How to only allow traffic from CloudFlare on your VPS
Welcome to SomethingHost!
In this guide you will learn how to set up a script that adds CloudFlare's IP ranges to a firewall, so that visitors who are not coming through CloudFlare cannot reach your server.
Running our server behind CloudFlare is only as useful as preventing people from reaching the server directly once they learn its IP. If you are new to CloudFlare, go check out our guide on installing CloudFlare on your VPS and secure your applications today!
Warning! This guide will block all access to ports 80 and 443 on your server from any source BUT CloudFlare. Make sure to add additional rules if you are planning to connect to the server directly.
Downloading and Installing UFW
UFW, also known as Uncomplicated Firewall, is an easy-to-use front end for configuring iptables.
UFW is installed by default on Ubuntu, but it is disabled. We will make sure it is installed and up to date by running the following two commands:
sudo apt update
sudo apt install ufw
That's it! UFW should now be updated and ready to use.
Setting up the script
The script we've made is going to run the following tasks:
1) Fetch the current CloudFlare IP ranges from CloudFlare's IP list page (https://cloudflare.com/ips)
2) Import the IPs and create rules in UFW
Run the command sudo nano /root/add_cloudflare_ips_to_ufw.sh. This opens the Nano text editor and creates a new file named add_cloudflare_ips_to_ufw.sh in root's home directory (/root).
If you need the script saved in a different location, make sure to update the path in front of the file name here and in the execution command below too.
Then copy the script below to your clipboard:
#!/bin/sh
# Stop at the first error, so a failed download does not silently leave us with no rules
set -e
cd /tmp
# Download the IPv4 and IPv6 range lists into temporary files (named after this process ID)
wget https://www.cloudflare.com/ips-v4 -O ips-v4-$$.tmp
wget https://www.cloudflare.com/ips-v6 -O ips-v6-$$.tmp
# Loop through the IPv4 and IPv6 ranges and allow each one to reach ports 80 and 443
for CFip in $(cat ips-v4-$$.tmp); do ufw allow from "$CFip" to any proto tcp port 80,443 comment "CloudFlare IP"; done
for CFip in $(cat ips-v6-$$.tmp); do ufw allow from "$CFip" to any proto tcp port 80,443 comment "CloudFlare IP"; done
# Remove the temporary files
rm ips-v4-$$.tmp
rm ips-v6-$$.tmp
Paste the script into the open Nano editor by pressing CTRL+V.
Now save and exit Nano by pressing CTRL+X. When asked whether to save the file, press Y and then ENTER to complete the process.
We also need to make the script executable. To do that, run the command
sudo chmod 744 /root/add_cloudflare_ips_to_ufw.sh
Running the script and setting up UFW
Now that we have our script saved, we will run it and set up UFW to activate and protect our server.
sudo /root/add_cloudflare_ips_to_ufw.sh
Your console will now print information about downloading the temporary IP list files, followed by the same message of "Rules added" several times as each UFW rule is confirmed.
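The script above trusts whatever the download returns. As an added example (not SomethingHost's script), here is a stricter variant: every line is checked to be a real IPv4 or IPv6 CIDR range before it is handed to ufw, and the whole list is rejected if anything else (an HTML error page, an impossible prefix) shows up, so a bad download can never turn into a bad rule. It uses curl -f instead of wget; the SAMPLE list is constructed for the dry run, and --apply is the real mode.

```shell
#!/bin/sh
# Added example, not SomethingHost's script: validate the fetched CloudFlare ranges
# before they reach ufw and fail closed if the list looks wrong.
set -eu
# is_cidr RANGE: true only for IPv4 (a.b.c.d/0-32) or IPv6 (.../0-128) CIDR notation.
is_cidr() {
    case "$1" in *[!0-9a-fA-F:./]*|'') return 1 ;; esac   # only address characters
    ip=${1%/*} pfx=${1#*/}
    [ "$pfx" -ge 0 ] 2>/dev/null || return 1                 # prefix must be a number
    case "$ip" in
        *:*:*) [ "$pfx" -le 128 ] || return 1 ;;             # IPv6: loose shape check
        *.*.*.*)
            [ "$pfx" -le 32 ] || return 1
            set -- $(IFS=.; echo $ip)                         # split into octets
            [ $# -eq 4 ] || return 1
            for o; do [ "$o" -le 255 ] 2>/dev/null || return 1; done ;;
        *) return 1 ;;
    esac
}
# gen_rules: read ranges on stdin, print one "ufw allow" line per valid range.
# One invalid line (e.g. an HTML error page) rejects the whole list: fail closed.
gen_rules() {
    bad=0 good=
    while IFS= read -r range; do
        [ -n "$range" ] || continue
        if is_cidr "$range"; then good="$good $range"
        else printf 'rejected: %s\n' "$range" >&2; bad=$((bad + 1)); fi
    done
    [ "$bad" -eq 0 ] && [ -n "$good" ] || return 1
    for r in $good; do
        printf 'ufw allow from %s to any proto tcp port 80,443 comment "CloudFlare IP"\n' "$r"
    done
}
# Constructed sample standing in for ips-v4/ips-v6; the last two lines imitate
# an HTML error page and an impossible prefix.
SAMPLE='173.245.48.0/20
2400:cb00::/32
<html>
10.0.0.0/33'
if [ "${1:-}" = "--apply" ]; then
    # Real run: set -e aborts on a failed download (-f makes HTTP errors fail) or
    # on a rejected list, so ufw never sees a bad line.
    v4=$(curl -fsS https://www.cloudflare.com/ips-v4)
    v6=$(curl -fsS https://www.cloudflare.com/ips-v6)
    rules=$(printf '%s\n%s\n' "$v4" "$v6" | gen_rules)
    printf '%s\n' "$rules" | sh
else
    # Dry run on the sample: the two bad lines make the whole list fail closed.
    printf '%s\n' "$SAMPLE" | gen_rules || echo "sample rejected, no rules generated"
fi
```

Run it without arguments to see the sample rejected, and as root with --apply to fetch the real lists and add the rules.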
We will now run the following commands, which add our SSH port to the allowed rules (so we keep access to our terminal), then enable UFW and finalize the process.
sudo ufw allow "OpenSSH"
sudo ufw enable
You will be asked whether you'd like to continue, as the command may disrupt existing connections. Go ahead and type y and hit ENTER.
Remember that you will now not be able to reach ports 80 and 443 directly. If you need to, run sudo ufw allow from 192.168.1.0/24 to any proto tcp port 80,443 (replace 192.168.1.0/24 with whatever local/personal IP you are going to connect from, and don't forget to remove the rule again if it's a public IP).
Please also remember that this is a firewall: you will not be able to reach any port on your server unless it is whitelisted in UFW. To allow a port, run ufw allow <Port>. To remove a rule, run ufw delete <rule number or rule argument>.
And that's it!
Ports 80 and 443 are now protected. Users and the world will only be able to reach them if they are connecting through CloudFlare! You can test this by visiting the IP of your VPS in your browser: the connection will simply hang and end in an ERR_CONNECTION_TIMED_OUT error. However, if you visit the VPS through CloudFlare (by using a domain with an A record pointing at your VPS), you will connect just fine.
If you have no application running to test the result, you can quickly install NGINX (sudo apt install nginx), which comes pre-configured with a web server listening on port 80, ready to go.
Thank you for checking out this guide!
Updated on: 28/12/2022