{"id":451,"date":"2021-09-12T02:59:00","date_gmt":"2021-09-12T02:59:00","guid":{"rendered":"https:\/\/262235.xyz\/?p=451"},"modified":"2021-09-12T02:59:00","modified_gmt":"2021-09-12T02:59:00","slug":"451","status":"publish","type":"post","link":"https:\/\/lyvba.com\/index.php\/2021\/09\/12\/451\/","title":{"rendered":"\u5b9e\u8df5&#8211;iptables\u8bbe\u7f6e\u767d\u540d\u5355\u53ea\u5141\u8bb8Cloudflare\u8bbf\u95eeDocker\u5bb9\u5668"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/lyvba.com\/wp-content\/uploads\/2021\/09\/682309706.png\" alt=\"\" title=\"\"><\/p>\n<h2>\u5b9e\u8df5\u64cd\u4f5c\u524d\uff0c\u8bf7\u53c2\u8003\u4e0b\u9762\u6587\u7ae0<\/h2>\n<ul>\n<li><a href=\"https:\/\/www.lyvba.com\/index.php\/tag\/iptables\/\">https:\/\/www.lyvba.com\/index.php\/tag\/iptables\/<\/a><\/li>\n<li><a href=\"https:\/\/support.cloudflare.com\/hc\/zh-cn\/articles\/201897700\">https:\/\/support.cloudflare.com\/hc\/zh-cn\/articles\/201897700<\/a><\/li>\n<\/ul>\n<h2>\u65b9\u6cd51: \u6279\u91cf\u6dfb\u52a0 <code>cloudflare ips-v4<\/code> \u5230 <code>iptables<\/code> \u767d\u540d\u5355<\/h2>\n<pre><code># \u6e05\u7a7a\u6574\u4e2aDOCKER-USER\u7ec4\niptables -F DOCKER-USER\n\n# \u53ea\u5141\u8bb8cloudflare\u4ee3\u7406\u6e90\u7ad9\u5176\u4ed6\u90fdDROP\nfor i in $(curl https:\/\/www.cloudflare.com\/ips-v4);\n    do iptables -I DOCKER-USER -p tcp -m multiport --dports http,https -s $i -j ACCEPT;\ndone\n\niptables -A DOCKER-USER -p tcp -m multiport --dports http,https -j DROP\niptables -A DOCKER-USER -j RETURN\n\n# \u663e\u793a\u521a\u8bbe\u7f6e\u7684DOCKER-USER\u7ec4\u89c4\u5219\niptables  -nvL   DOCKER-USER<\/code><\/pre>\n<h2>\u65b9\u6cd52: \u4f7f\u7528 <code>ipset<\/code> \u96c6\u5408\u7ba1\u7406\u767d\u540d\u5355\uff0c\u66f4\u52a0\u7075\u6d3b<\/h2>\n<pre><code># \u6e05\u7a7a\u6574\u4e2aDOCKER-USER\u7ec4\niptables -F DOCKER-USER\n\n# \u5141\u8bb8\u767d\u540d\u5355IPSET\u96c6\u8bbf\u95eeDOCKER-USER\u7ec4\uff0c\u5176\u4ed6\u90fd DROP\niptables -I DOCKER-USER -m 
set --match-set whitelist src -p tcp -j ACCEPT\niptables -A DOCKER-USER -p tcp -m multiport --dports http,https -j DROP\niptables -A DOCKER-USER -j RETURN<\/code><\/pre>\n<ul>\n<li>\n<p>\u9700\u8981\u9884\u5148\u5efa\u7acb <code>whitelist<\/code> \u767d\u540d\u5355\u96c6\u5408<\/p>\n<pre><code>apt install ipset -y                 # \u5148\u5b89\u88c5ipset\u8f6f\u4ef6\n\nipset create whitelist hash:net maxelem 1000000    # \u767d\u540d\u5355\nipset add  whitelist 172.17.0.0\/24   # \u589e\u52a0\u4e00\u6761ip\u6bb5\u8bb0\u5f55\n\nfor i in $(curl https:\/\/www.cloudflare.com\/ips-v4);\n  do ipset add  whitelist $i ; done\n\nipset list whitelist                 # \u67e5\u770b\u767d\u540d\u5355\nipset destroy whitelist              # \u9500\u6bc1\u767d\u540d\u5355\n\n# \u5176\u4ed6\u547d\u4ee4:  \u6dfb\u52a0\u6d4b\u8bd5IP  \u767d\u540d\u5355\u5141\u8bb8\u591a\u7aef\u53e3  \u9ed1\u540d\u5355\u5168 DROP\niptables -I DOCKER-USER -s \u81ea\u5df1IP\u5730\u5740  -p tcp -m multiport --dport 80,443,8000,9000  -j ACCEPT\niptables -I DOCKER-USER -m set --match-set whitelist src -p tcp -m multiport --dport 80,443,8000,9000 -j ACCEPT\niptables -I DOCKER-USER -m set --match-set blacklist src -p tcp -j DROP<\/code><\/pre>\n<h2>\u6ce8\u610f: <code>ipset<\/code> \u767d\u540d\u5355\u662f\u4fdd\u5b58\u5728\u5185\u5b58\u4e2d\uff0c\u91cd\u542f\u7cfb\u7edf\u540e\u4e22\u5931\uff0c\u4f1a\u5bfc\u81f4 <code>iptables<\/code> \u6062\u590d <code>DOCKER-USER<\/code> \u76f8\u5173\u547d\u4ee4\u65e0\u6548<\/h2>\n<pre><code># \u91cd\u542f\u524d\u5148\u5907\u4efd whitelist \u767d\u540d\u5355\nipset save whitelist -f whitelist.txt\n\n# \u91cd\u542f\u670d\u52a1\u5668\u540e\uff0c\u6267\u884c\u6062\u590d whitelist \u767d\u540d\u5355\nipset restore -f whitelist.txt\n\n# \u91cd\u65b0\u5efa\u7acb DOCKER-USER \u7ec4\u89c4\u5219\niptables -F DOCKER-USER\niptables -I DOCKER-USER -m set --match-set whitelist src -p tcp -j ACCEPT\niptables -A DOCKER-USER -p tcp -m multiport --dports http,https -j DROP\niptables -A 
DOCKER-USER -j RETURN<\/code><\/pre>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>\u5b9e\u8df5\u64cd\u4f5c\u524d\uff0c\u8bf7\u53c2\u8003\u4e0b\u9762\u6587\u7ae0 https:\/\/www.lyvba.com\/index.php\/tag\/ [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[48,47],"class_list":["post-451","post","type-post","status-publish","format-standard","hentry","category-docker","tag-ipset","tag-iptables"],"_links":{"self":[{"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/posts\/451","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/comments?post=451"}],"version-history":[{"count":0,"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/posts\/451\/revisions"}],"wp:attachment":[{"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/media?parent=451"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/categories?post=451"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lyvba.com\/index.php\/wp-json\/wp\/v2\/tags?post=451"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}