Create a chain:
iptables -N CLOUDFLARE
ip6tables -N CLOUDFLARE

Have INPUT jump to it:
iptables -A INPUT -j CLOUDFLARE
ip6tables -A INPUT -j CLOUDFLARE

Then add Cloudflare's IP ranges to the chain:
for ip in `curl -s https://www.cloudflare.com/ips-v4`; do
    iptables -A CLOUDFLARE -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
done
for ip in `curl -s https://www.cloudflare.com/ips-v6`; do
    ip6tables -A CLOUDFLARE -p tcp -m multiport --dports http,https -s $ip -j ACCEPT
done

Deny every other IP:
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
Save the following as a script and run it from a scheduled job (cron):

# First remove the "deny everyone else" rule, so we don't get locked out (GG) while the commands below run
iptables -D INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -D INPUT -p tcp -m multiport --dports http,https -j DROP

# Flush the chain (old Cloudflare IPs)
iptables -F CLOUDFLARE
ip6tables -F CLOUDFLARE

# Add the current Cloudflare IPs. You may want to check curl's result here, so that a network
# problem does not leave the chain empty; write that check yourself
for ip in `curl -s https://www.cloudflare.com/ips-v4`; do
    iptables -A CLOUDFLARE -s $ip -j ACCEPT
done
for ip in `curl -s https://www.cloudflare.com/ips-v6`; do
    ip6tables -A CLOUDFLARE -s $ip -j ACCEPT
done

# Block other IPs
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP

# Save the rules (after the DROP is back in place, so the saved file includes it)
mkdir -p /etc/iptables/
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
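The script above leaves the check on curl's output to the reader, and it also has to drop the DROP rule, flush the chain and rebuild it in separate steps, which opens the ports to everyone for a moment. The following is an added example (not from the original post) of one way to close both gaps: each downloaded list is validated line by line before anything is touched, and the CLOUDFLARE chain is replaced in a single iptables-restore transaction, so the final DROP rule never has to be removed. It assumes the chain is named CLOUDFLARE with INPUT already jumping to it, as in the post, the list URLs published by Cloudflare, and the same /etc/iptables/rules.v4 and rules.v6 paths used above; the script name cf-chain.sh and the --apply flag are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: refresh the CLOUDFLARE chain only
# after the downloaded lists pass a sanity check, and swap the chain contents in
# one iptables-restore transaction instead of a delete-DROP / flush / re-add cycle.
# Assumptions: chain named CLOUDFLARE, INPUT already jumps to it, Cloudflare's
# published list URLs, and the post's /etc/iptables/rules.v4 and rules.v6 paths.

# Return 0 if $1 is an IPv4 CIDR (a.b.c.d/n with octets 0-255 and n 0-32).
is_v4_cidr() {
    addr=${1%/*}
    plen=${1#*/}
    [ "$addr" != "$1" ] || return 1                  # no "/" at all
    case $plen in ''|*[!0-9]*) return 1 ;; esac      # prefix length must be digits
    [ "$plen" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*) return 1 ;; esac     # digits and dots only; also keeps "set --" from globbing
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 looks like an IPv6 CIDR: hex digits and colons, at least one
# colon, prefix length 0-128. Deliberately loose; ip6tables does the final parse.
is_v6_cidr() {
    addr=${1%/*}
    plen=${1#*/}
    [ "$addr" != "$1" ] || return 1
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 128 ] || return 1
    [ -n "$addr" ] || return 1
    [ -z "$(printf '%s' "$addr" | tr -d '0-9a-fA-F:')" ] || return 1
    case $addr in *:*) return 0 ;; *) return 1 ;; esac
}

# Read one CIDR per line from stdin (family "4" or "6") and print the matching
# CLOUDFLARE chain rules in iptables-restore format. Exit 1 if the list is empty
# or any line is not a CIDR, so a truncated download or an HTML error page from
# curl never reaches the firewall.
build_chain_rules() {
    fam=$1
    count=0
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                           # tolerate CRLF
        [ -n "$line" ] || continue
        if [ "$fam" = 4 ]; then
            is_v4_cidr "$line" || return 1
        else
            is_v6_cidr "$line" || return 1
        fi
        printf '%s -s %s -p tcp -m multiport --dports 80,443 -j ACCEPT\n' '-A CLOUDFLARE' "$line"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ]
}

# Apply the rules for one family in a single transaction. "-n" (noflush) leaves
# every other chain alone; the ":CLOUDFLARE - [0:0]" line empties the existing
# user chain and the new rules land in the same commit, so the DROP stays in place.
apply_chain() {
    fam=$1
    rules=$2
    if [ "$fam" = 4 ]; then cmd=iptables-restore; else cmd=ip6tables-restore; fi
    printf '*filter\n:CLOUDFLARE - [0:0]\n%s\nCOMMIT\n' "$rules" | "$cmd" -n
}

# Download, validate, apply, persist. The firewall is only modified once both
# lists have been fetched and checked.
refresh_cloudflare_chain() {
    v4=$(curl -fsS https://www.cloudflare.com/ips-v4 | build_chain_rules 4) \
        || { echo "IPv4 list failed validation; firewall left unchanged" >&2; return 1; }
    v6=$(curl -fsS https://www.cloudflare.com/ips-v6 | build_chain_rules 6) \
        || { echo "IPv6 list failed validation; firewall left unchanged" >&2; return 1; }
    apply_chain 4 "$v4" || return 1
    apply_chain 6 "$v6" || return 1
    mkdir -p /etc/iptables
    iptables-save > /etc/iptables/rules.v4
    ip6tables-save > /etc/iptables/rules.v6
}

# Only touch the system when asked explicitly, e.g. from cron: sh cf-chain.sh --apply
case ${1:-} in --apply) refresh_cloudflare_chain ;; esac
```

Because the whole chain is rebuilt inside one COMMIT, a failed download leaves the previous Cloudflare ranges in force rather than an empty chain, and there is no window during which the HTTP/HTTPS ports are reachable from arbitrary sources.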
If you no longer want this, clear the rules set up above:
iptables -F CLOUDFLARE
ip6tables -F CLOUDFLARE
iptables -D INPUT -j CLOUDFLARE
ip6tables -D INPUT -j CLOUDFLARE
iptables -X CLOUDFLARE
ip6tables -X CLOUDFLARE
# -m multiport is required here, otherwise -D cannot match the rule that was added
iptables -D INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -D INPUT -p tcp -m multiport --dports http,https -j DROP
> /etc/iptables/rules.v4
> /etc/iptables/rules.v6
Also set up persistence for the iptables rules, so they don't disappear after a reboot.
# Save the rules
mkdir -p /etc/iptables/
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
# Load the rules
iptables-restore < /etc/iptables/rules.v4
ip6tables-restore < /etc/iptables/rules.v6
Save, exit, and configure this to run at boot. Then reboot and check that the rules are still there.