VPS通过iptables设置只允许cloudflare的IP访问-开心VPS测评

很多使用国外VPS的朋友都使用过cloudflare，可以防止坏人来捣乱，可是有些时候还是会被扫到站源IP，今天给大家分享一下如何设置iptables来实现你的VPS只允许cloudflare的IP访问。

参考官方教程：

https://developers.cloudflare.com/fundamentals/get-started/setup/allow-cloudflare-ip-addresses/

首先确认你已经安装iptables和ip6tables

创建一个链

[crayon-679bc95aba12f525440981  ]iptables -N CLOUDFLARE
ip6tables -N CLOUDFLARE

1 2	[crayon-679bc95aba12f525440981 ]iptables -N CLOUDFLARE ip6tables -N CLOUDFLARE

[/crayon]
让INPUT引用

[crayon-679bc95aba132920059860  ]iptables -A INPUT -j CLOUDFLARE
ip6tables -A INPUT -j CLOUDFLARE

1 2	[crayon-679bc95aba132920059860 ]iptables -A INPUT -j CLOUDFLARE ip6tables -A INPUT -j CLOUDFLARE

[/crayon]
然后把CF的IP加进链里

[crayon-679bc95aba134566332276  ]for ip in `curl -s https://www.cloudflare.com/ips-v4`;do
iptables  -A CLOUDFLARE -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
done
for ip in `curl -s https://www.cloudflare.com/ips-v6`;do
ip6tables  -A CLOUDFLARE -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
done

[crayon-679bc95aba134566332276 ]for ip in `curl -s https://www.cloudflare.com/ips-v4`;do

iptables -A CLOUDFLARE -p tcp -m multiport --dports http,https -s $ip -j ACCEPT

done

for ip in `curl -s https://www.cloudflare.com/ips-v6`;do

ip6tables -A CLOUDFLARE -p tcp -m multiport --dports http,https -s $ip -j ACCEPT

done

[/crayon]
不允许其他IP访问

[crayon-679bc95aba137519069677  ]iptables -A INPUT -p tcp -m multiport --dport http,https -j DROP
ip6tables -A INPUT -p tcp -m multiport --dport http,https -j DROP

1 2	[crayon-679bc95aba137519069677 ]iptables -A INPUT -p tcp -m multiport --dport http,https -j DROP ip6tables -A INPUT -p tcp -m multiport --dport http,https -j DROP

[/crayon]
搞过一次之后，也就是定时执行的脚本如下
清空链，然后重新加一遍IP
以下保存为脚本，定时执行即可

[crayon-679bc95aba139266483639  ]#先删掉"不允许所有"，避免在下面命令执行期间GG
iptables -D INPUT -p tcp -m multiport --dport http,https -j DROP
ip6tables -D INPUT -p tcp -m multiport --dport http,https -j DROP
#清除规则(旧的CF IP)
iptables -F CLOUDFLARE
ip6tables -F CLOUDFLARE
#添加CF IP，下面可以对curl的结果做一次判断，可以避免网络问题可能出现的问题，自己写
for ip in `curl -s https://www.cloudflare.com/ips-v4`;do
iptables -A CLOUDFLARE -s $i -j ACCEPT
done
for ip in `curl -s https://www.cloudflare.com/ips-v6`;do
ip6tables -A CLOUDFLARE -s $i -j ACCEPT
done
mkdir -p /etc/iptables/
iptables-save &gt; /etc/iptables/rules.v4
ip6tables-save &gt; /etc/iptables/rules.v6
#禁用其他IP
iptables -A INPUT -p tcp -m multiport --dport http,https -j DROP
ip6tables -A INPUT -p tcp -m multiport --dport http,https -j DROP

[crayon-679bc95aba139266483639 ]#先删掉"不允许所有"，避免在下面命令执行期间GG

iptables -D INPUT -p tcp -m multiport --dport http,https -j DROP

ip6tables -D INPUT -p tcp -m multiport --dport http,https -j DROP

#清除规则(旧的CF IP)

iptables -F CLOUDFLARE

ip6tables -F CLOUDFLARE

#添加CF IP，下面可以对curl的结果做一次判断，可以避免网络问题可能出现的问题，自己写

for ip in `curl -s https://www.cloudflare.com/ips-v4`;do

iptables -A CLOUDFLARE -s $i -j ACCEPT

done

for ip in `curl -s https://www.cloudflare.com/ips-v6`;do

ip6tables -A CLOUDFLARE -s $i -j ACCEPT

done

mkdir -p /etc/iptables/

iptables-save > /etc/iptables/rules.v4

ip6tables-save > /etc/iptables/rules.v6

#禁用其他IP

iptables -A INPUT -p tcp -m multiport --dport http,https -j DROP

ip6tables -A INPUT -p tcp -m multiport --dport http,https -j DROP

[/crayon]
不想用了，清空上面设置过的规则

[crayon-679bc95aba13c072040647  ]iptables -F CLOUDFLARE
ip6tables -F CLOUDFLARE
iptables -D INPUT -j CLOUDFLARE
ip6tables -D INPUT -j CLOUDFLARE
iptables -X CLOUDFLARE
ip6tables -X CLOUDFLARE
iptables -D INPUT -p tcp --dport http,https -j DROP
ip6tables -D INPUT -p tcp --dport http,https -j DROP
&gt; /etc/iptables/rules.v4
&gt; /etc/iptables/rules.v6

[crayon-679bc95aba13c072040647 ]iptables -F CLOUDFLARE

ip6tables -F CLOUDFLARE

iptables -D INPUT -j CLOUDFLARE

ip6tables -D INPUT -j CLOUDFLARE

iptables -X CLOUDFLARE

ip6tables -X CLOUDFLARE

iptables -D INPUT -p tcp --dport http,https -j DROP

ip6tables -D INPUT -p tcp --dport http,https -j DROP

> /etc/iptables/rules.v4

> /etc/iptables/rules.v6

[/crayon]
补上iptables规则持久化的设置，以免重启后就无了

[crayon-679bc95aba13e844563197  ]#保存规则
mkdir -p /etc/iptables/
iptables-save &gt; /etc/iptables/rules.v4
ip6tables-save &gt; /etc/iptables/rules.v6

[crayon-679bc95aba13e844563197 ]#保存规则

mkdir -p /etc/iptables/

iptables-save > /etc/iptables/rules.v4

ip6tables-save > /etc/iptables/rules.v6

[/crayon]

[crayon-679bc95aba141949424885  ]#引用规则
iptables-restore &lt; /etc/iptables/rules.v4
ip6tables-restore &lt; /etc/iptables/rules.v6

[crayon-679bc95aba141949424885 ]#引用规则

iptables-restore < /etc/iptables/rules.v4

ip6tables-restore < /etc/iptables/rules.v6

[/crayon]
以上保存规则设置到关机执行的命令(也可以不用)，引用规则设置到开机执行的命令。或者网卡关闭和启动。
还有，上面整完新的CF IP后要保存一下规则(我已经写上去了)

转载请注明：开心VPS测评 » VPS通过iptables设置只允许cloudflare的IP访问

VPS通过iptables设置只允许cloudflare的IP访问

相关推荐

最稳CN2 GIA

品牌推荐

热门标签