Nginx
santared, 2019-09-19 21:30:29

How to create whitelist on iptables if i use cloudflare?

Hello. I want to make a whitelist at the iptables level, but the site is under cloudflare.
Debian, nginx.
It seems that it turns out to block the user, but there is no way to make a whitelist.

>iptables -F
>iptables -X
>iptables -A INPUT -p tcp --dport 80 -m string --string "CF-Connecting-IP: 1.1.1.1" --algo bm -j DROP
// bans only 1.1.1.1

and if you do this:
>iptables -F
>iptables -X
>iptables -A INPUT -p tcp --dport 80 -j DROP
>iptables -A INPUT -p tcp --dport 80 -m string --string "CF-Connecting-IP: 1.1.1.1" --algo bm -j ACCEPT
// bans everyone; I tried specifying them in different orders, ports/IPs

What is the problem, or is there an easier solution? The ban is needed at the server level only for port 80.


4 answer(s)
Ronald McDonald, 2019-09-19
@Zoominger

Well, that's right, you have the rule "block everything on port 80" before the rest, and they are executed in order, so the following rules are not even checked.

Andrey Barbolin, 2019-09-20
@dronmaxman

>iptables -F
>iptables -X
>iptables -A INPUT -p tcp --dport 80 -m string --string "CF-Connecting-IP: 1.1.1.1" --algo bm -j ACCEPT
>iptables -A INPUT -p tcp --dport 80 -j DROP
Swap the lines. The prohibition rule should be the last one.

Denis Sechin, 2019-09-19
@tamogavk

Think about it, you need to set up IPtables like this: everything that is not allowed is forbidden!

Alexey Dmitriev, 2019-09-19
@SignFinder

The -A switch adds the rule to the end of the chain, the -I switch to the beginning. Operate them to add the rule in the right place. If the packet falls under the first rule, it is no longer processed by the rest. Use iptables -nL to view the rules.
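The following is an added example, not code posted in this thread. It prints the rule set in the order the answers recommend (per-address ACCEPT rules first, the port-80 DROP last) and models, in plain shell, how netfilter walks the INPUT chain: first match wins, which is why the asker's second attempt dropped everyone. It also shows a detail the thread does not mention: `-m string --string "CF-Connecting-IP: 1.1.1.1"` is a substring match, so it also accepts 1.1.1.10 or 1.1.1.100; the strict mode models anchoring the value with its trailing CR LF (in real iptables that is done with `--hex-string` and a trailing `|0d 0a|`). The addresses in WHITELIST and the sample HTTP request are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): models the rule ordering the answers
# describe and the substring behaviour of "-m string".
# Constructed sample client addresses that should be allowed through.
WHITELIST="1.1.1.1 203.0.113.7"
CR=$(printf '\r')

# Emit the iptables commands in the order they must be appended (-A):
# per-address ACCEPT rules first, the catch-all DROP last. The INPUT chain
# is evaluated top-down and the first rule that matches decides the packet.
print_whitelist_rules() {
  for ip in $WHITELIST; do
    printf 'iptables -A INPUT -p tcp --dport 80 -m string --string "CF-Connecting-IP: %s" --algo bm -j ACCEPT\n' "$ip"
  done
  printf 'iptables -A INPUT -p tcp --dport 80 -j DROP\n'
}

# Pure-shell model of how netfilter walks the chain printed above.
# $1 = destination port, $2 = packet payload (HTTP request text),
# $3 = "strict" to require the header value to be followed by CR, i.e. what
#      --hex-string 'CF-Connecting-IP: 1.1.1.1|0d 0a|' would match.
# Prints ACCEPT, DROP, or POLICY (no rule matched; the chain policy applies).
verdict_for() {
  port=$1; payload=$2; mode=${3:-substring}
  [ "$port" = 80 ] || { echo POLICY; return 0; }
  for ip in $WHITELIST; do
    if [ "$mode" = strict ]; then
      pat="CF-Connecting-IP: $ip$CR"
    else
      pat="CF-Connecting-IP: $ip"
    fi
    # First matching rule decides; later rules are never consulted.
    case $payload in *"$pat"*) echo ACCEPT; return 0;; esac
  done
  echo DROP
}

# The asker's second attempt: DROP appended before the ACCEPT rules.
# Every port-80 packet hits the DROP rule first, so ACCEPT is unreachable.
verdict_wrong_order() {
  port=$1
  if [ "$port" = 80 ]; then echo DROP; else echo POLICY; fi
}

# Build a constructed sample request as the proxy would forward it,
# with the CF-Connecting-IP header set to $1.
mk_request() {
  printf 'GET / HTTP/1.1\r\nHost: example.com\r\nCF-Connecting-IP: %s\r\n\r\n' "$1"
}

# Stand-alone demonstration.
print_whitelist_rules
echo "1.1.1.1   -> $(verdict_for 80 "$(mk_request 1.1.1.1)")"
echo "9.9.9.9   -> $(verdict_for 80 "$(mk_request 9.9.9.9)")"
echo "1.1.1.10  -> $(verdict_for 80 "$(mk_request 1.1.1.10)") (substring match)"
echo "1.1.1.10  -> $(verdict_for 80 "$(mk_request 1.1.1.10)" strict) (strict match)"
echo "wrong order, 1.1.1.1 -> $(verdict_wrong_order 80 "$(mk_request 1.1.1.1)")"
```

Two caveats apply to the real rule, not just the model: the string match inspects one packet at a time, so a header split across TCP segments is not seen, and the header is only bytes in the payload, so the whitelist is only as trustworthy as the path to port 80 (it is meaningful only while port 80 is reachable solely through Cloudflare). Check the resulting order with `iptables -nL INPUT --line-numbers` before relying on it.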
