Skip to content

Instantly share code, notes, and snippets.

@Manouchehri

Manouchehri/cloudflare.sh

Last active January 29, 2025 12:31
Show Gist options
  • Save Manouchehri/cdd4e56db6596e7c3c5a to your computer and use it in GitHub Desktop.
Save Manouchehri/cdd4e56db6596e7c3c5a to your computer and use it in GitHub Desktop.
Download ZIP
Allow CloudFlare only
Raw
cloudflare.sh
# Source:
# https://www.cloudflare.com/ips
# https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-CloudFlare-s-IP-addresses-in-iptables-
for i in `curl https://www.cloudflare.com/ips-v4`; do iptables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done
for i in `curl https://www.cloudflare.com/ips-v6`; do ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done
# Avoid racking up billing/attacks
# WARNING: If you get attacked and CloudFlare drops you, your site(s) will be unreachable.
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
# WARNING: This does NOT block Cloudflare's clients from accessing your website over HTTP or HTTPS with a Cloudflare Worker.
@dragonsxslayer
Copy link

can i use this script safely , it's won't look me out of my server right ?

@isaackogan
Copy link

isaackogan commented Apr 15, 2023
edited
Loading 

#! /bin/bash

apt install ufw -y
ufw allow ssh
for i in `curl https://www.cloudflare.com/ips-v4`; do ufw allow from $i to any port http; done
for i in `curl https://www.cloudflare.com/ips-v4`; do ufw allow from $i to any port https; done
for i in `curl https://www.cloudflare.com/ips-v6`; do ufw allow from $i to any port http; done
for i in `curl https://www.cloudflare.com/ips-v6`; do ufw allow from $i to any port https; done

easy way to apply rules on startup

Just adding on that if you want to do this with more ports, you can modify slightly:

#! /bin/bash

for i in `curl https://www.cloudflare.com/ips-v4`; do ufw allow from $i to any port http,https,69420,8443 proto tcp; done
for i in `curl https://www.cloudflare.com/ips-v4`; do ufw allow from $i to any port http,https,69420,8443 proto udp; done

...etc

This becomes more efficient if you want to apply the rules to a ton of ports in different ranges, else you might have 6000000 rules

@dgrzjohn
Copy link

dgrzjohn commented May 6, 2023
edited
Loading

If you are trying to drop connections to docker containers, these rules must be added to the DOCKER-USER chain, or they will not get dropped correctly.
To access the original destination ports of the docker container, the -m conntrack --ctorigdstport is used. --ctdir ORIGINAL is to drop only connections going to the container, not coming back from the container.
Discussion here: https://serverfault.com/questions/704643/steps-for-limiting-outside-connections-to-docker-container-with-iptables

The DROP must be added first, not appended, because the docker automatically appends a RETURN to the end of the chain.

iptables -I DOCKER-USER -p tcp -m conntrack --ctorigdstport http --ctdir ORIGINAL -j DROP

for i in `curl https://www.cloudflare.com/ips-v4`; do iptables -I DOCKER-USER -p tcp -m conntrack --ctorigdstport http --ctdir ORIGINAL -s $i -j ACCEPT;done

Repeat for other ports/ipv6. There's probably a better way but its working for me.

@Lalmi-Issam
Copy link

My life saver thx man i was facing DDos Attack on with 20milion request per hour

@Kl4rkx
Copy link

Kl4rkx commented Jan 29, 2025

thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment