Allow CloudFlare ip only for discourse app in docker container

mlmmlm_admin · 2021 年2 月 25 日 18:31

mlmmlm_admin · 2021 年2 月 25 日 18:32

1.clear all rules (optional)

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X

mlmmlm_admin · 2021 年2 月 25 日 18:33

2.restart docker (follows step one)

systemctl restart docker

mlmmlm_admin · 2021 年2 月 25 日 18:37

3.delete rule in DOCKER-USER below

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 ***  ***   RETURN     all  --  any    any     anywhere             anywhere

you can delete by iptables -D DOCKER-USER <line number of rule>

mlmmlm_admin · 2021 年2 月 25 日 18:41

4.run script (adpated from Allow CloudFlare only · GitHub)

for i in `curl https://www.cloudflare.com/ips-v4`; do iptables -I DOCKER-USER -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done

iptables -A DOCKER-USER -p tcp -m multiport --dports http,https -j DROP

====
update:
after getting this done, avatars and admin dashboards are broken.

fix:

1.use netstat -i to check out your NICs

2.the scprit should be modified to

for i in `curl https://www.cloudflare.com/ips-v4`; do iptables -I DOCKER-USER -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done

iptables -A DOCKER-USER -i <your NIC name> -p tcp -m multiport --dports http,https -j DROP

mlmmlm_admin · 2021 年2 月 25 日 18:43

5.dpkg-reconfigure iptables-persistent

mlmmlm_admin · 2021 年2 月 25 日 18:50

finally, the port scanning result shoud be like this:

Port Number	State	Service Name	Service Product	Service Version	Service Extra Info
22	open	ssh	OpenSSH	********	*******
79	filtered	finger
80	filtered	http
443	filtered	https
5051	filtered	ida-agent