:12Z
Indexed on 2012/11/07 11:06 UTC
I would like to allow only HTTP(S) traffic coming from CloudFlare. That way, attackers cannot attack the server directly. I know CloudFlare is not mainly a DDoS mitigator, but I would like to try it either way.
I currently only have access to iptables (IPv4 only), but will try to install ip6tables soon. I just need to have this fixed soon (we're getting (D)DoSed atm).
I was thinking about something like this:
# --dport is a TCP/UDP match option, so the ACCEPT rules also need -p tcp or iptables rejects them.
# -I inserts at the top of the chain, so the rules are given DROP first: each later insert lands
# above the earlier ones, leaving the ACCEPT rules above the DROP rules in the final chain.
iptables -I INPUT -p tcp --dport 443 -j DROP
iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -p tcp -s <CloudFlare IP> --dport 443 -j ACCEPT
iptables -I INPUT -p tcp -s <CloudFlare IP> --dport 80 -j ACCEPT
I know that CloudFlare has multiple IPs, but just for an example.
Would this be the right way?
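The approach the question sketches, worked out for a whole list of ranges, as an added example that is not part of the original post or of any CloudFlare-provided tooling. It puts the allow-list in its own chain so rule order does not depend on whether -I or -A was used, and only hooks that chain into INPUT for TCP 80/443. The CF_RANGES prefixes below are constructed placeholders (RFC 5737 documentation networks), not CloudFlare's real addresses; the real list is published at https://www.cloudflare.com/ips-v4 (and ips-v6 for ip6tables) and changes over time, so it has to be refreshed. DRY_RUN, IPT, CF_RANGES, run, build_cf_chain and hook_cf_chain are names chosen here for the example.

```shell
#!/bin/sh
# Added example: restrict TCP 80/443 to an allow-list of source ranges
# with a dedicated iptables chain. Not code from the original post.
#
# DRY_RUN=1 prints the iptables commands instead of executing them.
# IPT can be set to ip6tables to apply the same logic for IPv6.

# Constructed placeholder ranges (RFC 5737), NOT CloudFlare's real addresses.
# Replace with the current contents of https://www.cloudflare.com/ips-v4
CF_RANGES="${CF_RANGES:-192.0.2.0/24 198.51.100.0/24 203.0.113.0/24}"
IPT="${IPT:-iptables}"
CHAIN="CLOUDFLARE"

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# (Re)build the allow-list chain: ACCEPT for each range, then DROP the rest.
# Rules are appended with -A, so the chain reads in exactly the order written here,
# which avoids the -I trap where later inserts land above earlier ones.
build_cf_chain() {
    run "$IPT" -N "$CHAIN" 2>/dev/null || true   # -N fails if the chain already exists
    run "$IPT" -F "$CHAIN"                        # flush so the old list does not linger
    for net in $CF_RANGES; do
        run "$IPT" -A "$CHAIN" -s "$net" -j ACCEPT
    done
    run "$IPT" -A "$CHAIN" -j DROP
}

# Send only TCP 80/443 through the chain; remove any previous hook first so
# re-running the script does not stack duplicate jump rules in INPUT.
hook_cf_chain() {
    run "$IPT" -D INPUT -p tcp -m multiport --dports 80,443 -j "$CHAIN" 2>/dev/null || true
    run "$IPT" -I INPUT 1 -p tcp -m multiport --dports 80,443 -j "$CHAIN"
}

# Only act when invoked with "apply" so the functions can be sourced safely.
case "${1:-}" in
    apply) build_cf_chain && hook_cf_chain ;;
esac
```

Run `DRY_RUN=1 sh cf-allow.sh apply` first to see the rules it would add, then as root without DRY_RUN; `iptables -L CLOUDFLARE -n -v` shows per-range hit counters, which is a quick way to confirm that traffic really arrives via the allow-listed ranges. The same script with `IPT=ip6tables` and the IPv6 list in CF_RANGES covers ip6tables once it is installed. Traffic to other ports is untouched by this example, so anything else the server exposes still needs its own rules.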
© Server Fault or respective owner