Allow CloudFlare only
#!/bin/sh
# Source:
# https://www.cloudflare.com/ips
# https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-CloudFlare-s-IP-addresses-in-iptables-
# Insert an ACCEPT rule at the top of INPUT for every Cloudflare IPv4 and IPv6 range.
# curl -fsS fails on HTTP errors and prints nothing on success, so an error page
# is never treated as a list of addresses.
for i in $(curl -fsS https://www.cloudflare.com/ips-v4); do iptables -I INPUT -p tcp -m multiport --dports http,https -s "$i" -j ACCEPT; done
for i in $(curl -fsS https://www.cloudflare.com/ips-v6); do ip6tables -I INPUT -p tcp -m multiport --dports http,https -s "$i" -j ACCEPT; done
# Avoid racking up billing/attacks: drop everything else that reaches 80/443 directly.
# WARNING: If you get attacked and CloudFlare drops you, your site(s) will be unreachable.
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
@stokito stokito commented May 5, 2019

I adapted the script for OpenWrt: https://gist.github.com/stokito/4dcf7d5610e563f3693ce9ff0ce8719d

  1. It uses wget, which is always installed in OpenWrt, instead of curl.
  2. It uses HTTP to get the list of IPs, because to wget via https we need to install ca-certs on OpenWrt. This makes the script vulnerable to MITM attacks, but that's OK if you just need to be protected from hackers on the internet.
@sinevid sinevid commented Jun 24, 2020

Great job. Works like a charm!

@thyagosiqueira thyagosiqueira commented Aug 27, 2020

Congratulations on the solution. I already used the for loop to block IPs, now the curl too. Thanks for sharing.

@thyagosiqueira thyagosiqueira commented Aug 27, 2020

@stokito thanks also for the script, I will implement it in my Padavan firmware!

@thyagosiqueira thyagosiqueira commented Aug 27, 2020

In moments of attack I did not know that Cloudflare was releasing traffic to the server. I would appreciate reports.

In their latest post on attacks, they comment on maintaining site protection on free accounts, even large-scale ones: https://blog.cloudflare.com/mitigating-a-754-million-pps-ddos-attack-automatically/

@AlexanderMatveev AlexanderMatveev commented Dec 26, 2020

Maybe use ipset?

@iraqiboy90 iraqiboy90 commented Mar 5, 2021

How often should this script refresh?

@stokito stokito commented Mar 5, 2021

Here https://www.cloudflare.com/ips/ it is said that the list was updated only once, on Oct 1, 2020.
But the headers say otherwise:

GET https://www.cloudflare.com/ips-v4
date: Fri, 05 Mar 2021 05:00:33 GMT
last-modified: Thu, 04 Mar 2021 22:45:21 GMT
cache-control: public, max-age=31536000
expires: Sat, 05 Mar 2022 05:00:33 GMT

So the file was updated yesterday and it will expire in a year (31536000 seconds).
I guess it's better to refresh it more often, like once every three months, and you can use the wget -N option to minimize load.
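The two threads above (AlexanderMatveev's "maybe use ipset?" and the question of how often to refresh) fit together: if the ranges live in an ipset, a periodic refresh only has to rebuild the set and swap it in, and the iptables rules never change. The script below is an added example written for this page, not the gist's own code and not anything published by Cloudflare. It downloads both lists, keeps only lines that actually look like CIDR prefixes (so an HTML error page or a failed download can never be pasted into an ipset command), builds a fresh set and swaps it atomically, and refuses to touch the live set when the download yields nothing valid, which is exactly the case where the gist's trailing DROP rule would otherwise lock everyone out. It assumes a Linux host with `ipset`, `iptables`/`ip6tables` and `curl`; the set names `cf4`/`cf6`, the function names and the sample addresses in the comments (documentation ranges such as 192.0.2.0/24, not Cloudflare's real ranges) are this example's own choices.

```shell
#!/bin/sh
# Added example (not the gist's code): maintain Cloudflare allowlist ipsets.
# Run as "./cf-ipset.sh refresh" from cron; with no argument it only defines
# the functions, so it can be sourced for testing without touching the firewall.
set -u

CF_V4_URL="https://www.cloudflare.com/ips-v4"
CF_V6_URL="https://www.cloudflare.com/ips-v6"

# Keep only lines that are a well-formed IPv4 CIDR: four octets 0-255, prefix 0-32.
# Any other text in the downloaded body (HTML, blank lines, stray words) is dropped.
filter_ipv4_cidrs() {
    octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    grep -E "^${octet}(\.${octet}){3}/(3[0-2]|[12]?[0-9])\$"
}

# Looser sanity filter for IPv6 CIDRs: hex groups and colons, prefix 0-128.
# It is a shape check, not a full IPv6 parser; ipset itself rejects anything bogus.
filter_ipv6_cidrs() {
    grep -E '^[0-9a-fA-F:]+/(12[0-8]|1[01][0-9]|[1-9]?[0-9])$'
}

# Download a list and validate it. Prints the valid entries; returns non-zero
# when the download fails or nothing valid came back, so the caller keeps the
# previous set instead of installing an empty one.
fetch_list() {
    url="$1"; filter="$2"
    body=$(curl -fsS --max-time 30 "$url") || return 1
    valid=$(printf '%s\n' "$body" | "$filter")
    [ -n "$valid" ] || return 1
    printf '%s\n' "$valid"
}

# Fill a scratch set with the entries, then swap it with the live set so the
# firewall never sees a half-populated set. hash:net matches whole prefixes.
load_set() {
    name="$1"; family="$2"; entries="$3"
    ipset -exist create "${name}_new" hash:net family "$family"
    ipset flush "${name}_new"
    printf '%s\n' "$entries" | while read -r net; do
        ipset add "${name}_new" "$net"
    done
    ipset -exist create "$name" hash:net family "$family"
    ipset swap "${name}_new" "$name"
    ipset destroy "${name}_new"
}

# Install the two rules once per family: accept 80/443 from the set, drop the
# rest. "-C" checks for an existing rule so repeated runs do not duplicate it.
ensure_rules() {
    tool="$1"; setname="$2"
    "$tool" -C INPUT -p tcp -m multiport --dports http,https -m set --match-set "$setname" src -j ACCEPT 2>/dev/null \
        || "$tool" -I INPUT -p tcp -m multiport --dports http,https -m set --match-set "$setname" src -j ACCEPT
    "$tool" -C INPUT -p tcp -m multiport --dports http,https -j DROP 2>/dev/null \
        || "$tool" -A INPUT -p tcp -m multiport --dports http,https -j DROP
}

refresh() {
    v4=$(fetch_list "$CF_V4_URL" filter_ipv4_cidrs) \
        || { echo "IPv4 list unavailable or empty; keeping current set" >&2; return 1; }
    v6=$(fetch_list "$CF_V6_URL" filter_ipv6_cidrs) \
        || { echo "IPv6 list unavailable or empty; keeping current set" >&2; return 1; }
    load_set cf4 inet "$v4"
    load_set cf6 inet6 "$v6"
    ensure_rules iptables cf4
    ensure_rules ip6tables cf6
}

case "${1:-}" in
    refresh) refresh ;;
esac
```

Because the ACCEPT and DROP rules reference the set by name, the cron job (weekly is more than enough given the `last-modified` cadence shown above) never edits iptables after the first run, and a transient outage of www.cloudflare.com leaves yesterday's ranges in place rather than an empty allowlist.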
