If you’re like me and use CloudFlare, you might want to make sure only CloudFlare can reach your webserver ports. Doing that makes it substantially harder to DDoS your system, even if your server’s real IP address is discovered. Sure, you could drop the requests in NGINX or Apache, but you get the best performance by blocking them at the iptables level (aside from blocking them before they ever hit your server).


Well, I found a script over at rietta.com that fetches the IP list from CloudFlare and applies it with iptables. I made a modified version that makes it easier to have BOTH IPv6 and IPv4 rules. Here’s the script:

#!/bin/bash
type=4          # set to 6 to fetch the IPv6 list and apply it with ip6tables
if [ "$(whoami)" != "root" ]; then echo "Please run as root"; exit 1; fi
if [ "$type" = "6" ]; then iptables=ip6tables; else iptables=iptables; fi
# one ACCEPT rule per CloudFlare range, inserted at the top of INPUT
for i in $(curl -s "https://www.cloudflare.com/ips-v$type"); do
    $iptables -I INPUT -p tcp -s "$i" --dport 80 -j ACCEPT
    $iptables -I INPUT -p tcp -s "$i" --dport 443 -j ACCEPT
done

Just copy and paste it into a file, and you should be able to run it with

bash yourfilenamehere.sh

Then, change the line


and run it again so the rules are applied with ip6tables. After that, you probably should also run:

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

to drop all packets not from CloudFlare. The script inserts its ACCEPT rules at the top of INPUT with -I, while these DROP rules are appended with -A, so the DROPs only see traffic that matched none of the CloudFlare ranges.
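The script above applies the rules one at a time and leaves the firewall half-configured if the curl fetch fails (an empty list means no ACCEPT rules, and the appended DROPs then block everyone). The following is an added example, not the script from this post or from rietta.com: it builds an iptables-restore rule set in a dedicated chain (the chain name CLOUDFLARE, the port list and the function names are my choices), validates each fetched entry before it is handed to the firewall, and aborts without touching any rules when the fetch or validation fails. Only the apply step needs root and the iptables binaries; the rule builder is plain text processing, which is what the sample input exercises. The address ranges in the sample are constructed documentation ranges, not real CloudFlare ranges.

```shell
#!/bin/bash
# Added example: generate and apply a CloudFlare-only allowlist as one
# atomic iptables-restore transaction instead of many single -I calls.

# Read one CIDR per line on stdin and print iptables-restore input that
# rebuilds the chain $1, allowing TCP to the ports in $2 (comma-separated)
# from each range and dropping everything else aimed at those ports.
# Fails (prints nothing useful, non-zero exit) on an empty or malformed list,
# e.g. an HTML error page returned instead of the address list.
build_allowlist_rules() {
    chain=$1; ports=$2; count=0
    echo "*filter"
    echo ":$chain - [0:0]"        # create the chain if it does not exist
    echo "-F $chain"              # then empty it so stale ranges disappear
    while IFS= read -r cidr; do
        [ -z "$cidr" ] && continue
        case $cidr in
            *[!0-9a-fA-F:./]*) echo "rejecting malformed entry: $cidr" >&2; return 1 ;;
        esac
        echo "-A $chain -s $cidr -p tcp -m multiport --dports $ports -j ACCEPT"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "address list is empty, refusing to apply" >&2; return 1; }
    echo "-A $chain -p tcp -m multiport --dports $ports -j DROP"
    echo "COMMIT"
}

# Fetch the list for one address family (4 or 6) and load it. Nothing is
# changed unless curl returns a 2xx body (-f) that passes validation.
apply_allowlist() {
    family=$1; ports=${2:-80,443}
    if [ "$family" = "6" ]; then ipt=ip6tables; else ipt=iptables; fi
    ranges=$(curl -fsS "https://www.cloudflare.com/ips-v$family") || {
        echo "fetch of the IPv$family list failed; rules left untouched" >&2; return 1; }
    rules=$(printf '%s\n' "$ranges" | build_allowlist_rules CLOUDFLARE "$ports") || return 1
    # --noflush replaces only our chain, leaving the rest of INPUT alone
    printf '%s\n' "$rules" | "${ipt}-restore" --noflush || return 1
    # hook the chain into INPUT once; -C checks whether the jump already exists
    "$ipt" -C INPUT -p tcp -m multiport --dports "$ports" -j CLOUDFLARE 2>/dev/null \
        || "$ipt" -I INPUT -p tcp -m multiport --dports "$ports" -j CLOUDFLARE
}

# Apply both families only when explicitly asked (requires root).
if [ "${1:-}" = "--apply" ]; then
    apply_allowlist 4 && apply_allowlist 6
fi
```

Run it as `bash cf-allowlist.sh --apply` from a cron job, since CloudFlare does update its published ranges from time to time; a failed run leaves the previous chain in place rather than an empty one. Note that the chain's final DROP also catches connections to ports 80 and 443 from loopback and from your own address, so add a RETURN or ACCEPT for those ahead of it if you test the site from the box itself.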

How effective is this?

Well, nothing can block DDoS attacks completely, but this should be close enough. When I DoS my VPS from another VPS, the CPU usually doesn’t jump up that much when packets are blocked by iptables, but when they are blocked via NGINX, the CPU load skyrockets. So, you should be good against small-ish attacks, but don’t expect to stay up during a 500 Gbps attack. One more thing to note is that when packets are blocked via iptables, bandwidth is still being used up, so if the attack is larger than what your internet connection can handle, your CPU usage will stay low, but your site will still be slow, if not completely offline.

Well, I hope this post helped someone, and leave a comment with your DDoS mitigation techniques :)