The other day I had a somewhat panicked client come to me, worried by threats of DDoS attacks by some rogue user.
In order to reduce the attack surface should said bad actor make good on their threats, I thought it might not be a terrible idea to drop all HTTP(S) traffic that doesn't come from CloudFlare. The client already uses them for caching and load balancing, and their website claims that they are there to help in exactly this situation. One caveat: an iptables DROP at the origin stops the web server doing any work for direct hits, but the packets still reach the host, so this only buys you something if the origin's address isn't already known (or trivially discoverable from old DNS records) by the attacker.
Conveniently enough, CloudFlare publishes a list of its IP address ranges online, along with text-only versions (https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, one CIDR per line) that are easy to feed into a script. Note that there are two lists: if you only allow the IPv4 ranges, traffic CloudFlare sends to an IPv6-enabled origin is still blocked.
Combining these lists with a little bash-fu, I came up with the following (less than perfect) script, which currently runs as a cron job every now and then.
Before getting excited and running this on your own machine, keep in mind it was developed and run on a Debian 8 (Jessie) box that already has the iptables and iptables-persistent packages installed.
Caveat emptor: should either of those text files become undownloadable, things will get weird or broken, and your sites may well end up inaccessible. A fetch that fails, or that returns an HTML error page instead of a list of ranges, must not be allowed to replace the rules that are already in place.
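The version of this script I would actually leave running from cron, added here as an example and not the post's own script: it downloads both lists, refuses to touch the firewall unless the download succeeded and every line parses as a CIDR of the right family, rebuilds a dedicated chain atomically with iptables-restore, and saves the result where iptables-persistent expects it. The chain name CLOUDFLARE, the port list and the cron verb `apply` are this example's own choices; the rules file paths under /etc/iptables/ are iptables-persistent's defaults on Jessie.

```shell
#!/bin/bash
# Added example (not the post's own script): allow HTTP/HTTPS only from
# Cloudflare's published ranges, leaving the firewall untouched if either
# list cannot be downloaded or does not look like a list of CIDRs.
# Assumes Debian with iptables + iptables-persistent, run as root from cron:
#   cloudflare-only.sh apply
set -u

CF_V4_URL="https://www.cloudflare.com/ips-v4"
CF_V6_URL="https://www.cloudflare.com/ips-v6"
CHAIN="CLOUDFLARE"      # chain name chosen for this example
PORTS="80,443"          # the only ports gated; SSH etc. are untouched

# cidr_list_ok FILE FAMILY(4|6): succeed only if FILE is non-empty and every
# non-blank line is syntactically a CIDR of that family. A 404 page or a
# proxy error saved by curl fails here instead of being fed to iptables.
cidr_list_ok() {
    local file=$1 family=$2 pat
    [ -s "$file" ] || return 1
    if [ "$family" = 4 ]; then
        pat='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
    else
        pat='^[0-9A-Fa-f:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'
    fi
    # any line that is neither blank nor a CIDR means the list is unusable
    ! grep -Ev "^$|$pat" "$file" | grep -q .
}

# fetch_list URL FILE: -f makes curl fail on HTTP errors instead of saving
# the error body; --max-time stops a hung connection from stalling cron.
fetch_list() {
    curl -fsS --max-time 30 -o "$2" "$1"
}

# gen_restore FILE: print an iptables-restore fragment that (re)defines
# $CHAIN with one ACCEPT per range and a final DROP. With --noflush an
# existing user-defined chain named on a ':' line is flushed and refilled
# in a single commit, so there is no window with half the rules missing.
gen_restore() {
    local file=$1 cidr
    echo '*filter'
    echo ":$CHAIN - [0:0]"
    # '|| [ -n ... ]' keeps a last line that has no trailing newline
    while IFS= read -r cidr || [ -n "$cidr" ]; do
        [ -n "$cidr" ] || continue
        echo "-A $CHAIN -s $cidr -j ACCEPT"
    done < "$file"
    echo "-A $CHAIN -j DROP"
    echo 'COMMIT'
}

# apply_family 4|6: full cycle for one address family. Existing rules are
# only replaced after download and validation both succeeded.
apply_family() {
    local family=$1 url ipt saved tmp
    if [ "$family" = 4 ]; then
        url=$CF_V4_URL ipt=iptables saved=/etc/iptables/rules.v4
    else
        url=$CF_V6_URL ipt=ip6tables saved=/etc/iptables/rules.v6
    fi
    tmp=$(mktemp) || return 1
    if ! fetch_list "$url" "$tmp" || ! cidr_list_ok "$tmp" "$family"; then
        echo "cloudflare-only: IPv$family list unusable, rules left as they were" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! gen_restore "$tmp" | "${ipt}-restore" --noflush; then
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
    # Hook the chain into INPUT once, for the web ports only (-C = check
    # whether the rule already exists, so reruns do not stack duplicates).
    "$ipt" -C INPUT -p tcp -m multiport --dports "$PORTS" -j "$CHAIN" 2>/dev/null \
        || "$ipt" -I INPUT -p tcp -m multiport --dports "$PORTS" -j "$CHAIN"
    # Persist so iptables-persistent reloads the rules at boot.
    "${ipt}-save" > "$saved"
}

case "${1:-}" in
    apply)
        rc=0
        apply_family 4 || rc=1
        apply_family 6 || rc=1
        exit $rc ;;
    "") : ;;   # sourced, or run without a verb: only define the functions
    *)  echo "usage: $0 apply" >&2; exit 2 ;;
esac
```

Because the only jump into the chain matches `--dports 80,443`, the chain's final unconditional DROP cannot lock you out of SSH; and because a failed or malformed download returns before `iptables-restore` runs, the previous known-good allow list stays active until the next cron run.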