Simple CC-attack (HTTP flood) protection with Cloudflare

  • Four commands: allow only Cloudflare to reach ports 80 and 443, so the origin cannot be scanned or hit directly
# Drop everything to 80/443 first; the ACCEPT rules inserted afterwards with -I land above the DROP
iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -p tcp --dport 443 -j DROP
# Fetch Cloudflare's published IPv4 ranges and insert one ACCEPT per range for each port
curl https://www.cloudflare.com/ips-v4|awk '{print "iptables -I INPUT -s "$0" -p tcp --dport 80 -j ACCEPT"}'|sh
curl https://www.cloudflare.com/ips-v4|awk '{print "iptables -I INPUT -s "$0" -p tcp --dport 443 -j ACCEPT"}'|sh

IPv6 version (same pattern with ip6tables and the ips-v6 list):
ip6tables -I INPUT -p tcp --dport 80 -j DROP
ip6tables -I INPUT -p tcp --dport 443 -j DROP
curl https://www.cloudflare.com/ips-v6|awk '{print "ip6tables -I INPUT -s "$0" -p tcp --dport 80 -j ACCEPT"}'|sh
curl https://www.cloudflare.com/ips-v6|awk '{print "ip6tables -I INPUT -s "$0" -p tcp --dport 443 -j ACCEPT"}'|sh

firewalld version:

# Close 80/443 if they were opened with --add-port (default zone and the public zone)
firewall-cmd --permanent --remove-port=80/tcp
firewall-cmd --permanent --remove-port=443/tcp
firewall-cmd --zone=public --remove-port=80/tcp --permanent
firewall-cmd --zone=public --remove-port=443/tcp --permanent
# Rich rules: accept 80/443 only from Cloudflare's published IPv4 ranges
curl https://www.cloudflare.com/ips-v4|awk '{print "firewall-cmd --permanent --add-rich-rule=\"rule family=\"ipv4\" source address=\""$0"\" port protocol=\"tcp\" port=\"80\" accept\""}'|sh
curl https://www.cloudflare.com/ips-v4|awk '{print "firewall-cmd --permanent --add-rich-rule=\"rule family=\"ipv4\" source address=\""$0"\" port protocol=\"tcp\" port=\"443\" accept\""}'|sh
# Load the permanent rules
systemctl restart firewalld.service

To revert, delete the rules by changing -I to -D in the iptables/ip6tables commands; see also:

  • https://github.com/drvy/ufw-cloudflare
  • https://github.com/kingcc/cloudflare-ips-only
  • Cloudflare firewall rule that blocks the ASNs of common data-center/hosting providers
(ip.geoip.asnum in {8075 53667 35916 20473 63949 16276 12876 6939 45102 132203 9009 328608 138915 133929 55799 138607 40065 132839 45753 55933 36352 31898 14618 16509 14061 35908 8100 18013 25820 21887 55158 7489 137443 58879 15169 23959 4785 38001 55720 135300 41378 199524 54600 2914 43959 133752 48024 52341 46844 2497 9370 21859 3223 54574 4637 10026 9299 58073 9312 395954 63023 40676 62904 132513 137577 7684 60068 49981 54994 63018 11691 24940} and http.request.method eq "POST") or (ip.geoip.country in {"PH" "KH" "LA" "MM" "PW" "HK" "TW"} and http.request.method eq "POST") or (ip.geoip.asnum in {139726 134366 140596 136993 139327 134835 133905 133380 133024 140096 134520 139340 139640 138994 137969 63620 137263 136800 134548 63888 207400 45932 63916 9678 135377 131477 62468} and http.request.method eq "POST") or (ip.geoip.asnum in {3462} and http.request.method eq "POST")

Note: because the rule is limited to POST, these sources can still browse with GET but cannot post.

  • Challenge when the threat score is 5 or higher and the client is not a known legitimate bot; challenge when the HTTP version is not "HTTP/1.2", "HTTP/2", "HTTP/3" or "SPDY/3.1"; challenge when the User-Agent header does not contain Mozilla/
(cf.threat_score ge 5 and not cf.client.bot) or (not http.request.version in {"HTTP/1.2" "HTTP/2" "HTTP/3" "SPDY/3.1"}) or (not http.user_agent contains "Mozilla/")
  • Allow legitimate bot crawlers
(cf.client.bot) or (http.user_agent contains "duckduckgo") or (http.user_agent contains "FBexternalhit") or (http.user_agent contains "Feedfetcher-Google") or (http.user_agent contains "LinkedInBot") or (http.user_agent contains "Mediapartners-Google") or (http.user_agent contains "msnbot") or (http.user_agent contains "Slackbot") or (http.user_agent contains "Twitterbot") or (http.user_agent contains "ia_archive") or (http.user_agent contains "yahoo")
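The origin allowlist from the first section, as an added example (not code from the original post): it builds the same iptables/ip6tables rule set in the order the commands must be typed, and scans access-log peer addresses to detect requests that reached the origin without passing through Cloudflare. The CIDR lists and the log lines are constructed samples; in production the live ips-v4/ips-v6 lists must be fetched and refreshed.

```python
import ipaddress

# Constructed sample excerpt in the format of https://www.cloudflare.com/ips-v4
# and /ips-v6 (one CIDR per line). Fetch and refresh the live lists in
# production, because Cloudflare adds and retires ranges over time.
CF_IPS_V4 = """173.245.48.0/20
103.21.244.0/22
104.16.0.0/13
"""
CF_IPS_V6 = """2400:cb00::/32
2606:4700::/32
"""

def parse_ranges(text):
    """Parse a newline-separated CIDR list, skipping blank lines."""
    return [ipaddress.ip_network(ln.strip()) for ln in text.splitlines() if ln.strip()]

CF_NETS = parse_ranges(CF_IPS_V4) + parse_ranges(CF_IPS_V6)

def is_cloudflare(ip):
    """True if the address falls inside one of Cloudflare's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_NETS)

def firewall_rules(nets, ports=(80, 443)):
    """Emit the post's rule set in typing order: the DROP for each port first,
    then every ACCEPT inserted with -I, which places it above the DROP.
    IPv4 ranges go to iptables, IPv6 ranges to ip6tables."""
    rules = []
    for family, tool in ((4, "iptables"), (6, "ip6tables")):
        for port in ports:
            rules.append(f"{tool} -I INPUT -p tcp --dport {port} -j DROP")
        for net in nets:
            if net.version == family:
                for port in ports:
                    rules.append(f"{tool} -I INPUT -s {net} -p tcp --dport {port} -j ACCEPT")
    return rules

# Constructed access-log sample. The first field is the TCP peer address, not
# the CF-Connecting-IP header: anyone connecting directly can forge that header,
# so only the peer address tells you whether Cloudflare was in the path.
SAMPLE_LOG = """173.245.48.10 - - [01/Jan/2024:00:00:01 +0000] "GET / HTTP/1.1" 200
203.0.113.7 - - [01/Jan/2024:00:00:02 +0000] "GET /wp-login.php HTTP/1.1" 200
2606:4700:1234::5 - - [01/Jan/2024:00:00:03 +0000] "POST /comment HTTP/2.0" 200
"""

def direct_hits(log_text):
    """Peer addresses that reached the origin without passing through Cloudflare;
    any entry here means the allowlist is missing or has gone stale."""
    peers = [ln.split()[0] for ln in log_text.splitlines() if ln.strip()]
    return [p for p in peers if not is_cloudflare(p)]
```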