Skip to content
/ iptables-whitelist-script Public

Posix script that applies iptables rules to whitelist connections only coming from proxy services like Cloudflare and Stackpath.

2 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

ivstiv/iptables-whitelist-script

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
README.md
README.md
 
 
cloudflare.list
cloudflare.list
 
 
stackpath.list
stackpath.list
 
 
whitelist.sh
whitelist.sh
 
 

Repository files navigation

iptables-whitelist-script

A small bash script that can automatically setup a custom iptables chain which accepts connections only from specified ip ranges. The main reason it exists is to manage cloudflare's and stackpath's ip ranges to prevent people from accessing the web server behind the reverse proxy directly by ip. Could be used in case of DDoS attacks or just as a general counter intelligence tool.

Features

  • Automatic creation and removal of iptables rules
  • Self-updating argument for keeping ip ranges up to date for Cloudflare and Stackpath
  • Works with custom files containing line separated ip ranges in CIDR notation
  • Can be used with specific ports

Commands and parameters

Usage: sh whitelist.sh [options]

Options:
    -r,--remove | Removes the whitelist.
    -u,--update | Updates the ip lists files.
    -p,--ports <port1,port2> | Specifies ports delimited by comma, the whitelist to be applied to.
    -l,--list <path> | Specifies a custom ip list file.

A general example:

sh whitelist.sh --list cloudflare.list --ports 80,443

You can even update, remove old and set new rules at once!

sh whitelist.sh -u -r -l cloudflare.list -p 80,443

Requirements and dependencies

  • A system running GNU/Linux
  • iptables
  • curl
  • grep
  • cut

Installation

Just clone this repository and run the script as shown...

IPtables configuration and advice

Please note that if you don't specify ports for the whitelist to be applied to it will be applied to all which would effectively block you from connecting remotely via ssh or ftp!

It might be a good idea to setup a crontab job that updates daily the ipranges in case they change. Here is an example of how you can do that. Just substitute <DIR> with the full path to the directory of the script. This needs to run with root privileges because of iptables!

0  0  *  *  * cd <DIR> && sh whitelist.sh -u -r -l cloudflare.list -p 80

For any additional help consult the documentation of your firewall or check a tutorial on how iptables works. I recommend checking this one out.

Links and additional info

I don't see how this can be further developed but if you have any ideas you are welcome to join my discord and ask for help or give me a heads up for problems with the script. This was developed entirely for personal use but I figured other people might find it useful as well so any feedback is appreciated!

About

Posix script that applies iptables rules to whitelist connections only coming from proxy services like Cloudflare and Stackpath.

Resources

Readme
Activity

Stars

2 stars

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

 
 
 

Languages