@rraallvv
Last active November 19, 2022 22:44
Open public ports to Cloudflare for Firewalld
#!/usr/bin/env bash
# Instructions:
#
# 1) Place this script in the /root/ directory, give it proper permissions.
# $ sudo chmod +x /root/open-cloudflare.sh
#
# 2) Open the cron job editor
# $ sudo crontab -e
#
# 3) Add the following to the last line
#    (a per-user crontab has no user column; a "root" field belongs only in /etc/crontab)
# 12 0 * * * /root/open-cloudflare.sh
#
# Actual script:
set -euo pipefail

# Fetch the Cloudflare IPv4 list once, before touching any rule: if the download
# fails or comes back empty, exit here so the existing rules are not removed.
CF_IPV4=$(curl -fsS "https://www.cloudflare.com/ips-v4") || { echo "failed to fetch Cloudflare IPv4 list" >&2; exit 1; }
[ -n "$CF_IPV4" ] || { echo "empty Cloudflare IPv4 list, leaving rules unchanged" >&2; exit 1; }

# remove all public rules first
# (this drops every rich rule in the zone, including a hand-added one such as the SSH rule below;
#  the permanent list is used because the rules are removed from the permanent configuration)
IFS=$'\n'
for i in $(sudo firewall-cmd --permanent --list-rich-rules --zone=public); do
  echo "removing '$i'"
  sudo firewall-cmd --permanent --zone=public --remove-rich-rule "$i"
done
#echo "reloading..."
#sudo firewall-cmd --reload
#exit 1

# add new rules
# IPv4 HTTP
echo "adding IPv4 HTTP"
for i in $CF_IPV4; do
  echo "adding '$i'"
  sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="'"$i"'" port port=80 protocol=tcp accept'
done

# IPv4 HTTPS
echo "adding IPv4 HTTPS"
for i in $CF_IPV4; do
  echo "adding '$i'"
  sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="'"$i"'" port port=443 protocol=tcp accept'
done

# SSH
#firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="myip" port port=22 protocol=tcp accept'
#firewall-cmd --permanent --change-zone=eth0 --zone=public
echo "reloading..."
sudo firewall-cmd --reload
@rsoorajs

Can you make a bash script for removing Cloudflare ports too?


jonaylton commented Jul 15, 2021

Thanks for your tips. I made a different approach, here is what I did:

$ mkdir /srv/cloudflare
$ cd /srv/cloudflare
$ nano http_ports

80
8080
8880
2052
2082
2086
2095

(save and exit)

$ nano https_ports

443
2053
2083
2087
2096
8443

(save and exit)

$ nano open-cloudflare.sh

#!/usr/bin/env bash
set -e

# add new rules

# IPv4 HTTP
echo "adding IPv4 HTTP"
for i in $(curl -fsS "https://www.cloudflare.com/ips-v4"); do
    input="/srv/cloudflare/http_ports"
    while IFS= read -r line; do
        echo "adding '$i' for http connection on port '$line'"
        sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="'"$i"'" port port="'"$line"'" protocol=tcp accept'
    done < "$input"
done

# IPv4 HTTPS
echo "adding IPv4 HTTPS"
for i in $(curl -fsS "https://www.cloudflare.com/ips-v4"); do
    input="/srv/cloudflare/https_ports"
    while IFS= read -r line; do
        echo "adding '$i' for https connection on port '$line'"
        sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="'"$i"'" port port="'"$line"'" protocol=tcp accept'
    done < "$input"
done

# IPv6 HTTP
echo "adding IPv6 HTTP"
for i in $(curl -fsS "https://www.cloudflare.com/ips-v6"); do
    input="/srv/cloudflare/http_ports"
    while IFS= read -r line; do
        echo "adding '$i' for http connection on port '$line'"
        sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv6" source address="'"$i"'" port port="'"$line"'" protocol=tcp accept'
    done < "$input"
done

# IPv6 HTTPS
echo "adding IPv6 HTTPS"
for i in $(curl -fsS "https://www.cloudflare.com/ips-v6"); do
    input="/srv/cloudflare/https_ports"
    while IFS= read -r line; do
        echo "adding '$i' for https connection on port '$line'"
        sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv6" source address="'"$i"'" port port="'"$line"'" protocol=tcp accept'
    done < "$input"
done

echo "reloading..."
sudo firewall-cmd --reload

Instructions:

  1. Place this script in the /srv/cloudflare directory, give it proper permissions.
    $ sudo chmod +x /srv/cloudflare/open-cloudflare.sh

  2. Open the cron job editor
    $ sudo crontab -e

  3. Add the following to the last line
    12 0 * * * root /srv/cloudflare/open-cloudflare.sh

  4. $ systemctl restart crond.service


jonaylton commented Jul 15, 2021

I avoided deleting all ports using the script as it could potentially lock me out.
So after running the script I manually removed the unused entries from the firewall and only left the SSH port publicly open.

PS: Also check whether you have any publicly accessible ports using the following command:

sudo firewall-cmd --zone=public --list-ports

If yes, remove one by one:

firewall-cmd --permanent --zone=public --remove-port=PORT/tcp
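Both the gist (which flushes every rich rule in the zone before re-adding) and the lock-out concern above point at the same fix: keep the Cloudflare ranges in firewalld ipsets and reconcile only their entries. The script below is an added example, not code from the gist or its commenters; it assumes firewalld with ipset support (--new-ipset, --add-entry, --remove-entry, --get-entries) and uses the Cloudflare list URLs from the gist.

```shell
#!/usr/bin/env bash
# Added example, not code from the gist or its commenters: the Cloudflare ranges
# live in two firewalld ipsets whose entries are reconciled, so nothing else in the
# zone (e.g. a hand-added SSH rich rule) is ever removed, and a failed or empty
# download leaves the firewall untouched. Assumes firewalld ipset support.
set -eu
ZONE=public
PORTS="80 443"          # origin ports Cloudflare should reach

# Keep only CIDR-shaped lines, so an HTML error page cannot become "entries".
cf_valid_cidrs() {   # stdin: raw list, stdout: validated, de-duplicated lines
  { grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9a-fA-F:]+/[0-9]{1,3}$' || true; } | sort -u
}

# Print "add CIDR" / "del CIDR" lines that turn the current entries into the wanted ones.
cf_plan() {   # $1 = current entries, $2 = wanted entries (both newline separated)
  { printf '%s\n' "$1" | awk 'NF { print "C", $1 }'
    printf '%s\n' "$2" | awk 'NF { print "W", $1 }'; } |
  awk '$1 == "C" { cur[$2] = 1 } $1 == "W" { want[$2] = 1 }
       END { for (c in want) if (!(c in cur)) print "add", c
             for (c in cur) if (!(c in want)) print "del", c }' | sort
}

# Create the ipset and its rich rules once, then apply the plan for one address family.
cf_sync() {   # $1 = ipv4 | ipv6
  local fam=$1 ipset="cloudflare-$1" inet=inet url=https://www.cloudflare.com/ips-v4
  [ "$fam" = ipv6 ] && { inet=inet6; url=https://www.cloudflare.com/ips-v6; }
  local wanted current
  wanted=$(curl -fsS "$url" | cf_valid_cidrs)
  [ -n "$wanted" ] || { echo "no valid $fam ranges fetched; firewall left unchanged" >&2; return 1; }
  if ! firewall-cmd --permanent --get-ipsets | grep -qw "$ipset"; then
    firewall-cmd --permanent --new-ipset="$ipset" --type=hash:net --option=family="$inet"
    for p in $PORTS; do
      firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="rule family=\"$fam\" source ipset=\"$ipset\" port port=\"$p\" protocol=\"tcp\" accept"
    done
  fi
  current=$(firewall-cmd --permanent --ipset="$ipset" --get-entries)
  cf_plan "$current" "$wanted" | while read -r op cidr; do
    echo "$op $cidr"
    case $op in
      add) firewall-cmd --permanent --ipset="$ipset" --add-entry="$cidr" ;;
      del) firewall-cmd --permanent --ipset="$ipset" --remove-entry="$cidr" ;;
    esac
  done
}

# Run from cron as: 12 0 * * * /root/sync-cloudflare.sh sync
if [ "${1:-}" = sync ]; then cf_sync ipv4; cf_sync ipv6; firewall-cmd --reload; fi
```

To withdraw Cloudflare access later, remove the two rich rules that reference the ipset and run `firewall-cmd --permanent --delete-ipset=cloudflare-ipv4` (and the ipv6 one), which leaves every other zone rule in place.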
