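#!/bin/bash
# Script for adding CF subnets to ufw (port 443)
# If necessary add to cron
#
# Flow: fetch the current Cloudflare ranges, then drop every existing ufw rule
# tagged 'Cloudflare', re-add one allow rule per range, and reload ufw.
# Requires root (ufw and LOG_FILE). Writes LOG_FILE and echoes each log line.

# Constants are readonly so a later edit cannot silently repoint the
# firewall at a different list source.
readonly CF_IPV4_URL="https://www.cloudflare.com/ips-v4"
readonly CF_IPV6_URL="https://www.cloudflare.com/ips-v6"
readonly LOG_FILE="/var/log/ufw_cloudflare_update.log"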
#######################################
# Write one timestamped log line to stdout and append it to LOG_FILE.
# Globals:   LOG_FILE (read)
# Arguments: $1 - message text
# Outputs:   "<date>: <message>" on stdout and appended to LOG_FILE
# Returns:   exit status of tee
#######################################
log_message() {
  local stamp
  stamp=$(date)
  printf '%s: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}
# Everything below needs root: ufw itself and the log file under /var/log.
if (( EUID != 0 )); then
  log_message "This script must be run as root."
  exit 1
fi
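log_message "Fetching Cloudflare IP ranges..."
# -f        : an HTTP error (4xx/5xx) makes curl fail with empty output instead
#             of handing an error page to the rule loader below
# --proto   : refuse anything other than https (no downgrade via redirect)
# --max-time: bound the run so a hung request cannot wedge a cron job
# -sS       : quiet, but still report the error reason on stderr
curl_opts=(-fsS --proto '=https' --max-time 30)
CF_IPV4=$(curl "${curl_opts[@]}" "$CF_IPV4_URL") || CF_IPV4=
CF_IPV6=$(curl "${curl_opts[@]}" "$CF_IPV6_URL") || CF_IPV6=
# Both lists are fetched before any rule is touched, so a failed fetch leaves
# the existing firewall rules untouched.
if [[ -z "$CF_IPV4" || -z "$CF_IPV6" ]]; then
  log_message "Failed to retrieve Cloudflare IP ranges."
  exit 1
fi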
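#######################################
# Delete every ufw rule whose 'ufw status numbered' line mentions 'Cloudflare'.
# ufw prints the rule number right-aligned in a width-2 field ("[ 1]", "[12]"),
# so 'awk {print $1}' sees only "[" for single-digit rules and they were never
# deleted; a regex on the bracketed prefix handles both widths.
# Deletion runs highest number first because ufw renumbers after each delete.
# NOTE: the match is on the whole status line, so any rule whose comment merely
# contains 'Cloudflare' is removed as well.
# Globals:   none
# Arguments: none
# Outputs:   log lines via log_message
# Returns:   0
#######################################
remove_cloudflare_rules() {
  local -a numbers=()
  local line rule_number idx
  local num_re='^\[[[:space:]]*([0-9]+)\]'
  while IFS= read -r line; do
    [[ "$line" == *Cloudflare* ]] || continue
    if [[ "$line" =~ $num_re ]]; then
      numbers+=("${BASH_REMATCH[1]}")
    fi
  done < <(ufw status numbered)
  if (( ${#numbers[@]} == 0 )); then
    log_message "No existing Cloudflare rules found."
    return 0
  fi
  for (( idx = ${#numbers[@]} - 1; idx >= 0; idx-- )); do
    rule_number=${numbers[idx]}
    log_message "Deleting rule number $rule_number"
    # --force skips the interactive confirmation prompt (needed under cron)
    ufw --force delete "$rule_number" \
      || log_message "Failed to delete rule number $rule_number"
  done
  return 0
}
log_message "Removing old Cloudflare UFW rules..."
remove_cloudflare_rules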
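log_message "Adding new Cloudflare UFW rules..."
#######################################
# Add one 'ufw allow' rule (tcp/443) per entry of a newline-separated list.
# Every line is checked against a conservative address/prefix pattern before
# it reaches ufw, so an unexpected response body (an HTML error page, a
# redirect notice) can never turn into a firewall rule; blank lines and a
# trailing CR are tolerated.
# Arguments: $1 - newline-separated list of IP ranges (CIDR or bare address)
#            $2 - label used in log lines only (e.g. "IPv4"); the address
#                 family is not enforced from it
# Outputs:   log lines via log_message
# Returns:   0 if every entry was accepted, 1 if any entry was skipped or
#            rejected by ufw
#######################################
add_ufw_rules() {
  local ips="$1"
  local protocol="$2"
  local ip status=0
  local cidr_re='^[0-9A-Fa-f.:]+(/[0-9]{1,3})?$'
  while IFS= read -r ip; do
    ip=${ip%$'\r'}
    [[ -z "$ip" ]] && continue
    if [[ ! "$ip" =~ $cidr_re ]]; then
      log_message "Skipping unexpected entry in $protocol list: $ip"
      status=1
      continue
    fi
    log_message "Allowing $protocol traffic from $ip on port 443 (Cloudflare)"
    if ! ufw allow from "$ip" to any port 443 proto tcp comment 'Cloudflare'; then
      log_message "ufw rejected $protocol rule for $ip"
      status=1
    fi
  done <<< "$ips"
  return "$status"
}
add_ufw_rules "$CF_IPV4" "IPv4"
add_ufw_rules "$CF_IPV6" "IPv6"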
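log_message "Reloading UFW..."
# A failed reload must not be reported as success to cron: log it and exit
# non-zero so the failure is visible.
if ! ufw reload; then
  log_message "UFW reload failed."
  exit 1
fi
log_message "UFW Cloudflare rules update completed."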