
I am new to Linux system administration and I am experimenting with iptables, trying to learn how to really lock down a system with them. One thing a friend of mine recommended was that there was a way to pass all incoming traffic through Cloudflare, so even if attackers resolved the server IP they still couldn't (D)DoS it directly.

This is exactly what they said: "Simply configure your server's iptables to only allow incoming connections from CloudFlare's IP ranges, then set it to allow only your IP/IP range to connect on port 21 (SSH)"

Could someone help me on what command I'd need to run for Ubuntu to get this effect?

Gnarfoz
Nick

3 Answers


--| UPDATE Feb 7, 2017 |-- This remains an advanced setup option -- as you could easily lock yourself out of your server if not done correctly. That being said, if you're comfortable doing so feel free to lock down your origin to only accept Cloudflare IPs to port 80 and port 443. Just make sure you don't accidentally block SSH.

--| OLD COMMENT from 2013 |-- We ACTIVELY discourage this kind of setup for any customer that isn't using the business level of service (at the very least). Only our business and enterprise level plans include the advanced DDoS protection option. The free and pro level plans include basic DDoS protection, which means if an attack negatively impacts other CloudFlare customers we'll need to route that site off CloudFlare -- and then if you are only allowing traffic from CloudFlare IPs you'd be blocking all legit traffic to your site.

p.s. I work for CloudFlare.

xxdesmus
  • Is this still actively discouraged? https://support.cloudflare.com/hc/en-us/articles/200172906-What-should-I-do-if-I-m-expecting-a-surge-or-spike-in-traffic- doesn't indicate anything about this. – mrP Sep 23 '15 at 22:14
  • @mrP We don't recommend it by default. More technical users can do it though, as long as they understand what they are doing (so they don't lock themselves out of their own server). – xxdesmus Sep 23 '15 at 23:09
  • Perhaps this answer should be updated to reflect the current policy? It's one of the top Google results when searching for this. – xorinzor Nov 28 '16 at 16:18
  • @xorinzor The point still remains. We don't encourage it for the average user. More advanced users can certainly do it if they'd like to, however. – xxdesmus Nov 29 '16 at 23:51
# Keep loopback and replies to the server's own outbound connections working before switching the policy to DROP
iptables --append INPUT --in-interface lo --jump ACCEPT
iptables --append INPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
iptables --append INPUT --source 192.0.2.1 --protocol tcp --destination-port 22 --jump ACCEPT
iptables --append INPUT --source 203.0.113.0/24 --jump ACCEPT
iptables --policy INPUT DROP

192.0.2.1 is your IP, for SSH access. 203.0.113.0/24 is CloudFlare's IP range (if there are multiple, you'll probably have to add several rules).

Maybe you can use --in-interface to further specify which rule matches what.

Keep in mind this is a very simple example, just intended to point you in the general direction. Consult man iptables for more. Also, beware of locking yourself out.

Hyppy
Gnarfoz

As an addendum to Gnarfoz's reply, this is the list of IP ranges used by Cloudflare: https://www.cloudflare.com/ips

Xavier
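Putting Gnarfoz's rules and Xavier's IP list together, here is an added example (not from any answer above) that turns a list of Cloudflare ranges into one iptables-restore ruleset: the ranges may only reach tcp/80 and tcp/443, as the 2017 update recommends, the admin address may reach tcp/22, and everything else is dropped. The CF_RANGES contents and ADMIN_IP are constructed placeholders; the real list comes from https://www.cloudflare.com/ips.

```shell
#!/bin/sh
# Constructed sample of Cloudflare IPv4 ranges so the script runs offline.
# Assumption: in real use you paste the current list from
# https://www.cloudflare.com/ips here, one CIDR per line.
CF_RANGES="203.0.113.0/24
198.51.100.0/24"

# Assumption: your own static address, the only one allowed to reach SSH.
ADMIN_IP="192.0.2.1"

# Emit an iptables-restore ruleset that
#  - keeps loopback and replies to the server's own connections working,
#  - lets only ADMIN_IP reach tcp/22,
#  - lets only the listed ranges reach tcp/80 and tcp/443,
#  - drops all other inbound traffic (default policy on INPUT).
build_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -s $ADMIN_IP -p tcp --dport 22 -j ACCEPT"
    # One rule per range, so a longer list needs no edits beyond CF_RANGES.
    printf '%s\n' "$CF_RANGES" | while read -r cidr; do
        [ -n "$cidr" ] || continue
        echo "-A INPUT -s $cidr -p tcp -m multiport --dports 80,443 -j ACCEPT"
    done
    echo 'COMMIT'
}

# Number of source-restricted ACCEPT rules: admin SSH plus one per range.
count_allowed_sources() {
    build_ruleset | grep -c -- '-A INPUT -s '
}

# Review the output first, then apply it atomically:
#   build_ruleset | sudo iptables-restore
# Do this from a console session you can recover, because a wrong ADMIN_IP
# locks you out of SSH as soon as the DROP policy takes effect.
```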