Allow CloudFlare ip only for discourse app in docker container


1. clear all rules (optional; this resets every default policy to ACCEPT and flushes all chains, so the host is wide open until step 4 is finished)

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X

2. restart docker (only needed if you did step 1, so docker recreates its own chains)

systemctl restart docker

3. delete the default RETURN rule in DOCKER-USER shown below

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 ***  ***   RETURN     all  --  any    any     anywhere             anywhere

list the chain with iptables -L DOCKER-USER -n -v --line-numbers, then delete the RETURN rule with iptables -D DOCKER-USER <line number of rule>

4. run script (adapted from Allow CloudFlare only · GitHub). This only covers IPv4: if the host is reachable over IPv6 the same rules are needed in ip6tables using https://www.cloudflare.com/ips-v6, otherwise the ports stay open over v6.

# fetch the current CloudFlare IPv4 ranges and insert one ACCEPT per range at the top of DOCKER-USER
for i in $(curl -fsS https://www.cloudflare.com/ips-v4); do iptables -I DOCKER-USER -p tcp -m multiport --dports http,https -s "$i" -j ACCEPT; done

# everything else to http/https is dropped (appended, so it sits after the ACCEPT rules)
iptables -A DOCKER-USER -p tcp -m multiport --dports http,https -j DROP

====
update:
after getting this done, avatars and admin dashboards are broken. The reason is that the DROP rule is not tied to an interface, so it also matches traffic arriving on the docker bridge (the container calling the site's own hostname), whose source is the container address and not a CloudFlare range.

fix:

1. use netstat -i to check out your NICs and note the name of the public one

2. the script should be modified so the DROP only applies to that NIC:

# fetch the current CloudFlare IPv4 ranges and insert one ACCEPT per range at the top of DOCKER-USER
for i in $(curl -fsS https://www.cloudflare.com/ips-v4); do iptables -I DOCKER-USER -p tcp -m multiport --dports http,https -s "$i" -j ACCEPT; done

# drop only on the public NIC; traffic on the docker bridge falls off the end of the chain and is still allowed
iptables -A DOCKER-USER -i <your NIC name> -p tcp -m multiport --dports http,https -j DROP

5. save the rules so they survive a reboot: dpkg-reconfigure iptables-persistent
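The whole procedure from step 4 and the fix, put together as one script. This is an added example and not the script from the post or the GitHub gist; it assumes the public NIC is passed in EXT_IF (eth0 by default, replace it with the name netstat -i gave you), and the two ranges used in the comments are only a sample, the live list is always fetched from the CloudFlare URL. It differs from the post's one-liner in two ways: it prints the planned rules first so they can be reviewed, and it checks with iptables -C before adding, so running it twice does not duplicate rules.

```shell
#!/bin/sh
# Added example (not the original post's script). Builds the DOCKER-USER rule
# set from the CloudFlare IPv4 list. Assumes EXT_IF is the public NIC.
set -eu

EXT_IF="${EXT_IF:-eth0}"           # assumption: public NIC found with netstat -i
IPTABLES="${IPTABLES:-iptables}"   # path to the iptables binary

# Live list of CloudFlare IPv4 ranges, one CIDR per line.
fetch_cloudflare_v4() {
  curl -fsS https://www.cloudflare.com/ips-v4
}

# Turn a list of CIDRs (stdin) into iptables rule arguments, one rule per line.
# $1 = public interface name. ACCEPT rules are inserted at the top, the DROP
# is appended and scoped to the public NIC so traffic on the docker bridge
# (the container calling its own hostname) is not dropped.
plan_rules() {
  while read -r cidr; do
    case "$cidr" in
      ''|'#'*) continue ;;   # skip blank lines and comments
    esac
    printf '%s\n' "-I DOCKER-USER -p tcp -m multiport --dports http,https -s $cidr -j ACCEPT"
  done
  printf '%s\n' "-A DOCKER-USER -i $1 -p tcp -m multiport --dports http,https -j DROP"
}

# Apply the planned rules (stdin), adding each one only if iptables -C
# reports it is not already present, so re-runs are idempotent.
apply_rules() {
  while read -r rule; do
    check=$(printf '%s' "$rule" | sed 's/^-[IA] /-C /')
    # shellcheck disable=SC2086  # word splitting is intended here
    if ! $IPTABLES $check 2>/dev/null; then
      $IPTABLES $rule
    fi
  done
}

# Number of rules a plan contains: one per CIDR plus the final DROP.
count_rules() {
  plan_rules "$1" | wc -l | tr -d ' '
}

# Usage: "plan" prints the rules without touching the firewall,
#        "apply" fetches the list and installs the rules (run as root).
case "${1:-}" in
  apply) fetch_cloudflare_v4 | plan_rules "$EXT_IF" | apply_rules ;;
  plan)  fetch_cloudflare_v4 | plan_rules "$EXT_IF" ;;
  *)     echo "usage: $0 plan|apply   (EXT_IF=$EXT_IF)" ;;
esac
```

Run it with plan first and compare the output against iptables -L DOCKER-USER -n -v --line-numbers; the last line must be the DROP with -i set to your public NIC, otherwise the container's own requests get dropped again. Step 3 (removing docker's RETURN rule) and step 5 (iptables-persistent) are still done by hand as in the post.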

finally, the port scanning result should look like this (only ssh is reachable directly, http/https are filtered for non-CloudFlare sources):

Port   State     Service    Product   Version    Extra Info
22     open      ssh        OpenSSH   ********   *******
79     filtered  finger
80     filtered  http
443    filtered  https
5051   filtered  ida-agent