iptables - drop all HTTP(S) traffic but from CloudFlare

Posted by Martin on Server Fault See other posts from Server Fault or by Martin
Published on 2012-11-07T10:15:12Z Indexed on 2012/11/07 11:06 UTC
Read the original article Hit count: 239

Filed under:
|
|
|
|

I would like to allow only HTTP(S) traffic coming from CloudFlare. In that way attackers cannot attack the server directly. I know CloudFlare is not mainly a DDoS mitigator, but I would like to try it either way.

I'm currently only having access to iptables (ipv4 only), but will try to install ip6tables soon. I just need to have this fixed soon. (we're getting (D)DoSed atm.)

I was thinking about something like this:

iptables -I INPUT -s <CloudFlare IP> --dport 80 -j ACCEPT
iptables -I INPUT -s <CloudFlare IP> --dport 443 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -p tcp --dport 443 -j DROP

I know that CloudFlare has multiple IPs, but just for an example.

Would this be the right way?

© Server Fault or respective owner

Related posts about iptables

Related posts about http