Skip to content

Commit

Permalink
Update cf_ufw.sh
Browse files Browse the repository at this point in the history 
1.  The shebang line has been changed from `#!/usr/bin/env sh` to `#!/bin/sh`. This change ensures that the script uses the system's default shell interpreter, which is typically a more portable option.
    
2.  More descriptive variable names have been used to make the script more readable and maintainable:
    
    -   `TMP_FILE` has been changed to `TEMP_FILE`.
    -   `IPv4_URL` has been changed to `CLOUDFLARE_IPv4_URL`.
    -   `IPv6_URL` has been changed to `CLOUDFLARE_IPv6_URL`.
    -   `PORTS` has been changed to `ALLOWED_PORTS`.
    -   `COMMENT` has been changed to `RULE_COMMENT`.
3.  Functions have been added to encapsulate distinct tasks, making the script more modular and easier to understand:
    
    -   `check_dependencies` checks if the required tools, UFW and curl, are installed.
    -   `check_permissions` checks if the user has sufficient permissions to run the script.
    -   `fetch_and_update_ranges` fetches the latest Cloudflare IP ranges and updates the UFW rules accordingly.
    -   `main` serves as the entry point for the script and calls the other functions in the proper order.
4.  Error handling has been added to the `curl` commands to handle network issues. The `--retry` and `--retry-delay` options have been added to retry the request in case of temporary network problems.
    
5.  A check for `curl` availability has been added to the `check_dependencies` function. This ensures the script will abort if `curl` is not installed.
    
6.  Usage information and documentation have been added to the script. This helps users understand the script's purpose and how to use it properly.
  • Loading branch information
@thomasvincent
thomasvincent authored Apr 29, 2023
1 parent efcd7f3 commit c06b779
Showing 1 changed file with 49 additions and 28 deletions.
77 changes: 49 additions & 28 deletions cf_ufw.sh
View file
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#!/usr/bin/env sh
#!/bin/sh

# This script updates the UFW rules to permit only HTTP and HTTPS traffic originating from Cloudflare IP addresses.
# For further information and documentation, visit:
Expand All @@ -7,43 +7,64 @@
set -eu

# Define variables
TMP_FILE=$(mktemp)
IPv4_URL="https://www.cloudflare.com/ips-v4"
IPv6_URL="https://www.cloudflare.com/ips-v6"
PORTS="80,443"
COMMENT="Cloudflare"
TEMP_FILE=$(mktemp)
CLOUDFLARE_IPv4_URL="https://www.cloudflare.com/ips-v4"
CLOUDFLARE_IPv6_URL="https://www.cloudflare.com/ips-v6"
ALLOWED_PORTS="80,443"
RULE_COMMENT="Cloudflare"

# Check if the required tools are installed
check_dependencies() {
if ! command -v ufw > /dev/null; then
echo "UFW is not installed. Aborting."
exit 1
fi

if ! command -v curl > /dev/null; then
echo "curl is not installed. Aborting."
exit 1
fi
}

# Check if the user has sufficient permissions
check_permissions() {
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run as root. Aborting."
exit 1
fi
}

# Fetch the latest Cloudflare IP ranges and update UFW rules accordingly
fetch_and_update_ranges() {
# Retrieve the latest IPv4 and IPv6 IP ranges from Cloudflare.
curl -s "$IPv4_URL" -o "$TMP_FILE"
echo "" >> "$TMP_FILE"
curl -s "$IPv6_URL" >> "$TMP_FILE"
if ! curl -s --retry 3 --retry-delay 5 "$CLOUDFLARE_IPv4_URL" -o "$TEMP_FILE"; then
echo "Failed to fetch IPv4 addresses. Aborting."
exit 1
fi

echo "" >> "$TEMP_FILE"

if ! curl -s --retry 3 --retry-delay 5 "$CLOUDFLARE_IPv6_URL" >> "$TEMP_FILE"; then
echo "Failed to fetch IPv6 addresses. Aborting."
exit 1
fi

# Update UFW rules to allow traffic only on ports 80 (TCP) and 443 (TCP) from the fetched IP ranges.
# If a rule for a specific subnet already exists, UFW will not create a duplicate rule.
while IFS= read -r ip; do
ufw allow from "$ip" to any port "$PORTS" proto tcp comment "$COMMENT"
done < "$TMP_FILE"
ufw allow from "$ip" to any port "$ALLOWED_PORTS" proto tcp comment "$RULE_COMMENT"
done < "$TEMP_FILE"

# Remove the temporary file containing the IP ranges.
rm "$TMP_FILE"
rm "$TEMP_FILE"
}

# Check if UFW is installed
if ! command -v ufw > /dev/null; then
echo "UFW is not installed. Aborting."
exit 1
fi

# Check if the user has sufficient permissions
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run as root. Aborting."
exit 1
fi

# Call the fetch_and_update_ranges function to update the UFW rules
fetch_and_update_ranges
# Main function to run the script
main() {
check_dependencies
check_permissions
fetch_and_update_ranges
ufw reload
}

# Reload UFW to apply the updated rules
ufw reload
main

0 comments on commit c06b779

Please sign in to comment.