#!/bin/bash
# Restrict web ports to Cloudflare IPs only
# Prevents direct-to-origin attacks bypassing Cloudflare WAF

# Flush existing CF rules
iptables -D INPUT -p tcp --dport 80 -j CF_ONLY_HTTP 2>/dev/null
iptables -D INPUT -p tcp --dport 443 -j CF_ONLY_HTTPS 2>/dev/null
iptables -F CF_ONLY_HTTP 2>/dev/null
iptables -F CF_ONLY_HTTPS 2>/dev/null
iptables -X CF_ONLY_HTTP 2>/dev/null
iptables -X CF_ONLY_HTTPS 2>/dev/null

# Create chains
iptables -N CF_ONLY_HTTP
iptables -N CF_ONLY_HTTPS

# Allow Cloudflare IPv4 ranges
CF_IPS="173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22"

for cidr in $CF_IPS; do
    iptables -A CF_ONLY_HTTP  -s $cidr -j ACCEPT
    iptables -A CF_ONLY_HTTPS -s $cidr -j ACCEPT
done

# Allow server itself (loopback and own IP)
iptables -A CF_ONLY_HTTP  -s 127.0.0.1 -j ACCEPT
iptables -A CF_ONLY_HTTPS -s 127.0.0.1 -j ACCEPT
iptables -A CF_ONLY_HTTP  -s 76.13.114.192 -j ACCEPT
iptables -A CF_ONLY_HTTPS -s 76.13.114.192 -j ACCEPT

# Drop everything else on web ports
iptables -A CF_ONLY_HTTP  -j DROP
iptables -A CF_ONLY_HTTPS -j DROP

# Insert rules at top of INPUT chain (before fail2ban rules)
iptables -I INPUT 1 -p tcp --dport 80  -j CF_ONLY_HTTP
iptables -I INPUT 2 -p tcp --dport 443 -j CF_ONLY_HTTPS

echo "Cloudflare-only lockdown applied: $(date)"
