#
# Author: Antoine Aflalo
# Source: https://gist.github.com/Belphemur/986ced5abe0aea303707c6df62f2c9c4/
# Referenced from: https://www.aaflalo.me/2017/03/fail2ban-and-cloudflare/
#
# To get your Cloudflare API key: https://www.cloudflare.com/my-account
#
# Fail2Ban action: on ban/unban, run the cloudflare-firewall helper script
# which creates/deletes a Cloudflare access rule for the offending IP.
#
# The credentials in [Init] are handed to the helper as command-line
# arguments, so they are visible in process listings while each ban or
# unban runs. Keep this file readable by root only.
# NOTE(review): the helper sends the key as X-Auth-Key, which takes the
# account-wide API key rather than a firewall-scoped credential — confirm
# whether a narrower credential can be used here.
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban.
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command.
# Left empty: no connectivity or credential check is done before a ban,
# so a failed API call only shows up in the actionban result.
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# The note argument is quoted so that it reaches the script as a single
# argument; the script stores it on the Cloudflare rule.
# Tags: <ip> IP address
#       <failures> number of failures
#       <time> unix timestamp of the ban time
# Values: CMD
#
actionban = /usr/local/sbin/cloudflare-firewall <cfuser> <cftoken> <cfzone> add <ip> "<name> after <failures> failures at <time>"
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: <ip> IP address
#       <failures> number of failures
#       <time> unix timestamp of the ban time
# Values: CMD
#
actionunban = /usr/local/sbin/cloudflare-firewall <cfuser> <cftoken> <cfzone> remove <ip>
[Init]
# Default Cloudflare API token (placeholder — replace with the real value)
cftoken = API_KEY
# Default Cloudflare username (the account e-mail, sent as X-Auth-Email)
cfuser = USER_NAME
# Default Zone (the zone ID of the site whose firewall rules are managed)
cfzone = ZONE_ID
# Name of ban (used as the prefix of the note stored on the rule)
name = fail2ban
#!/bin/bash
# Antoine Aflalo (https://www.aaflalo.me)
# Create an IP ban on CloudFlare.
# Remove an IP ban on CloudFlare.
#
# usage: cloudflare-firewall <cfuser> <cftoken> <cfzoneid> add|remove <ip> [note]
# <cfuser> : Your CloudFlare username
# <cftoken> : CF API Token from your profile
# <cfzoneid> : The ID assigned by CloudFlare to your website
# <ip> : The address to ban (add) or unban (remove)
# <note> : An optional note for the firewall rule (add only)
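add() {
  # Create a Cloudflare access rule (mode "challenge") targeting one IP.
  #   $1    IP address to ban
  #   $2..  optional free-text note stored on the rule
  # Reads CF_USER, CF_TOKEN and CF_ZONEID set by the caller.
  # Returns 1 if the request body cannot be built, otherwise curl's status.
  local ip="${1}"; shift
  local note="$*"
  local payload
  # Build the JSON with jq (already required by remove) so that quotes or
  # backslashes in the IP or the note are escaped instead of being spliced
  # raw into the document.
  payload=$(jq -cn --arg ip "$ip" --arg note "$note" \
    '{mode:"challenge",configuration:{target:"ip",value:$ip},notes:$note}') || return 1
  # NOTE(review): the API key travels on curl's command line and is visible
  # in process listings for the duration of the request.
  # Without --fail, an HTTP error response from the API still yields exit 0;
  # the response body on stdout is the only indication of a rejected ban.
  curl -g -X POST "https://api.cloudflare.com/client/v4/zones/${CF_ZONEID}/firewall/access_rules/rules" \
    -H "X-Auth-Email: $CF_USER" \
    -H "X-Auth-Key: $CF_TOKEN" \
    -H "Content-Type: application/json" \
    --data @- <<< "$payload"
}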
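remove() {
  # Delete every Cloudflare access rule whose target is the given IP.
  #   $1  IP address to unban
  # Reads CF_USER, CF_TOKEN and CF_ZONEID set by the caller.
  # Returns 1 if the lookup fails or no matching rule exists (so fail2ban
  # logs the unban failure instead of seeing a silent success); otherwise
  # the status of the last DELETE request.
  local ip="${1}"
  local rule_ids
  # -G with --data-urlencode puts the IP in the query string percent-encoded,
  # so a malformed value cannot add or alter query parameters.
  # jq -r prints one bare id per line (no surrounding quotes to strip); the
  # `?` tolerates a missing/null .result on an error response rather than
  # aborting jq.
  rule_ids=$(curl -sS -G "https://api.cloudflare.com/client/v4/zones/${CF_ZONEID}/firewall/access_rules/rules" \
    --data-urlencode "configuration_target=ip" \
    --data-urlencode "configuration_value=${ip}" \
    -H "X-Auth-Email: $CF_USER" \
    -H "X-Auth-Key: $CF_TOKEN" \
    -H "Content-Type: application/json" | jq -r '.result[]?.id // empty') || return 1
  if [[ -z "$rule_ids" ]]; then
    printf 'cloudflare-firewall: no access rule found for %s\n' "$ip" >&2
    return 1
  fi
  # The original handled exactly one match; several rules for the same IP
  # produced a multi-line id and a broken URL. Delete each match instead.
  local rule_id
  while IFS= read -r rule_id; do
    [[ -n "$rule_id" ]] || continue
    curl -X DELETE "https://api.cloudflare.com/client/v4/zones/${CF_ZONEID}/firewall/access_rules/rules/${rule_id}" \
      -H "X-Auth-Email: $CF_USER" \
      -H "X-Auth-Key: $CF_TOKEN" \
      -H "Content-Type: application/json" \
      --data '{"cascade":"basic"}'
  done <<< "$rule_ids"
}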
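# Positional arguments, in the order the fail2ban action file passes them:
#   cloudflare-firewall <cfuser> <cftoken> <cfzoneid> add <ip> [note...]
#   cloudflare-firewall <cfuser> <cftoken> <cfzoneid> remove <ip>
# Too few arguments or an unknown handler is an error (exit 2) rather than a
# silent exit 0, so a misconfigured jail shows up in the fail2ban log instead
# of leaving the IP unbanned without a trace.
if (( $# < 5 )); then
  printf 'usage: %s <cfuser> <cftoken> <cfzoneid> add|remove <ip> [note...]\n' "${0##*/}" >&2
  exit 2
fi
CF_USER="$1"; shift
CF_TOKEN="$1"; shift
CF_ZONEID="$1"; shift
HANDLER="$1"; shift
# Only the two known handlers are ever run as a command name; the script's
# exit status is the handler's.
case "${HANDLER}" in
  add|remove) "$HANDLER" "$@" ;;
  *)
    printf 'cloudflare-firewall: unknown handler %q (expected add or remove)\n' "$HANDLER" >&2
    exit 2 ;;
esac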
# From https://www.cloudflare.com/ips 2017-01-30
#
# Trust the CF-Connecting-IP header only when the TCP peer is one of the
# Cloudflare edge ranges listed below; for any other peer the connection
# address stays the client address, so the header cannot be spoofed from
# outside these ranges. The list must therefore track the published one:
# a range Cloudflare added after the date above is not trusted here, and
# nginx (and any fail2ban jail reading its logs) would then see the edge
# address instead of the visitor, so a ban could hit an edge node rather
# than the abuser.
# NOTE(review): the Cloudflare access rule created by the ban only applies
# to traffic that passes through Cloudflare — if the origin is reachable
# directly, that path is not covered by this setup; confirm it is closed.
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;
# IPv6 edge ranges (same trust semantics as above)
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2c0f:f248::/32;
set_real_ip_from 2a06:98c0::/29;
# Header Cloudflare sets to the visitor's address; only honoured for peers
# matched by the set_real_ip_from entries above.
real_ip_header CF-Connecting-IP;