IPSET (Iptables) is the Bomb! Can we use this on all systems?

I have hit paydirt in some old-timer’s post on Cloudflare, to wit, this:

How do I allowlist Cloudflare’s IP addresses in iptables?

https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-Cloudflare-s-IP-addresses-in-iptables-

*MY QUESTION IS AT THE BOTTOM OF THIS PASTE.

LOCATED MID-WAY down the instructions states this:

An alternative to having a long list of iptables rules for each network range is to use a utility called ipset.

Create an ipset set:
ipset create cf hash:net

Now populate the set with Cloudflare IP ranges:

for x in $(curl https://www.cloudflare.com/ips-v4); do ipset add cf $x; done

You can use the ‘cf’ set now in a iptables rule like so:

iptables -A INPUT -m set --match-set cf src -p tcp -m multiport --dports http,https -j ACCEPT

Once you run the iptables commands, you will need to save the iptables rules. The top two commands are used for IPv4 and the bottom two for IPv6.

Debian/Ubuntu: iptables-save > /etc/iptables/rules.v4
RHEL/CentOS: iptables-save > /etc/sysconfig/iptables
Debian/Ubuntu: ip6tables-save > /etc/iptables/rules.v6
RHEL/CentOS: ip6tables-save > /etc/sysconfig/ip6tables

Note: These rules only apply to your iptables and do not work for any additional firewalls.

!QUESTION!: Since Cloudflare’s ipset worked miracles on my server…can I use this on every computer in my house ??? I only ask because my elderly mom (I’m old too) is having a less than pleasant online experience at times.

Thanks for any input~"

I am not sure what youre trying to achieve?

As long as your elderly mom doesn’t host a website on her home computer which is reachable via Cloudflare, this is not necessary.

Oh you’re right.

Hey do you know why this error would happen?

When I give the command after a reboot, the process doesn’t appear to work as it had formerly.

This is the command:
for x in $(curl https://www.cloud are.com/ips-v4); do ipset add cf $x; done

Now it kicks off this error:
bash: syntax error near unexpected token ‘do’

Thanks if you know what I broke now

Check the URL first

wow it’s a jungle out here…now my site is fixed of that error…but no sooner I’m out of that pan than another hits me in the head …after putting https certificates (pem and key) in my server I find that something fails if I choose full…so I clicked on flexible and went to do a site test and find that with the key and pem i’m now labeled as vulnerable to POODLE AND HEARTBLEED…I don’t recall this prior to the pem and key installation…
The internet mafia is killing me.

The certificate is the same on all modes and even the ciphers shouldn’t change.

What’s the domain?

Thanks…It’s me that’s the problem, I’m sure. The domain is springfield-ohio-post.com
To the best of my retarded abilities I followed the Cloudflare instructions to the T. *(place two documents in the root) so my guess is it’s something else that might be wrong (for instance, after I typed that message on Cloudflare it was realized that port 443 had to be opened in the router…DOH!). But that only created another problem (this time I tested with yandex)…this is a job, for sure. Now I see two other ports open that are 8080(http-proxy) and 8443 (https-alt) which are not opened in the router but somehow I now have 4 ports open using the port scan (whereas the server is only supposed to be accepting 80 and 443). For all I know it could be a fail2ban thing…I notice it appends to my iptables with a f2b-sshd
(I can’t wait to see what that jail looks like "

This topic was automatically closed after 30 days. New replies are no longer allowed.