Allowing only CloudFlare traffic to web server

The other day I had a somewhat panicked client come to me, worried by threats of DDoS attacks by some rogue user. In order to reduce the attack vector in case said bad actor made good on their threats, I thought it might not be a terrible idea to disallow all HTTP(S) traffic that doesn’t come from CloudFlare. The client already utilises them for caching and load balancing, and their website claims that they are there to help in such situations.

Conveniently enough, there is a list of CloudFlare’s IP address ranges available online, along with text-only versions.

Combining these lists with a little bit of bash foo, I came up with the following (less than perfect) script, which is currently set to run as a cron task every now and then.

# Only allow HTTP(s) access from CloudFlare

# Ensure cron task has a sensible PATH

# Add trusted IPv4 addresses here, one per line
# Could do something similar for IPv6 if any of us had one
# Create a new chain called ‘cfX_http’.
iptables -N cf4_http
ip6tables -N cf6_http

iptables -F cf4_http
ip6tables -F cf6_http

# Add *our* trusted IPv4 addresses
for x in $TRUSTED_IPV4; do
  iptables -A cf4_http --src $x -j ACCEPT

# Add the CloudFlare IPv4 Addresses
for x in $(curl; do
  iptables -A cf4_http --src $x -j ACCEPT

# Add the CloudFlare IPv6 Addresses
for x in $(curl; do
  ip6tables -A cf6_http --src $x -j ACCEPT

# Drop connections from any other IP address
iptables  -A cf4_http -j DROP
ip6tables -A cf6_http -j DROP

# Use chain ‘cfX_http’ for packets coming to cfX_http ports
iptables  -I INPUT -m tcp -p tcp --dport 80  -j cf4_http
ip6tables -I INPUT -m tcp -p tcp --dport 80  -j cf6_http
iptables  -I INPUT -m tcp -p tcp --dport 443 -j cf4_http
ip6tables -I INPUT -m tcp -p tcp --dport 443 -j cf6_http

# Persist rules (ie, saved on reboot)
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

Before getting excited and running this on your own machine, keep in mind it was developed and run on a Debian 8 (Jessie) machine that already has the iptables and iptables-persistent packages installed.

Caveat Empdor: Keep in mind that should either of those text files are un-downloadable things will get weird/broken, and your sites potentially not accessible.

Categories: Tech

‹ Previous Post Next Post ›