Hello everybody,
I set an IPTables rules to block SYN, Spams, Floods,.. and I added cloudflare IPs (IP4v) into a whitelist, I always wonder the website generate a 522 Error, when I unblock all banned IPs, the website runs safely.
Below are the rules:
#!/bin/sh
# Set to 0
iptables -t filter -F
iptables -t filter -X
# Block all
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
#To block all packets from your own IP
#https://linoxide.com/firewall/block-common-attacks-iptables/
iptables -A INPUT -s MY.SERVER.IP -j DROP
###################################################
# CloudFlare Web Application Firewall / CDN Access
# https://rietta.com/blog/using-iptables-to-require-cloudflare/
###################################################
#
# CloudFlare Network has Access to HTTP (port 80)
#
iptables -A INPUT -s 173.245.48.0/20 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 103.21.244.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 103.22.200.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 103.31.4.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 141.101.64.0/18 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 108.162.192.0/18 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 190.93.240.0/20 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 188.114.96.0/20 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 197.234.240.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 198.41.128.0/17 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 162.158.0.0/15 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 104.16.0.0/12 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 172.64.0.0/13 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 131.0.72.0/22 -p tcp --dport http -j ACCEPT
#
# CloudFlare Network has Access to Encrypted HTTPS (port 443)
#
iptables -A INPUT -s 173.245.48.0/20 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 103.21.244.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 103.22.200.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 103.31.4.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 141.101.64.0/18 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 108.162.192.0/18 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 190.93.240.0/20 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 188.114.96.0/20 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 197.234.240.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 198.41.128.0/17 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 162.158.0.0/15 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 104.16.0.0/12 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 172.64.0.0/13 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 131.0.72.0/22 -p tcp --dport https -j ACCEPT
#To protect against generic ICMP flood attacks
#https://www.sbarjatiya.com/notes_wiki/index.php/Rate_limiting_using_iptables
iptables -A INPUT -p icmp -m limit --limit 60/minute --limit-burst 120 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/minute --limit-burst 2 -j LOG
iptables -A INPUT -p icmp -j DROP
#To control network usage
iptables -A OUTPUT -p tcp -m tcp --dport 80 -m limit --limit 4/second --limit-burst 12 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -m limit --limit 1/minute --limit-burst 1 -j LOG
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j DROP
#For limiting the number of icmp packets
#https://linoxide.com/firewall/block-common-attacks-iptables/
#iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
#iptables -A INPUT -p tcp -m state --state NEW -j DROP
#https://hakin9.org/syn-flood-attacks-how-to-protect-article/
#These rules limit the rate of SYN requests from one IP to 20 per minute
iptables -A INPUT -p tcp -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
iptables -A INPUT -p tcp -m state --state NEW -m recent --set -j ACCEPT
#https://hakin9.org/syn-flood-attacks-how-to-protect-article/
#Some SYN attacks are easy to filter because they have the same 'unusual' parameters in the TCP header.
#MSS (Maximum Segment Size) maximum size of the segment that a host initiating the connection wants to allow
iptables -t mangle -I PREROUTING -p tcp -m tcp --dport 80 -m state --state NEW -m tcpmss ! --mss 536:65535 -j DROP
# CONN
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Loopback (127.0.0.1)
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
# SSH IN/OUT
iptables -t filter -A INPUT -p tcp --dport 1981 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 1981 -j ACCEPT
# DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT
# FTP Out
iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT
# FTP In
# imodprobe ip_conntrack_ftp # ligne facultative avec les serveurs OVH
iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
# Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
# Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
# Mail POP3S:995
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT
# Monit
iptables -t filter -A INPUT -p tcp --dport 1983 -j ACCEPT
# Webmin
iptables -t filter -A INPUT -p tcp --dport 8183 -j ACCEPT
# Ajenti
iptables -A INPUT -p udp -m state --state NEW --dport 8000 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 8000 -j ACCEPT
# Transmission:
iptables -A OUTPUT -p tcp --dport 9091 -j ACCEPT
iptables -A INPUT -p tcp --dport 9091 -j ACCEPT
iptables -A INPUT -p tcp --dport 51413 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 51413 -j ACCEPT
#https://linoxide.com/firewall/block-common-attacks-iptables/
#https://doc.ubuntu-fr.org/iptables
# Drop XMAS and NULL scans.
iptables -A INPUT -p tcp --tcp-flags ALL,FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# Drop broadcated CONN
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP
#Allow Server2 to access MySQL DataBase
#iptables -A INPUT -i eth0 -s MY.SERVER.IP -p tcp --destination-port 3306 -j ACCEPT
# Client mysql / Access to remote MySQL into server1
#iptables -t filter -A INPUT -p tcp --dport 3306 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --dport 3306 -j ACCEPT
Thanks in advance