1. 安装 ipset

apt install ipset

2. 新建防火墙组 cf4

ipset create cf4 hash:net

3. 在防火墙内填 Cloudflare的 IPv4 地址

for x in $(curl https://www.cloudflare.com/ips-v4); do ipset add cf4 $x; done

注意 ：curl获得的内容由cloudflare提供。只在你信任它的情况下使用此命令。

4.将规则导入防火墙

iptables -A INPUT -m set --match-set cf4 src -p tcp -m multiport --dports http,https -j ACCEPT

5.封禁其他ip，确保防火墙是白名单

iptables -A INPUT -p tcp -m tcp --dport 80 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 443 -j DROP

iptables-save

6. 经常更新列表，并且把它导入防火墙

ipset destroy cf4

ipset create cf4 hash:net

iptables -A INPUT -m set --match-set cf4 src -p tcp -m
multiport --dports http,https -j ACCEPT

iptables-save

Nginx获取访客真实ip

Edit your nginx.conf file and add the following to your http section:

set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;



real_ip_header CF-Connecting-IP;

参考 https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules （如何列出和删除Iptables防火墙规则）
https://danielmiessler.com/blog/whitelisting-cloudflare-iptables/
https://danielmiessler.com/blog/getting-real-ip-addresses-using-cloudflare-nginx-and-varnish/
https://gist.github.com/Manouchehri/cdd4e56db6596e7c3c5a （不太好用）