Cloudflare 是一家提供网站安全管理、性能优化等相关技术的跨国科技企业。Cloudflare 可以帮助受保护站点抵御包括分布式拒绝服务攻击（DDoS，Distributed Denial of Service）在内的大多数网络攻击，确保网站长期在线，阻止网络攻击、垃圾邮件等，同时提升网站的性能和访问速度以改善访客体验。Cloudflare 提供免费套餐，是防御 DDoS 的最佳解决方案之一。但要注意，Cloudflare 只能保护经由它转发的流量：一旦攻击者得知源站的真实 IP，就可以绕过 Cloudflare 直接攻击源站。因此源站防火墙应当只放行 Cloudflare 公布的出口 IP 段访问 Web 端口，这正是下面 iptables 规则要做的事情。
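#!/usr/bin/env bash
# Refresh the CLOUDFLARE chain in both iptables and ip6tables so that only
# Cloudflare's published edge ranges RETURN (i.e. are allowed through) and
# everything else is dropped.
#
# The original sequence was: delete the trailing DROP, flush the chain, then
# pipe `curl` straight into a for-loop. That left two gaps: (1) a failed or
# non-200 download (captive portal, Cloudflare outage, DNS hiccup) would feed
# an HTML page or nothing into iptables, ending with an EMPTY chain - either
# locking every client out or, with the DROP removed, exposing the origin to
# the whole Internet; (2) unquoted expansions. Here both lists are downloaded
# and sanity-checked BEFORE the chain is touched, so any failure leaves the
# currently installed rules in place.
#
# Assumes the CLOUDFLARE chain already exists in the IPv4 and IPv6 filter
# tables and that INPUT jumps to it for the web ports. Must run as root.
set -euo pipefail

readonly CF_IPV4_URL='https://www.cloudflare.com/ips-v4'
readonly CF_IPV6_URL='https://www.cloudflare.com/ips-v6'

# Loose CIDR shapes - enough to reject an error page or junk being fed into
# iptables. Prefix lengths are range-checked; octet values are not.
readonly CIDR_V4_RE='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
readonly CIDR_V6_RE='^[0-9a-fA-F:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'

die() { printf 'cf-update: %s\n' "$*" >&2; exit 1; }

#######################################
# Download one published range list.
# Arguments: $1 - URL
# Outputs:   list body on stdout
# Returns:   non-zero on network error or HTTP 4xx/5xx (--fail), so an error
#            page is never mistaken for a list. --max-time bounds a hung run.
#######################################
fetch_list() {
  curl --fail --silent --show-error --max-time 30 "$1"
}

#######################################
# Check that a downloaded list is non-empty and every line looks like a CIDR.
# Arguments: $1 - list text, $2 - extended regex each non-empty line must match
# Returns:   0 when at least one line exists and all lines match, else 1
#######################################
validate_list() {
  local text=$1 re=$2 line seen=0
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ -z "$line" ]] && continue
    [[ "$line" =~ $re ]] || return 1
    seen=1
  done <<<"$text"
  (( seen == 1 ))
}

#######################################
# Rebuild one address family's CLOUDFLARE chain from an already-validated list.
# Arguments: $1 - firewall binary (iptables or ip6tables), $2 - list text
#######################################
apply_list() {
  local bin=$1 text=$2 cidr
  # Remove the catch-all first (as the original did) so the flush below cannot
  # leave a chain that drops everything while it is being repopulated. The
  # DROP may legitimately be absent (first run), hence the ignored failure.
  "$bin" -D CLOUDFLARE -j DROP 2>/dev/null || true
  "$bin" -F CLOUDFLARE
  while IFS= read -r cidr; do
    [[ -n "$cidr" ]] || continue
    "$bin" -A CLOUDFLARE -s "$cidr" -j RETURN
  done <<<"$text"
  # Re-append the catch-all: anything not in Cloudflare's ranges is dropped.
  "$bin" -A CLOUDFLARE -j DROP
}

main() {
  local v4 v6
  v4=$(fetch_list "$CF_IPV4_URL") || die "could not download $CF_IPV4_URL; chain left untouched"
  v6=$(fetch_list "$CF_IPV6_URL") || die "could not download $CF_IPV6_URL; chain left untouched"
  validate_list "$v4" "$CIDR_V4_RE" || die "ips-v4 response is not a CIDR list; chain left untouched"
  validate_list "$v6" "$CIDR_V6_RE" || die "ips-v6 response is not a CIDR list; chain left untouched"
  apply_list iptables "$v4"
  apply_list ip6tables "$v6"
}

main "$@"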
root@host2:~# curl -k -v `curl -4 ip.sb` * Trying 你的IP:80... * connect to 你的IP port 80 failed: Connection timed out * Failed to connect to 你的IP port 80: Connection timed out * Closing connection 0 curl: (28) Failed to connect to 你的IP port 80: Connection timed out
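# ---- IPv4 filter rules, iptables-restore format (fragment) ----
# The *filter header, chain declarations and COMMIT are not part of this
# excerpt. The INPUT default policy is not visible either; the rules below
# only make sense with a DROP policy on INPUT.

# Loopback: accept everything on lo, and reject packets that carry a 127/8
# destination but arrived on some other interface (spoofed loopback).
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Replies to connections this host opened, plus related traffic such as
# ICMP errors. conntrack/--ctstate is the current spelling of the deprecated
# state/--state match; behaviour is identical.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Outbound is unrestricted. Tighten this if the host should only reach
# known services (DNS, package mirrors, Cloudflare origin pulls).
-A OUTPUT -j ACCEPT

# Web ports: hand the packet to the CLOUDFLARE chain first. That chain
# RETURNs for Cloudflare's published ranges and DROPs everything else, so the
# ACCEPT that follows is reached only by traffic that came through Cloudflare.
# Without this jump the ACCEPT opens 80/443 to the whole Internet and the
# allow-list maintained by the update script is bypassed. The chain must be
# declared in this table's header (`:CLOUDFLARE - [0:0]`) or restore fails.
-A INPUT -p tcp -m multiport --dports 80,443 -j CLOUDFLARE
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

# SSH. Keep --dport in sync with `Port` in sshd_config. As written it is open
# to every source address; restrict with -s to admin ranges, or add a
# hashlimit/recent rate limit, if either is an option for this host.
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT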
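# ---- IPv6 filter rules, ip6tables-restore format (fragment) ----
# The *filter header, chain declarations and COMMIT are not part of this
# excerpt. The INPUT default policy is not visible either; the rules below
# only make sense with a DROP policy on INPUT.

# Loopback: accept everything on lo, and reject packets that carry the ::1
# destination but arrived on some other interface (spoofed loopback).
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d ::1/128 -j REJECT

# Replies to connections this host opened, plus related traffic.
# conntrack/--ctstate is the current spelling of the deprecated state match.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# ICMPv6 is not optional on IPv6: Neighbor Discovery (RS/RA/NS/NA), MLD and
# Packet Too Big all ride on it. With a DROP policy and no ICMPv6 rule the
# host cannot resolve its gateway and IPv6 connectivity silently breaks.
# Narrow to specific --icmpv6-type values if the policy requires it.
-A INPUT -p ipv6-icmp -j ACCEPT

# Outbound is unrestricted. Tighten this if the host should only reach
# known services.
-A OUTPUT -j ACCEPT

# Web ports: jump to the CLOUDFLARE chain first (RETURN for Cloudflare's
# published IPv6 ranges, DROP for everything else), so the ACCEPT that follows
# is reached only by traffic that came through Cloudflare. Without the jump
# the ACCEPT opens 80/443 to the whole Internet. The chain must be declared in
# this table's header (`:CLOUDFLARE - [0:0]`) or restore fails.
-A INPUT -p tcp -m multiport --dports 80,443 -j CLOUDFLARE
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

# SSH. Keep --dport in sync with `Port` in sshd_config. Open to every source
# as written; restrict with -s to admin ranges or rate-limit where possible.
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT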