Docker container accessible only via Cloudflare CDN (selected ip ranges)
SOLUTION:
iptables -F DOCKER-USER
iptables -I DOCKER-USER -j RETURN
iptables -I DOCKER-USER -p tcp -m multiport --dports http,https -j DROP
for i in $(curl -s https://www.cloudflare.com/ips-v4); do
  iptables -I DOCKER-USER -p tcp -i eth0 -m multiport --dports http,https -s "$i" -j RETURN
done
iptables -I DOCKER-USER -o eth0 -d 0.0.0.0/0 -j ACCEPT
Result of iptables -L for DOCKER-USER:
ACCEPT  all  --  anywhere        anywhere
RETURN  tcp  --  <ACCEPTED IPs>  anywhere  multiport dports http,https
DROP    tcp  --  anywhere        anywhere  multiport dports http,https
RETURN  all  --  anywhere        anywhere
Explanation:
First part (ACCEPT) ACCEPTs outgoing traffic from the web server (docker container).
Second part (RETURN) describes the allowed IP addresses that may connect on port 80 or 443.
Third part (DROP) drops packets of connections on port 80/443 which are NOT listed in the RETURN part.
Fourth part (RETURN) is the default rule in the DOCKER-USER chain. It makes it possible to handle connections on other ports by the next rules instead of dropping all connections on non-80/443 ports (e.g. port 22 - ssh).
This will also drop any packet of a docker container running on port 80/tcp whose port is not mapped to the host, creating an issue similar to "docker, iptables and cloudflare".
How to block countries from server when using cloudflare?
CloudFlare allows you to block certain countries from accessing your website at the CloudFlare level. To do so:
- Select your domain in your CloudFlare Control Panel
- Select the "Firewall" tab
- On the "IP Firewall" tab, you can enter an IP, IP range, or Country and click block.
This will block the country from all your websites on the CloudFlare level, before any attack even hits your server.
If you require to block it with your Nginx solution rather than CloudFlare's firewall for whatever reason, you can look at enabling "IP Geolocation" under the "Network" tab of the Control Panel. This adds the header "HTTP_CF_IPCOUNTRY" to all requests, and it will contain the Country Code (i.e. US, UK, RU) in the header.
If you need to block any requests based off certain IPs, or perform the IP lookup yourself, then you should use the default CloudFlare header that is included with every request and holds the client's IP, named "CF-Connecting-IP".
For future information, CloudFlare has a good article written here on how they handle their headers.