Allow CloudFlare ip only for discourse app in docker container
1. clear all rules (optional)
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X
2. restart docker (needed after step one, so docker recreates its own chains, including DOCKER-USER)
systemctl restart docker
3. delete the default RETURN rule in DOCKER-USER shown below (as listed by iptables -L DOCKER-USER -v); the DROP rule appended in step 4 would otherwise sit behind that RETURN and never be reached
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
*** *** RETURN all -- any any anywhere anywhere
you can delete it with iptables -D DOCKER-USER <line number of rule> (add --line-numbers to the -L command to see the number)
4. run script (adapted from Allow CloudFlare only · GitHub); curl -f makes a failed download return nothing instead of an error page being fed to iptables
for i in $(curl -sf https://www.cloudflare.com/ips-v4); do iptables -I DOCKER-USER -p tcp -m multiport --dports http,https -s "$i" -j ACCEPT; done
iptables -A DOCKER-USER -p tcp -m multiport --dports http,https -j DROP
====
update:
after getting this done, avatars and admin dashboards are broken.
fix:
1. use netstat -i to check out your NICs
2. the script should be modified so the DROP rule only matches packets arriving on your external NIC; without -i it also drops the container's own outbound connections to port 80/443 (those pass through DOCKER-USER too), which is what breaks the avatar fetches and the admin dashboard
for i in $(curl -sf https://www.cloudflare.com/ips-v4); do iptables -I DOCKER-USER -p tcp -m multiport --dports http,https -s "$i" -j ACCEPT; done
iptables -A DOCKER-USER -i <your NIC name> -p tcp -m multiport --dports http,https -j DROP
5. save the rules so they survive a reboot: dpkg-reconfigure iptables-persistent
finally, the port scanning result should be like this:
Port Number | State | Service Name | Service Product | Service Version | Service Extra Info |
---|---|---|---|---|---|
22 | open | ssh | OpenSSH | ******** | ******* |
79 | filtered | finger | | | |
80 | filtered | http | | | |
443 | filtered | https | | | |
5051 | filtered | ida-agent | | | |
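A small generator for the rules above, written as an added example (not code from the post or the linked gist): it validates every line before anything reaches iptables, so a failed or redirected download cannot feed HTML or a stray shell line into the loop, and it goes a step further than the post by handling the ips-v6 list with ip6tables. The interface name eth0, the ips.txt file name and the RFC 5737/3849 documentation ranges used for testing are assumptions.

```shell
#!/bin/sh
# Added example: build the DOCKER-USER rules from a file of CIDRs instead of
# piping curl output straight into iptables. Prints the commands; pipe into sh
# as root to apply. NIC name and CIDR list are inputs (eth0 is an assumption).

# is_cidr LINE -> 0 if LINE is a plausible IPv4/IPv6 CIDR, 1 otherwise.
# Rejects empty lines and anything outside the CIDR alphabet, e.g. "<html>".
is_cidr() {
    case "$1" in
        ""|*[!0-9a-fA-F:./]*) return 1 ;;   # empty or forbidden characters
        */*) return 0 ;;                     # must carry a prefix length
        *) return 1 ;;
    esac
}

# gen_rules NIC FILE -> prints iptables/ip6tables commands for the CIDRs in FILE.
# ACCEPT rules go to the top of DOCKER-USER (-I); one DROP per address family is
# appended last (-A) and restricted with -i NIC, so the container's own outbound
# HTTP/HTTPS, which also traverses DOCKER-USER, is not dropped.
gen_rules() {
    nic=$1; file=$2
    while IFS= read -r cidr; do
        is_cidr "$cidr" || { echo "skipping bad line: $cidr" >&2; continue; }
        case "$cidr" in
            *:*) tool=ip6tables ;;           # IPv6 range from ips-v6
            *)   tool=iptables ;;            # IPv4 range from ips-v4
        esac
        echo "$tool -I DOCKER-USER -p tcp -m multiport --dports http,https -s $cidr -j ACCEPT"
    done < "$file"
    for tool in iptables ip6tables; do
        echo "$tool -A DOCKER-USER -i $nic -p tcp -m multiport --dports http,https -j DROP"
    done
}

# Usage (run as root, after removing the default RETURN rule as in step 3):
#   { curl -sf https://www.cloudflare.com/ips-v4; echo; curl -sf https://www.cloudflare.com/ips-v6; } > ips.txt
#   gen_rules eth0 ips.txt | sh
```

Review the printed commands before piping them into sh; the blank line the usage example inserts between the two lists is skipped by is_cidr.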