ALOS IP Whitelist 🛡️

A robust IP whitelisting solution using the iptables mangle table to secure your servers and prevent origin IP address leakage. The script filters packets early, at the PREROUTING chain, for enhanced security and performance.

🔑 Key Features

  • Early packet filtering using mangle table and PREROUTING chain
  • Efficient handling of established connections
  • Whitelist specific IP addresses for HTTP/HTTPS access
  • Support for both IPv4 and IPv6
  • Blocks all other incoming HTTP/HTTPS traffic
  • Prevents IP address leakage
  • Optional packet logging for security monitoring
  • Simple and lightweight implementation

📋 Prerequisites

  • Root access to your server
  • iptables installed
  • conntrack module enabled
  • Understanding of firewall rules and netfilter

🚀 Installation

  1. Clone the repository:
git clone https://github.com/alosgg/alos-whitelist.git
cd alos-whitelist
  2. Make the script executable:
chmod +x whitelist.sh

🔧 Usage

Run the script with root privileges:

sudo ./whitelist.sh

πŸ“ How It Works

The script operates in three main steps:

  1. Connection Tracking: Allows established connections to maintain functionality

  2. Whitelist Rules: Adds ACCEPT rules for specified IP addresses at the PREROUTING chain

  3. Default Deny Rules: Blocks all other HTTP/HTTPS traffic early in the packet processing pipeline
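As an added example (not the project's whitelist.sh), the script below builds these three steps as iptables and ip6tables commands in the order the text describes; the sample addresses, the LOG_DROPS switch and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's own script. Reconstructs the three-step
# rule set: conntrack ACCEPT, per-address ACCEPT, then DROP for 80/443.
WHITELIST_V4="203.0.113.10 198.51.100.0/24"   # constructed sample addresses
WHITELIST_V6="2001:db8::/32"                  # constructed sample prefix
LOG_DROPS=no                                  # set to "yes" to log dropped packets

# Print the rule set for one address family.
#   $1 = iptables or ip6tables, $2 = space-separated whitelist
# Rule order matters: -A appends, so the conntrack and whitelist ACCEPTs
# are evaluated before the DROPs that catch everything else.
build_rules() {
    cmd=$1; list=$2
    # 1. Connection tracking: replies on already-accepted flows keep working
    echo "$cmd -t mangle -A PREROUTING -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    # 2. Whitelist: accept HTTP/HTTPS from each listed source
    for src in $list; do
        for port in 80 443; do
            echo "$cmd -t mangle -A PREROUTING -p tcp -s $src --dport $port -j ACCEPT"
        done
    done
    # 3. Default deny: optionally log, then drop any other HTTP/HTTPS packet.
    #    mangle PREROUTING runs before filter INPUT, so this is the early drop.
    for port in 80 443; do
        if [ "$LOG_DROPS" = yes ]; then
            echo "$cmd -t mangle -A PREROUTING -p tcp --dport $port -j LOG --log-prefix \"WHITELIST DROP: \""
        fi
        echo "$cmd -t mangle -A PREROUTING -p tcp --dport $port -j DROP"
    done
}

# Apply both families. sh -e stops at the first rule that fails to load.
apply_rules() {
    build_rules iptables  "$WHITELIST_V4" | sh -e
    build_rules ip6tables "$WHITELIST_V6" | sh -e
}

# Only touch the firewall when explicitly asked: sudo ./example.sh apply
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run it without the `apply` argument (or call `build_rules` directly) to review the generated rules before loading them.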

⚠️ Security Considerations

  • Keep the IP whitelist up to date
  • Regularly audit access logs
  • Maintain backups of your firewall rules
  • Test the rules thoroughly before implementing in production
  • Monitor the logs for dropped packets if logging is enabled

πŸ” Verification

To verify that the rules are properly set:

# Check IPv4 mangle rules for the HTTP/HTTPS ports
# (with -n the ports are shown numerically, so match "dpt:80"/"dpt:443" rather than service names)
sudo iptables -t mangle -L PREROUTING -n | grep -E "dpt:(80|443)"

# Check the IPv6 mangle rules the same way
sudo ip6tables -t mangle -L PREROUTING -n | grep -E "dpt:(80|443)"

# Check connection tracking rules
sudo iptables -t mangle -L PREROUTING -n | grep "RELATED,ESTABLISHED"

⚡ Performance Impact

The impact on server performance is minimized as:

  • Packets are filtered early in the netfilter chain
  • Established connections are handled efficiently
  • Unwanted traffic is dropped before reaching higher levels of processing

📄 License

This project is licensed under the MIT License and it was inspired by "pixlrs/only-cf".

πŸ” Security

If you discover any security-related issues, please email your security team instead of using the issue tracker.

💬 Support

For support, please open an issue in the GitHub repository.