Allow CloudFlare only

cloudflare.sh

# Source:
# https://www.cloudflare.com/ips
# https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-CloudFlare-s-IP-addresses-in-iptables-

for i in `curl https://www.cloudflare.com/ips-v4`; do iptables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done
for i in `curl https://www.cloudflare.com/ips-v6`; do ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done

# Avoid racking up billing/attacks
# WARNING: If you get attacked and CloudFlare drops you, your site(s) will be unreachable. 
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP

I adopted the script to OpenWrt https://gist.github.com/stokito/4dcf7d5610e563f3693ce9ff0ce8719d

1. It uses wget which is always installed in OpenWrt instead of curl
2. It uses HTTP to get the list of IPs because to wget via https we need to install ca-certs to OpenWrt. This makes this script vulnerable to MiTM attacks but that's ok if you just need to be protected from hackers from internet.

Great job. works like a charm!

Congratulations on the solution, I already used the for to block IPs, now the curl. Thanks for sharing.

@stokito thanks also for the script, I will implement it in my padavan firmware !

In moments of attack I did not know that Cloudflare was releasing traffic to the server. I would like to appreciate reports.

In their latest post on attacks, they comment on maintaining site protection on free accounts, even large-scale ones: https://blog.cloudflare.com/mitigating-a-754-million-pps-ddos-attack-automatically/

Maybe use ipset?

How often should this script refresh?

Here https://www.cloudflare.com/ips/ is said that the list was updated only once in Oct 1, 2020.
But headers says different:

GET https://www.cloudflare.com/ips-v4
date: Fri, 05 Mar 2021 05:00:33 GMT
last-modified: Thu, 04 Mar 2021 22:45:21 GMT
cache-control: public, max-age=31536000
expires: Sat, 05 Mar 2022 05:00:33 GMT

So the file was updated yesterday and it will expire in a year (31536000 seconds).
I guess it's better to refresh it more often like once in three months and you can use wget -N option to minimize load

this one helped me massively, thanks a lot

FYI: recently the list of IPs was changed:
Please make the following changes to your allow list by May 7, 2021. This change is safe to make today.

Remove:
104.16.0.0/12

Add:
104.16.0.0/13
104.24.0.0/14

Hi, seems the DROP rules not work for me on Centos 6, after i add them, website is not loading anymore.