Cloudflare and iptables

UNIX for Beginners Q & A
1

Hello everybody,

I set an IPTables rules to block SYN, Spams, Floods,.. and I added cloudflare IPs (IP4v) into a whitelist, I always wonder the website generate a 522 Error, when I unblock all banned IPs, the website runs safely.

Below are the rules:

#!/bin/sh

# Set to 0
iptables -t filter -F
iptables -t filter -X

# Block all
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP


#To block all packets from your own IP
#https://linoxide.com/firewall/block-common-attacks-iptables/
iptables -A INPUT -s MY.SERVER.IP -j DROP


###################################################
 # CloudFlare Web Application Firewall / CDN Access
#  https://rietta.com/blog/using-iptables-to-require-cloudflare/
################################################### 

#
# CloudFlare Network has Access to HTTP (port 80)
#
iptables -A INPUT -s 173.245.48.0/20 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 103.21.244.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 103.22.200.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 103.31.4.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 141.101.64.0/18 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 108.162.192.0/18 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 190.93.240.0/20 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 188.114.96.0/20 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 197.234.240.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 198.41.128.0/17 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 162.158.0.0/15 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 104.16.0.0/12 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 172.64.0.0/13 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 131.0.72.0/22 -p tcp --dport http -j ACCEPT

#
# CloudFlare Network has Access to Encrypted HTTPS (port 443)
#
iptables -A INPUT -s 173.245.48.0/20 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 103.21.244.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 103.22.200.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 103.31.4.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 141.101.64.0/18 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 108.162.192.0/18 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 190.93.240.0/20 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 188.114.96.0/20 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 197.234.240.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 198.41.128.0/17 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 162.158.0.0/15 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 104.16.0.0/12 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 172.64.0.0/13 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 131.0.72.0/22 -p tcp --dport https -j ACCEPT


#To protect against generic ICMP flood attacks
#https://www.sbarjatiya.com/notes_wiki/index.php/Rate_limiting_using_iptables
iptables -A INPUT -p icmp -m limit --limit 60/minute --limit-burst 120 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/minute --limit-burst 2 -j LOG
iptables -A INPUT -p icmp -j DROP

#To control network usage
iptables -A OUTPUT -p tcp -m tcp --dport 80 -m limit --limit 4/second --limit-burst 12 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -m limit --limit 1/minute --limit-burst 1 -j LOG
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j DROP

#For limiting the number of icmp packets
#https://linoxide.com/firewall/block-common-attacks-iptables/
#iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
#iptables -A INPUT -p tcp -m state --state NEW -j DROP


#https://hakin9.org/syn-flood-attacks-how-to-protect-article/
#These rules limit the rate of SYN requests from one IP to 20 per minute
iptables -A INPUT -p tcp -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
iptables -A INPUT -p tcp -m state --state NEW -m recent --set -j ACCEPT

#https://hakin9.org/syn-flood-attacks-how-to-protect-article/
#Some SYN attacks are easy to filter because they have the same 'unusual' parameters in the TCP header.
#MSS (Maximum Segment Size) maximum size of the segment that a host initiating the connection wants to allow
iptables -t mangle -I PREROUTING -p tcp -m tcp --dport 80 -m state --state NEW -m tcpmss ! --mss 536:65535 -j DROP

# CONN
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Loopback (127.0.0.1)
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

# ICMP (ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

# SSH IN/OUT
iptables -t filter -A INPUT -p tcp --dport 1981 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 1981 -j ACCEPT

# DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 8443 -j ACCEPT

# FTP Out
iptables -t filter -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 20 -j ACCEPT
# FTP In
# imodprobe ip_conntrack_ftp # ligne facultative avec les serveurs OVH
iptables -t filter -A INPUT -p tcp --dport 20 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
# Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
# Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
# Mail POP3S:995
iptables -t filter -A INPUT -p tcp --dport 995 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 995 -j ACCEPT

# Monit
iptables -t filter -A INPUT -p tcp --dport 1983 -j ACCEPT

# Webmin
iptables -t filter -A INPUT -p tcp --dport 8183 -j ACCEPT

# Ajenti
iptables -A INPUT -p udp -m state --state NEW --dport 8000 -j ACCEPT 
iptables -A INPUT -p tcp -m state --state NEW --dport 8000 -j ACCEPT

# Transmission:
iptables -A OUTPUT -p tcp --dport 9091 -j ACCEPT
iptables -A INPUT -p tcp --dport 9091 -j ACCEPT
iptables -A INPUT -p tcp --dport 51413 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 51413 -j ACCEPT

#https://linoxide.com/firewall/block-common-attacks-iptables/
#https://doc.ubuntu-fr.org/iptables
# Drop XMAS and NULL scans.
iptables -A INPUT -p tcp --tcp-flags ALL,FIN,URG,PSH FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# Drop broadcated CONN
iptables -A INPUT -m pkttype --pkt-type broadcast -j DROP


#Allow Server2 to access MySQL DataBase
#iptables -A INPUT -i eth0 -s MY.SERVER.IP -p tcp --destination-port 3306 -j ACCEPT

# Client mysql / Access to remote MySQL into server1
#iptables -t filter -A INPUT -p tcp --dport 3306 -j ACCEPT
#iptables -t filter -A OUTPUT -p tcp --dport 3306 -j ACCEPT

Thanks in advance

2

Normally,

It is a good idea to start from the top, but the method is up to you:

Comment out all the lines except for the top line, flush iptables, reapply and test.

If it works, uncomment one or more lines and try again.

Repeat until you find the offending line or lines.

4 Likes
3

@Neo: Basically if an IP (range of IP) is whitelisted, it should not be blocked, or may cloudflare are using other IPs than those mentioned in their file