Iptables – drop all HTTP(S) traffic but from CloudFlare

blockcloudflareddoshttpiptables

I would like to allow only HTTP(S) traffic coming from CloudFlare. In that way attackers cannot attack the server directly.
I know CloudFlare is not mainly a DDoS mitigator, but I would like to try it either way.

I'm currently only having access to iptables (ipv4 only), but will try to install ip6tables soon. I just need to have this fixed soon. (we're getting (D)DoSed atm.)

I was thinking about something like this:

iptables -I INPUT -s <CloudFlare IP> --dport 80 -j ACCEPT
iptables -I INPUT -s <CloudFlare IP> --dport 443 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j DROP
iptables -I INPUT -p tcp --dport 443 -j DROP

I know that CloudFlare has multiple IPs, but just for an example.

Would this be the right way?

Best Answer

Yes, that would work. You can also use ! to negate like this:

iptables -I INPUT ! -s <cloud_flare ip> -p tcp --dport 80 -j DROP
iptables -I INPUT ! -s <cloud_flare ip> -p tcp --dport 443 -j DROP

Related Solutions

Iptables HTTP Traffic – Iptables Rules to Allow HTTP Traffic to One Domain Only

With IPTables rules, order matters. The rules are added, and applied, in order. Moreover, when adding rules manually they get applied immediately. Thus, in your example, any packets going through the INPUT and OUTPUT chains start getting dropped as soon as the default policy is set. This is also, incidentally, why you received the error message you did. What is happening is this:

The default DROP policy get applied
IPTables receives a hostname as a destination
IPTables attempts a DNS lookup on 'serverfault.com'
The DNS lookup is blocked by the DROP action

While the source/destination options will accept hostnames, it is strongly discouraged. To quote the man page,

Hostnames will be resolved once only, before the rule is submitted to the kernel. Please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea.

Slillibri hit the nail on the head which his answer, you missed the DNS ACCEPT rule. In your case it won't matter, but generally I would set the default policy later on the process. The last thing you want is to be working remotely and allow SSH after turning on a default deny.

Also, depending on your distribution, you should be able to save your firewall rules such that they will be automatically applied at start time.

Knowing all that, and rearranging your script, here is what I would recommend.

# Allow loopback
iptables -I INPUT 1 -i lo -j ACCEPT

# Allow DNS
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# Now, allow connection to website serverfault.com on port 80
iptables -A OUTPUT -p tcp -d serverfault.com --dport 80 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Drop everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP

IPTables Traffic Quota – Setting Up Traffic Quota on Linux

If you want to apply quota to both incoming and outgoing, you'd do it like this:

-A OUTPUT -p tcp --sport $PORTNUM_1 -g filter_quota_1
-A OUTPUT -p tcp --sport $PORTNUM_2 -g filter_quota_2
<other OUTPUT rules for other users>
-A INPUT  -p tcp --dport $PORTNUM_1 -g filter_quota_1
-A INPUT  -p tcp --dport $PORTNUM_2 -g filter_quota_2
<other INPUT rules>
-A filter_quota_1 -m quota --quota $QUOTA_1 -g chain_where_quota_not_reached
-A filter_quota_1 -g chain_where_quota_is_reached
-A filter_quota_2 -m quota --quota $QUOTA_2 -g chain_where_quota_not_reached
-A filter_quota_2 -g chain_where_quota_is_reached
<other filter_quota_N chains>

When you want to reset quota #N, you'd do iptables -F filter_quota_N and then re-populate filter_quota_N.

Since the rules are mostly similar, you really should consider automation with bash (or other scripting language of your choice)

Best Answer

Related Solutions

Iptables HTTP Traffic – Iptables Rules to Allow HTTP Traffic to One Domain Only

IPTables Traffic Quota – Setting Up Traffic Quota on Linux

Related Topic