how to block IP(s) with iptables under cloudflare

namhuy Member

I can no longer block IP(s) from my iptables since I put my website under Cloudflare. I can block IP(s) via their threat page, though, but I have a list of spammers I want to block and it's painful to put them in one by one on their threat page. Any idea how to make iptables block IP(s) again?

I can see the real IP in both the nginx access log and error log but can't block them via iptables.

Comments

  • Rallias Member

    echo "deny $ip/$netmask;" >> /etc/nginx/sites-enabled/blockuser

  • Corey Member

    @Rallias said:
    echo "deny $ip/$netmask;" >> /etc/nginx/sites-enabled/blockuser

    Does nginx always look in here for blocked users or do you have to set a config option for this to work?

  • namhuy Member

    I want to do it at iptables, not at nginx. For CentOS I guess you can deny in /etc/nginx/nginx.conf

    echo "deny $ip/$netmask;" >> /etc/nginx/nginx.conf

  • Boxode Member

    This needs to be done at the application level. You need something like mod_security installed with the x_forwarding_for module installed to forward the real IP to mod_security and then block the IP via mod_security.

    Blocking IPs directly from Cloudflare isn't possible AFAIK; someone might have to correct me on this.

    Read more over HERE.

  • namhuy Member

    I talked to Cloudflare support and they suggested I use the API instead of inputting to the threat page, but in the end their API only allows importing one IP at a time... so not much help.

  • Boxode Member

    namhuy said: I want to do it at iptables, not at nginx.

    You simply can't. It needs to be done at the application level, which means Nginx/Apache or whatever web server you're using.

    If your list is large perhaps you can contact Cloudflare and request that a tech add the list for you? Or if they don't allow that, you can hire a data entry person from oDesk for $2/hr to enter all the addresses manually (last resort), but I do suggest doing it via your web server.

  • namhuy Member

    So now I'm blocking with deny in nginx for repeated spamming. There are a few more lists I want to block but they are way too long to add a semicolon at the end of each line; does anyone know any tool to insert a semicolon at the end of each line?

  • Scion Member
    edited May 2014

    I'd use a macro in notepad++ to add the semicolons. You could also do something fancy with sed:

    sed 's/$/;/' input.txt > output.txt
    
  • Rallias Member
    edited May 2014

    Corey said: Does nginx always look in here for blocked users or do you have to set a config option for this to work?

    The /etc/nginx/sites-enabled/ directory is included within the http{} namespace. deny exists within the http{} namespace. It's usually defined in /etc/nginx/nginx.conf . If you're on CentOS, it'd be echo "deny $ip/$netmask;" >> /etc/nginx/conf.d/blocklist.conf (I think... I've not touched CentOS in about 3 months).

  • namhuy Member

    I don't have sites-enabled in CentOS. I created another directory and used "include" to link to that directory.

  • Rallias Member

    namhuy said: So now I'm blocking with deny in nginx for repeated spamming. There are a few more lists I want to block but they are way too long to add a semicolon at the end of each line; does anyone know any tool to insert a semicolon at the end of each line?

    What's the format of your list?

  • namhuy Member
    edited May 2014

    111.111.111.111 222.222.222.222

  • Rallias Member

    @namhuy said:
    111.111.111.111 222.222.222.222

    sed 's/^\(.*\)$/deny \1;/' input.txt >> /etc/nginx/sites-enabled/blocklist
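Added example in POSIX sh, not code from the thread, covering both the nginx deny approach and the sed one-liner above: it turns a list of IPv4 addresses or CIDR ranges, one or several per line as in namhuy's sample, into `deny` lines and skips anything that is not a valid address so a stray token cannot break the nginx config. It assumes nginx already restores the visitor's address from Cloudflare's CF-Connecting-IP header (ngx_http_realip_module), and the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Converts a plain list of IPv4
# addresses or CIDR ranges into nginx "deny" lines, the approach the thread
# settles on because iptables only ever sees Cloudflare's edge addresses.
# Input may be one entry per line or several per line separated by
# whitespace, like namhuy's sample list. Entries that are not valid IPv4
# addresses are reported on stderr and skipped, so a stray token cannot
# break the generated config (nginx -t would otherwise refuse to load it).
#
# Assumption: nginx already restores the visitor address from Cloudflare's
# CF-Connecting-IP header (ngx_http_realip_module, set_real_ip_from and
# real_ip_header); without that, "deny" would match Cloudflare's IPs instead.
#
# Usage (file names are placeholders):
#   make_denylist < spammers.txt > /etc/nginx/conf.d/blocklist.conf
#   nginx -t && nginx -s reload

# Accept a.b.c.d or a.b.c.d/n, each octet 0-255 and n 0-32. POSIX sh has no
# "local", so the helper variables below are global.
is_ipv4_or_cidr() {
    ip=${1%%/*}
    mask=${1#*/}
    [ "$mask" = "$1" ] && mask=32          # no "/n" given: host address
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    case "$ip" in .*|*.|*..*) return 1 ;; esac   # empty octets
    oldifs=$IFS; IFS=.
    set -- $ip                              # split into octets
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read entries from stdin, print "deny <entry>;" for each valid one.
make_denylist() {
    tr -s '[:space:]' '\n' | sed '/^$/d' | while IFS= read -r entry; do
        if is_ipv4_or_cidr "$entry"; then
            printf 'deny %s;\n' "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done
}
```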
