Skip to content

Instantly share code, notes, and snippets.

@Manouchehri

Manouchehri/cloudflare.sh

Last active Mar 5, 2021
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Allow CloudFlare only
Raw
cloudflare.sh
# Source:
# https://www.cloudflare.com/ips
# https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-CloudFlare-s-IP-addresses-in-iptables-
for i in `curl https://www.cloudflare.com/ips-v4`; do iptables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done
for i in `curl https://www.cloudflare.com/ips-v6`; do ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done
# Avoid racking up billing/attacks
# WARNING: If you get attacked and CloudFlare drops you, your site(s) will be unreachable.
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
@stokito

This comment has been minimized.

Sign in to view
Copy link

@stokito stokito commented May 5, 2019

I adopted the script to OpenWrt https://gist.github.com/stokito/4dcf7d5610e563f3693ce9ff0ce8719d

  1. It uses wget which is always installed in OpenWrt instead of curl
  2. It uses HTTP to get the list of IPs because to wget via https we need to install ca-certs to OpenWrt. This makes this script vulnerable to MiTM attacks but that's ok if you just need to be protected from hackers from internet.
@sinevid

This comment has been minimized.

Sign in to view
Copy link

@sinevid sinevid commented Jun 24, 2020

Great job. works like a charm!
@thyagosiqueira

This comment has been minimized.

Sign in to view
Copy link

@thyagosiqueira thyagosiqueira commented Aug 27, 2020

Congratulations on the solution, I already used the for to block IPs, now the curl. Thanks for sharing.
@thyagosiqueira

This comment has been minimized.

Sign in to view
Copy link

@thyagosiqueira thyagosiqueira commented Aug 27, 2020

@stokito thanks also for the script, I will implement it in my padavan firmware !
@thyagosiqueira

This comment has been minimized.

Sign in to view
Copy link

@thyagosiqueira thyagosiqueira commented Aug 27, 2020

In moments of attack I did not know that Cloudflare was releasing traffic to the server. I would like to appreciate reports.

In their latest post on attacks, they comment on maintaining site protection on free accounts, even large-scale ones: https://blog.cloudflare.com/mitigating-a-754-million-pps-ddos-attack-automatically/
@AlexanderMatveev

This comment has been minimized.

Sign in to view
Copy link

@AlexanderMatveev AlexanderMatveev commented Dec 26, 2020

Maybe use ipset?
@iraqiboy90

This comment has been minimized.

Sign in to view
Copy link

@iraqiboy90 iraqiboy90 commented Mar 5, 2021

How often should this script refresh?
@stokito

This comment has been minimized.

Sign in to view
Copy link

@stokito stokito commented Mar 5, 2021

Here https://www.cloudflare.com/ips/ is said that the list was updated only once in Oct 1, 2020.
But headers says different:

GET https://www.cloudflare.com/ips-v4
date: Fri, 05 Mar 2021 05:00:33 GMT
last-modified: Thu, 04 Mar 2021 22:45:21 GMT
cache-control: public, max-age=31536000
expires: Sat, 05 Mar 2022 05:00:33 GMT

So the file was updated yesterday and it will expire in a year (31536000 seconds).
I guess it's better to refresh it more often like once in three months and you can use wget -N option to minimize load
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment