
How to allow HTTP and HTTPS traffic coming ONLY from CloudFlare

Posted: Wed Apr 05, 2023 4:53 pm
by isscbta
This script modifies the firewall rules on a server using myVesta Control Panel to allow HTTP and HTTPS incoming traffic only from Cloudflare IPs.
This is useful when using Cloudflare to protect your website against DDoS attacks (so nobody can flood your site by avoiding CloudFlare, for example, by targeting your server's IP directly).

Here's a step-by-step explanation:

The script searches for a firewall rule (that allows http and https traffic from all IP addresses) in the /usr/local/vesta/data/firewall/rules.conf file and assigns the result to the $rules variable.
It evaluates the content of the $rules variable.
The script suspends the firewall rule by executing the v-suspend-firewall-rule command with the found rule number.
Next, the script adds new firewall rules for a list of Cloudflare IP ranges:

It sets the IP range and comment for each Cloudflare IP block (e.g., IP='173.245.48.0/20' COMMENT='CloudFlare_1').
The script calls the v-add-firewall-rule command to add a new firewall rule that allows incoming traffic from the specified IP range on ports 80 and 443 using the TCP protocol and adds the corresponding comment.

That way, incoming traffic would be allowed only from Cloudflare IPs for HTTP (port 80) and HTTPS (port 443) services.

Script code:


#!/bin/bash
# Find the catch-all web rule (ports 80,443 open to 0.0.0.0/0) in the myVesta firewall config
rules=$(grep "PORT='80,443' IP='0.0.0.0/0' COMMENT='WEB'" /usr/local/vesta/data/firewall/rules.conf)
if [ -z "$rules" ]; then
    echo "No catch-all WEB rule found in rules.conf, nothing to suspend" >&2
    exit 1
fi
# The matched line is a list of KEY='value' pairs; eval loads them, including RULE (the rule number)
eval "$rules"
# Suspend the catch-all rule so 80/443 are no longer reachable from every IP
/usr/local/vesta/bin/v-suspend-firewall-rule "$RULE"

# Allow ports 80 and 443 over TCP only from the Cloudflare IPv4 ranges,
# one rule per range, commented CloudFlare_1 .. CloudFlare_15
n=0
for IP in 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 \
          141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 \
          197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 \
          104.24.0.0/14 172.64.0.0/13 131.0.72.0/22; do
    n=$((n + 1))
    COMMENT="CloudFlare_$n"
    /usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
done
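Added example (not part of the post above and not myVesta's own tooling): a small audit script that reads the same rules.conf format the post's script greps and evals, and reports whether any active rule still accepts ports 80,443 from 0.0.0.0/0 and which CloudFlare_* source ranges are in place. The sample rules.conf contents are constructed; the field list per line (including a SUSPENDED='yes'/'no' marker for suspended rules) is an assumption about the file format.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a myVesta rules.conf after the
# Cloudflare-only change. Assumes each rule is one line of KEY='value' pairs
# (the thread's script greps and evals exactly that) and that a suspended rule
# carries SUSPENDED='yes' (assumption about the file format).

# Constructed sample standing in for /usr/local/vesta/data/firewall/rules.conf
SAMPLE_RULES="RULE='1' ACTION='ACCEPT' PROTOCOL='TCP' PORT='22' IP='0.0.0.0/0' COMMENT='SSH' SUSPENDED='no'
RULE='2' ACTION='ACCEPT' PROTOCOL='TCP' PORT='80,443' IP='0.0.0.0/0' COMMENT='WEB' SUSPENDED='yes'
RULE='3' ACTION='ACCEPT' PROTOCOL='TCP' PORT='80,443' IP='173.245.48.0/20' COMMENT='CloudFlare_1' SUSPENDED='no'
RULE='4' ACTION='ACCEPT' PROTOCOL='TCP' PORT='80,443' IP='103.21.244.0/22' COMMENT='CloudFlare_2' SUSPENDED='no'"

# Run CMD once per rule line with RULE/ACTION/PROTOCOL/PORT/IP/COMMENT/SUSPENDED
# loaded from that line (same eval technique as the thread's script; only feed
# it the root-owned rules.conf, never untrusted input).
each_rule() {  # usage: each_rule "<rules.conf contents>" CMD
    _rules=$1; _cmd=$2
    printf '%s\n' "$_rules" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        COMMENT=''; SUSPENDED=''
        eval "$line"
        "$_cmd"
    done
}

# Callback: print active rules that still accept 80,443 from any source
_print_if_open_web() {
    if [ "$ACTION" = 'ACCEPT' ] && [ "$PORT" = '80,443' ] \
       && [ "$IP" = '0.0.0.0/0' ] && [ "$SUSPENDED" != 'yes' ]; then
        printf 'rule %s: %s/%s from %s is still active\n' "$RULE" "$PORT" "$PROTOCOL" "$IP"
    fi
}

# Callback: print the source CIDR of every active CloudFlare_* rule
_print_if_cloudflare() {
    case $COMMENT in
        CloudFlare_*) if [ "$SUSPENDED" != 'yes' ]; then printf '%s\n' "$IP"; fi ;;
    esac
}

# Number of active catch-all web rules (the goal is 0)
open_web_count() {
    each_rule "$1" _print_if_open_web | wc -l | tr -d ' '
}

# Source ranges allowed on 80,443 through the CloudFlare_* rules, one per line
cloudflare_sources() {
    each_rule "$1" _print_if_cloudflare
}

# Exit status 0 only when 80,443 are reachable solely through CloudFlare_* rules
audit_rules() {
    open_n=$(open_web_count "$1")
    cf_n=$(cloudflare_sources "$1" | wc -l | tr -d ' ')
    echo "active catch-all web rules: $open_n, CloudFlare source ranges: $cf_n"
    [ "$open_n" -eq 0 ] && [ "$cf_n" -gt 0 ]
}

audit_rules "$SAMPLE_RULES"
# Against the live file: audit_rules "$(cat /usr/local/vesta/data/firewall/rules.conf)"
```

Because the thread's script greps on the rule text rather than on a rule number, a second run of it matches the already-suspended WEB line again; the audit above is the quick way to confirm, after any run, that no active catch-all rule remains and that the CloudFlare_* rules are the only path to ports 80 and 443.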

Re: How to allow HTTP and HTTPS traffic coming ONLY from CloudFlare

Posted: Sat Jun 24, 2023 7:08 pm
by Salazarski
Is it possible to do the same for UDP but whitelisting certain aspects like vestacp and ssh access?

Re: How to allow HTTP and HTTPS traffic coming ONLY from CloudFlare

Posted: Sat Jun 24, 2023 8:42 pm
by myVesta
Salazarski wrote: Sat Jun 24, 2023 7:08 pm Is it possible to do the same for UDP but whitelisting certain aspects like vestacp and ssh access?
Yes, the principle for UDP is the same as for TCP.