Simple CloudFlare Script for Linux security

[Johno]

I have seen more and more retros now using Linux for the operating system for their hotels but have had a lot of people asking about stopping direct access to their website if they display the IP address in their client browser.

I have decided to share this, this is V1 of a simple script I created that will only allow IP addresses from the CloudFlare network to connect to your port 80 & 443

#!/bin/bash
##########################################################################################################################
# Script to block incoming connection to port 80, 443 from all host and allow only from cloudflare IP (both ipv4 and ipv6)
# Created By        : xHosts
##########################################################################################################################
## ----------------------------------
# Define variables
# ----------------------------------
RED='\033[0;41;30m'
GREEN='\033[0;42;30m'
STD='\033[0;0;39m'
YES=[Yy]*
NO=[Nn]*
ALL=[Aa]*
TEMP=/tmp
CURRENT_PATH=`pwd`
TEMPFILE3=`mktemp -p ${TEMP}`
TEMPFILE4=`mktemp -p ${TEMP}`
#Cloudflare ip last updated on December 2020
CLOUDFLARE_IPV4_ARR=("173.245.48.0/20" "103.21.244.0/22" "103.22.200.0/22" "103.31.4.0/22" "141.101.64.0/18" "108.162.192.0/18" "190.93.240.0/20" "188.114.96.0/20" "197.234.240.0/22" "198.41.128.0/17" "162.158.0.0/15" "104.16.0.0/12" "172.64.0.0/13" "131.0.72.0/22")
CLOUDFLARE_IPV6_ARR=("2400:cb00::/32" "2606:4700::/32" "2803:f800::/32" "2405:b500::/32" "2405:8100::/32" "2a06:98c0::/29" "2c0f:f248::/32")
PORT_TO_BLOCK=("80" "443")
DEFAULT_INTERFACE=eth0 #Check Default Interface
IPV4_ENABLE=1
IPV6_ENABLE=1

# ----------------------------------
# Check for needed tools
# ----------------------------------
#Check for iptables
OUTPUT=`command -v iptables`
if [ ! ${OUTPUT} ]
then
    echo -e "${RED}Error: iptables program needed but not exist, please install it.${STD}"
    exit 1   
fi
#Check if ipv6 enabled on this system
if  [ -f /proc/net/if_inet6 ]
then
    #IPv6 enabled, check for ip6tables if exist
    OUTPUT=`command -v ip6tables`
    if [ ! ${OUTPUT} ]
    then
        echo -e "${RED}Warning: ip6tables program not available. If you would like to block ipv6, please install it.${STD}"
        IPV6_ENABLE=0
        pause
    fi
fi
# ------------------------------------
# Check if user have root privilege
# ------------------------------------
if [ ! -w /etc/passwd ]
then
    echo -e "${RED}Error: Please su to root first.${STD}"
    exit 1
fi
# ----------------------------------
# User defined function
# ----------------------------------
pause(){
#pause and wait for enter
  read -p "Press [Enter] key to continue..."
}
# ------------------------------------
# Check if interface exist
# ------------------------------------
INTERFACE=${DEFAULT_INTERFACE}
while true
do
    ip link show | grep ^[1-9] | grep -q ${INTERFACE}
    RETURN=$?
    #0 = exist, 1 = not exist
    if [ ${RETURN} -eq 1 ]
    then
        echo -e "${RED}Error: Interface ${INTERFACE} not found${STD} "
            read -p "Please input interface to block: " INTERFACE
         case "${INTERFACE}"
                     in
                    '')
                 echo -e "${RED}Error: Interface can not be blank${STD} "
            INTERFACE=${DEFAULT_INTERFACE}
                           ;;
                        *)
                         ;;
                   esac
    else
        break
    fi
done
echo -e "${GREEN}Using interface ${INTERFACE}${STD}"
#Generate iptables for ipv4 script block all incoming interface to port as listed
if [ ${IPV4_ENABLE} -eq 1 ]
then
    for i in "${PORT_TO_BLOCK[@]}"
    do
        for j in "${CLOUDFLARE_IPV4_ARR[@]}"
        do
            echo "iptables -A INPUT -i ${INTERFACE} -s ${j} -p tcp --destination-port $i -j ACCEPT" >> ${TEMPFILE3}
        done
    done
    for i in "${PORT_TO_BLOCK[@]}"
    do
        echo "iptables -A INPUT -i ${INTERFACE} -p tcp --destination-port $i -j DROP" >> ${TEMPFILE3}
    done
    #cat ${TEMPFILE3}
fi
#Run iptables for ipv4 script
bash ${TEMPFILE3}
#Generate iptables for ipv6 script block all incoming interface to port as listed
if [ ${IPV6_ENABLE} -eq 1 ]
then
    for i in "${PORT_TO_BLOCK[@]}"
    do
        for j in "${CLOUDFLARE_IPV6_ARR[@]}"
        do
            echo "ip6tables -A INPUT -i ${INTERFACE} -s ${j} -p tcp --destination-port $i -j ACCEPT" >> ${TEMPFILE4}
        done
    done
    for i in "${PORT_TO_BLOCK[@]}"
    do
        echo "ip6tables -A INPUT -i ${INTERFACE} -p tcp --destination-port $i -j DROP" >> ${TEMPFILE4}
    done
    #cat ${TEMPFILE4}
fi
#Run iptables for ipv4 script
bash ${TEMPFILE4}
rm -f ${TEMPFILE3} ${TEMPFILE4}
echo -e "${GREEN}Done.${STD}"

You can either download the file directly or create, copy & paste and execute

Saving File​

wget

You must be registered for see links

chmod +x cloudflare.sh bash cloudflare.sh

-- Job Done

Create file​

Using a SSH text editor such as nano

nano cloudflare.sh

copy and paste the content of

You must be registered for see links

ctrl and x to save

chmod +x cloudflare.sh

bash cloudflare.sh

-- Job Done

 

[Sledmore]

Pretty good share, the only negative thing about this is the array of the IPs - although they don't change all too often it's nice to not have to worry about updating them. Although, this should help a fair few users out I'd imagine.

Personally, I use the below resource for this w/ UFW (default is no port restriction, is an example with 80 and such):

You must be registered for see links

Another resource I use:

You must be registered for see links

The last thing to suggest would be to limit the virtual hosts to a specific domain. I suppose this step doesn't necessarily matter if already limited via Cloudflare.

 

[Johno]

Thanks for the feedback, this is my first version but have thought about adding a second script to run as a cron to download a the list, then every x amount of days run again compare the versions and if changed create the new rules and add them. Still learning when i can about creating little scripts like this.

I am always happy to take constructive feedback to learn from.