Method:
1. First flush the existing rules:
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X
2. Whitelist Cloudflare's IP ranges:
# Source:
# https://www.cloudflare.com/ips
# https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-CloudFlare-s-IP-addresses-in-iptables-
# -fsS: fail on an HTTP error instead of feeding an error page to iptables, stay quiet otherwise
for i in $(curl -fsS https://www.cloudflare.com/ips-v4); do iptables -I INPUT -p tcp -m multiport --dports http,https -s "$i" -j ACCEPT; done
for i in $(curl -fsS https://www.cloudflare.com/ips-v6); do ip6tables -I INPUT -p tcp -m multiport --dports http,https -s "$i" -j ACCEPT; done
# Avoid racking up billing/attacks
# WARNING: If you get attacked and CloudFlare drops you, your site(s) will be unreachable.
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
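The loops above hand whatever curl returns straight to iptables. If the download fails or returns something other than a list of ranges, the ACCEPT rules are never inserted, the trailing DROP still is, and all web traffic is blocked. The following script is an added example, not the original post's code: it fetches both lists, checks that every line is a CIDR and that neither list is empty, and only then prints the complete rule set (the whitelist plus the two DROP rules above) for review. It assumes curl, grep -E and a POSIX sh; applying the output requires root.

```shell
#!/bin/sh
# Added example: validate the Cloudflare ranges before they reach iptables.
# Nothing is applied by this script; it prints the rules so they can be
# reviewed and then piped to sh.

# Syntactic check for an IPv4 CIDR: a.b.c.d/0-32
is_cidr4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Syntactic check for an IPv6 CIDR: hex groups and colons, /0-128
is_cidr6() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
}

# Read ranges from stdin and print one ACCEPT rule per range for $1
# (iptables or ip6tables), validating each line with $2 (is_cidr4 or is_cidr6).
# Prints nothing and returns 1 if the list is empty or any line is malformed,
# so a broken download can never produce a partial or empty whitelist.
emit_rules() {
    bin=$1; check=$2; n=0; out=''
    while IFS= read -r net; do
        [ -z "$net" ] && continue
        "$check" "$net" || return 1
        out="${out}${bin} -I INPUT -p tcp -m multiport --dports http,https -s ${net} -j ACCEPT
"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || return 1
    printf '%s' "$out"
}

# Build the full rule set: both validated whitelists, then the two DROP rules.
# Aborts without printing anything if either list is missing or malformed.
build_cloudflare_rules() {
    rules4=$(curl -fsS https://www.cloudflare.com/ips-v4 | emit_rules iptables is_cidr4) \
        || { echo "IPv4 list missing or malformed, not touching iptables" >&2; return 1; }
    rules6=$(curl -fsS https://www.cloudflare.com/ips-v6 | emit_rules ip6tables is_cidr6) \
        || { echo "IPv6 list missing or malformed, not touching ip6tables" >&2; return 1; }
    printf '%s\n%s\n' "$rules4" "$rules6"
    echo 'iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP'
    echo 'ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP'
}
```

Usage: run `build_cloudflare_rules` first to inspect the output, then `build_cloudflare_rules | sh` as root to apply it. The ACCEPT rules are still inserted with -I and the DROP appended with -A, so the ordering of the original post is preserved. Two things remain as in the post: the INPUT policy stays ACCEPT, so only ports 80 and 443 are gated by this rule set, and the rules are not persisted across a reboot unless saved with the distribution's iptables-persistent mechanism.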
After that, the output of iptables -L -v will look like this:
Chain INPUT (policy ACCEPT 3370 packets, 2459K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any 131.0.72.0/22 anywhere multiport dports http,https
566 84264 ACCEPT tcp -- any any 172.64.0.0/13 anywhere multiport dports http,https
0 0 ACCEPT tcp -- any any 104.16.0.0/12 anywhere multiport dports http,https
2439 241K ACCEPT tcp -- any any 162.158.0.0/15 anywhere multiport dports http,https
0 0 ACCEPT tcp -- any any 198.41.128.0/17 anywhere multiport dports http,https
0 0 ACCEPT tcp -- any any 197.234.240.0/22 anywhere multiport dports http,https
0 0 ACCEPT tcp -- any any 188.114.96.0/20 anywhere multiport dports http,https
0 0 ACCEPT tcp -- any any 190.93.240.0/20 anywhere multiport dports http,https
157 20624 ACCEPT tcp -- any any 108.162.192.0/18 anywhere multiport dports http,https
0 0 ACCEPT tcp -- any any 141.101.64.0/18 anywhere multiport dports http,https
0 0 ACCEPT tcp -- any any 103.31.4.0/22 anywhere multiport dports http,https
33 5482 ACCEPT tcp -- any any 103.22.200.0/22 anywhere multiport dports http,https
0 0 ACCEPT tcp -- any any 103.21.244.0/22 anywhere multiport dports http,https
0 0 ACCEPT tcp -- any any 173.245.48.0/20 anywhere multiport dports http,https
71 4192 DROP tcp -- any any anywhere anywhere multiport dports http,https