I want to allow only HTTP(S) requests to my server that come from Cloudflare. I think the best way to do that is to have some script that will run once every day, and its job will be to collect all IP addresses from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and add them to the whitelist (if not added already). The only problem is that I don't know how to write this script, so if anyone can give me some guidelines or a link to some tutorial, I would appreciate it. (You can also write it on your own if you have free time, I don't mind.)
My Server Configuration: OpenLiteSpeed, Cyberpanel, AlmaLinux
EDIT
In the meantime I managed (I think) to somehow make it work. I created a bash script cloudflare.sh with the following content:
#!/bin/sh
for i in $(curl https://www.cloudflare.com/ips-v4); do iptables -I INPUT -p tcp -m multiport --dports http,https -s "$i" -j ACCEPT; done
for i in $(curl https://www.cloudflare.com/ips-v6); do ip6tables -I INPUT -p tcp -m multiport --dports http,https -s "$i" -j ACCEPT; done
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
Then I set up a cron job to run it every day at 10 AM:
0 10 * * * /home/cloudflare.sh >/dev/null 2>&1
I have done this with the help of Google, so can you just tell me whether this script will create duplicate IP address rules or not each time it is executed?
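An added example (not the poster's script, and not anything from Cloudflare or OpenLiteSpeed): a version of the same daily job written so that re-running it never accumulates duplicate rules. Instead of inserting straight into INPUT, it rebuilds a dedicated chain (the chain name CLOUDFLARE-HTTP is an assumption) from scratch on every run, checks with `-C` whether the single jump from INPUT already exists before inserting it, and refuses to touch the firewall at all if the downloaded list contains no well-formed CIDR lines (for example when curl returned an error page instead of the list). It assumes iptables/ip6tables on the PATH and root privileges; setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the original poster's script. Rebuilds one firewall
# chain from Cloudflare's published ranges so repeated runs stay idempotent.
# Assumes iptables/ip6tables are on PATH and the script runs as root.
set -eu

CHAIN="CLOUDFLARE-HTTP"   # assumed chain name, not an iptables default

# Run a firewall command, or just print it when DRY_RUN=1.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$@"
    else
        "$@"
    fi
}

# Keep only well-formed IPv4 or IPv6 CIDR lines; drops blank lines or an
# HTML error page that curl might hand us instead of the real list.
filter_cidrs() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*/[0-9]{1,3}$'
}

# rebuild_chain <iptables|ip6tables> <file with one CIDR per line>
# Flushes the chain (creating it on first run), re-adds one ACCEPT per
# range plus a final DROP, and hooks the chain into INPUT exactly once.
rebuild_chain() {
    ipt="$1"; listfile="$2"
    count=$(filter_cidrs < "$listfile" | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "no valid ranges in $listfile, leaving $ipt rules untouched" >&2
        return 1
    fi
    fw "$ipt" -N "$CHAIN" 2>/dev/null || true   # create if missing
    fw "$ipt" -F "$CHAIN"                         # wipe the previous run's rules
    filter_cidrs < "$listfile" | while read -r cidr; do
        fw "$ipt" -A "$CHAIN" -s "$cidr" -j ACCEPT
    done
    fw "$ipt" -A "$CHAIN" -j DROP
    # -C only tests whether the jump rule exists; insert it if it does not.
    if [ "${DRY_RUN:-0}" = "1" ] || ! "$ipt" -C INPUT -p tcp -m multiport --dports http,https -j "$CHAIN" 2>/dev/null; then
        fw "$ipt" -I INPUT -p tcp -m multiport --dports http,https -j "$CHAIN"
    fi
    return 0
}

# Download both lists and rebuild both chains; curl -f makes an HTTP error
# abort the run instead of feeding an error page into the firewall.
main() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    curl -fsS https://www.cloudflare.com/ips-v4 -o "$tmp/v4"
    curl -fsS https://www.cloudflare.com/ips-v6 -o "$tmp/v6"
    rebuild_chain iptables "$tmp/v4"
    rebuild_chain ip6tables "$tmp/v6"
}

# Only apply when invoked as "cloudflare.sh apply", e.g. from cron:
#   0 10 * * * /home/cloudflare.sh apply
case "${1:-}" in
    apply) main ;;
esac
```

Because the chain is flushed before being refilled, a range that Cloudflare retires disappears on the next run as well, which the insert-only version never does; the DROP at the end of the chain plays the role of the trailing DROP rules in the original script.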
Actually, for your goal, here is a simpler solution.
The Cloudflare request will always contain certain CF headers,
e.g.
Then you can use one of these headers to create a rewrite rule that returns 403 for a request that doesn't have it,
e.g.
The first line will check if the header CF-IPCountry exists and matches any 2 capital letters, like US, UK, ES, FR, etc., as a country code; if it does not match, then it gives the Forbid flag as a 403 response.
The setback of this way is that the header might be faked;
otherwise you may need to go the "hard" way and manipulate the OpenLiteSpeed conf file or firewall conf file to add/remove IPs.
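The rule the answer describes, written out as an added illustration (the answer's own example did not survive on this page, so this is not the poster's text): OpenLiteSpeed accepts Apache mod_rewrite syntax in the virtual host rewrite section or a .htaccess file, and the condition below matches the description of checking CF-IPCountry for exactly two capital letters and answering 403 otherwise.

```apache
RewriteEngine On
# Constructed example: refuse any request whose CF-IPCountry header is
# absent or is not exactly two capital letters (a country code).
RewriteCond %{HTTP:CF-IPCountry} !^[A-Z]{2}$
RewriteRule .* - [F,L]
```

As the answer notes, a client that can reach the origin directly can simply send that header itself, so this rule filters casual traffic but does not replace restricting the listener to Cloudflare's address ranges at the firewall.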