how to block IP(s) with iptables under cloudflare
I can no longer block IP(s) from my iptables since I put my website under Cloudflare. I can block IP(s) via their threat page though, but I have a list of spammers I want to block and it's painful to put them in one by one on their threat page. Any idea how to make iptables block IP(s) again?
I can see the real IP in both the nginx access log and error log, but I can't block them via iptables.
Comments
echo "deny $ip/$netmask;" >> /etc/nginx/sites-enabled/blockuser
Does nginx always look in here for blocked users or do you have to set a config option for this to work?
I want to do it at iptables, not at nginx. For CentOS I guess you can deny at /etc/nginx/nginx.conf
echo "deny $ip/$netmask;" >> /etc/nginx/nginx.conf
This needs to be on an application level. You need something like mod_security installed with x_forwarding_for module installed to forward the real IP to mod_security and then block the IP via mod_security.
Blocking IPs directly from cloudflare isn't possible afaik, someone might have to correct me on this.
Read more over HERE.
I talked to Cloudflare support and they suggested I use the API instead of entering IPs on the threat page; in the end their API only allows importing one IP at a time... so not helping much.
You simply can't. It needs to be done on an application level, which means Nginx/Apache or whatever web server you're using.
If your list is large, perhaps you can contact Cloudflare and request that a tech add the list for you? Or if they don't allow that, you can hire a data entry person from oDesk for $2/hr to enter all the addresses manually (last resort), but I do suggest doing it via your web server.
So now I'm blocking with deny at nginx for repeated spamming. There are a few more lists I want to block, but they're way too long to add a semicolon at the end of each line by hand. Does anyone know any tool to insert a semicolon at the end of each line?
I'd use a macro in notepad++ to add the semicolons. You could also do something fancy with sed:
The /etc/nginx/sites-enabled/ directory is included within the http{} namespace. deny exists within the http{} namespace. It's usually defined in /etc/nginx/nginx.conf. If you're on CentOS, it'd be echo "deny $ip/$netmask;" >> /etc/nginx/conf.d/blocklist.conf (I think... I've not touched CentOS in about 3 months).
I don't have sites-enabled in CentOS. I created another directory and use "include" to link to that directory.
What's the format of your list?
111.111.111.111 222.222.222.222
Example config: http://cdn.content-network.net/nbl/sfs-30.txt
sed 's/^\(.*\)$/deny \1;/' input.txt >> /etc/nginx/sites-enabled/blocklist
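As an added example (not code posted in the thread), here is a small POSIX sh script that does the "add a semicolon to every line" job asked about above in a safer way than a bare sed one-liner: it turns a plain text list of IPv4 addresses or CIDR ranges into nginx deny directives, accepts both one-entry-per-line and the space-separated format shown earlier in the thread, skips blank lines and comments, and drops anything that is not a valid address so a stray token can never end up in the nginx config. The function names and the sample list are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the thread: build an nginx deny list from a
# plain text file of IPv4 addresses / CIDR ranges. Entries may be one per
# line or several per line separated by spaces; blank lines and "# comments"
# are skipped, and anything that is not a valid IPv4 address or CIDR is
# reported on stderr and left out, so a malformed token cannot break the
# nginx config or silently widen the block.
set -f   # no globbing while lines are split into tokens

# Return 0 if $1 is a dotted-quad IPv4 address, optionally with a /0-/32 prefix.
is_ipv4_or_cidr() {
    addr=${1%%/*}
    mask=${1#*/}
    [ "$mask" = "$1" ] && mask=32          # no "/" given: plain host address
    case "$mask" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                           # split the address on "."
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read the list on stdin, write "deny <entry>;" lines on stdout.
ip_list_to_deny() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                   # drop a trailing comment
        for token in $line; do             # whitespace-separated entries
            if is_ipv4_or_cidr "$token"; then
                printf 'deny %s;\n' "$token"
            else
                printf 'skipping malformed entry: %s\n' "$token" >&2
            fi
        done
    done
}

# Constructed sample list (not real spammer addresses) to show the output.
sample_list='# constructed sample list
111.111.111.111 222.222.222.222
10.0.0.0/8
300.1.1.1
not-an-ip
'

# Redirect stdout into the file nginx includes, e.g.
#   ./mkdeny.sh < spammers.txt > /etc/nginx/conf.d/blocklist.conf
printf '%s' "$sample_list" | ip_list_to_deny
```

The generated file must be included inside the http{} block, as noted earlier in the thread, and nginx has to be reloaded afterwards. Two caveats matter behind Cloudflare: iptables only ever sees Cloudflare's edge addresses as the TCP peer, which is why it cannot filter the real visitor, and nginx's deny compares against $remote_addr, so it only works if the real_ip module (set_real_ip_from for Cloudflare's published ranges plus real_ip_header CF-Connecting-IP) has rewritten $remote_addr to the client address. Trusting that header from any source other than Cloudflare's own ranges would let a client choose which address the deny list is checked against.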