Using IPTABLES to Require CloudFlare for All HTTP/HTTPS Traffic

For some of our clients, Rietta uses CloudFlare.com for its web application firewall and content distribution network (CDN) services. CloudFlare is enabled for a domain by pointing the domain’s DNS at CloudFlare, which then serves as a reverse proxy between the public web and the web server running the protected application.

Once this is set up, all ordinary web traffic is expected to originate from the CloudFlare network, since CloudFlare is the proxy. CloudFlare then helps protect the website by filtering out threat traffic before it reaches the origin server. It is a good piece of a defense-in-depth strategy.

However, the service is of little benefit if potentially malicious traffic can simply bypass the filtering by addressing the web server directly, so the origin’s IP address has to be treated as something an attacker can discover. The easiest way to close this gap is to configure the iptables firewall to explicitly allow HTTP (port 80) and HTTPS (port 443) traffic from CloudFlare’s network and drop it from everywhere else. The ranges below are CloudFlare’s published ranges at the time of writing; CloudFlare maintains the current lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, and the rules must be refreshed when those lists change. If the server also has a public IPv6 address, repeat the rules with ip6tables, or the IPv6 address becomes the bypass. Verify the result from a host outside CloudFlare: with example.com standing in for the protected domain, `curl --resolve example.com:443:<origin address> https://example.com/` should hang and time out rather than return the page.

  ###################################################
  # CloudFlare Web Application Firewall / CDN Access
  ################################################### 

  #
  # CloudFlare Network has Access to HTTP (port 80)
  #
  iptables -A INPUT -s 204.93.240.0/24 -p tcp --dport http -j ACCEPT
  iptables -A INPUT -s 204.93.177.0/24 -p tcp --dport http -j ACCEPT
  iptables -A INPUT -s 199.27.128.0/21 -p tcp --dport http -j ACCEPT
  iptables -A INPUT -s 173.245.48.0/20 -p tcp --dport http -j ACCEPT
  iptables -A INPUT -s 103.22.200.0/22 -p tcp --dport http -j ACCEPT
  iptables -A INPUT -s 141.101.64.0/18 -p tcp --dport http -j ACCEPT
  iptables -A INPUT -s 108.162.192.0/18 -p tcp --dport http -j ACCEPT
  iptables -A INPUT -s 190.93.240.0/20 -p tcp --dport http -j ACCEPT

  #
  # CloudFlare Network has Access to Encrypted HTTPS (port 443)
  #
  iptables -A INPUT -s 204.93.240.0/24 -p tcp --dport https -j ACCEPT
  iptables -A INPUT -s 204.93.177.0/24 -p tcp --dport https -j ACCEPT
  iptables -A INPUT -s 199.27.128.0/21 -p tcp --dport https -j ACCEPT
  iptables -A INPUT -s 173.245.48.0/20 -p tcp --dport https -j ACCEPT
  iptables -A INPUT -s 103.22.200.0/22 -p tcp --dport https -j ACCEPT
  iptables -A INPUT -s 141.101.64.0/18 -p tcp --dport https -j ACCEPT
  iptables -A INPUT -s 108.162.192.0/18 -p tcp --dport https -j ACCEPT
  iptables -A INPUT -s 190.93.240.0/20 -p tcp --dport https -j ACCEPT

  ######################################################
  # General Access to the Web Server from the World
  ######################################################
  # If we wanted to allow HTTP/HTTPS from anywhere, add this
  #iptables -A INPUT -p tcp --dport http -j ACCEPT
  #iptables -A INPUT -p tcp --dport https -j ACCEPT  

  # Drop HTTP and HTTPS traffic from everywhere not already permitted above.
  # iptables matches in order, so these must be appended after the CloudFlare
  # ACCEPT rules; anything on port 80/443 that did not match them is dropped here.
  iptables -A INPUT -p tcp --dport http -j DROP
  iptables -A INPUT -p tcp --dport https -j DROP
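The rule set above is a point-in-time snapshot, and a loop that feeds whatever curl returns straight into iptables (as the comment below does) will happily insert an HTML error page or nothing at all. The following script is an added example, not part of the original post or Rietta’s tooling: it keeps the CloudFlare ranges in a dedicated chain so they can be refreshed without disturbing the rest of INPUT, validates every entry as an IPv4 CIDR before emitting a single rule, and refuses an empty list. The chain name CLOUDFLARE, the helper names, and the use of the post’s eight ranges as a constructed sample are assumptions; the script prints iptables commands rather than running them so the output can be reviewed or piped to sh as root, and the live list comes from https://www.cloudflare.com/ips-v4.

```shell
#!/bin/sh
# cf_chain.sh: allow HTTP/HTTPS only from CloudFlare's published ranges via a
# dedicated chain. Added example; chain name, URL and sample list are assumptions.
set -u

CHAIN=CLOUDFLARE
CF_IPS_V4_URL=https://www.cloudflare.com/ips-v4

# Constructed sample input: the eight ranges from the post. In production the
# list comes from fetch_cf_ranges instead of this constant.
CF_RANGES_V4='204.93.240.0/24
204.93.177.0/24
199.27.128.0/21
173.245.48.0/20
103.22.200.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20'

# Return 0 only for a well-formed a.b.c.d/n (octets 0-255, prefix 0-32).
is_ipv4_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip="${1%/*}"
  prefix="${1#*/}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  IFS=. read -r o1 o2 o3 o4 rest <<EOF
$ip
EOF
  [ -z "$rest" ] || return 1
  for octet in "$o1" "$o2" "$o3" "$o4"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# One-time setup: create the chain and send all HTTP/HTTPS traffic to it.
setup_commands() {
  echo "iptables -N $CHAIN"
  echo "iptables -A INPUT -p tcp -m multiport --dports 80,443 -j $CHAIN"
}

# Print the commands that rebuild the chain from a newline-separated list of
# ranges. Every entry is validated first; an empty or malformed list produces
# no output and a non-zero exit, so a failed download (HTML error page,
# truncated body) can never reach the firewall.
refresh_commands() {
  ranges="$1"
  n=0
  while IFS= read -r r; do
    [ -n "$r" ] || continue
    is_ipv4_cidr "$r" || { echo "refusing invalid range: $r" >&2; return 1; }
    n=$((n + 1))
  done <<EOF
$ranges
EOF
  [ "$n" -gt 0 ] || { echo "refusing empty range list" >&2; return 1; }
  # Flush then repopulate. Keep INPUT's default policy at DROP so the short
  # window between these commands fails closed rather than open.
  echo "iptables -F $CHAIN"
  while IFS= read -r r; do
    [ -n "$r" ] || continue
    echo "iptables -A $CHAIN -s $r -j ACCEPT"
  done <<EOF
$ranges
EOF
  echo "iptables -A $CHAIN -j DROP"
}

# Fetch the live list; -f makes an HTTP error fail instead of returning a page.
fetch_cf_ranges() {
  curl -fsS --max-time 20 "$CF_IPS_V4_URL"
}

# When run directly (sh cf_chain.sh | sudo sh), fetch and print the refresh.
case "$0" in
  *cf_chain.sh) list=$(fetch_cf_ranges) && refresh_commands "$list" ;;
esac
```

Run the setup_commands output once to create the chain and the jump from INPUT; after that a cron job can pipe the script’s output to sh to refresh the ranges. The script only understands IPv4; an origin with a public IPv6 address needs the same treatment with ip6tables against the ips-v6 list, which the rules in this post do not cover.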

Pre-Migration Comments

Niklas Bivald

You can also do a modified version of CloudFlare's Railgun script:

# Fetch the published list and insert one ACCEPT rule per range at the top of INPUT.
# -fsS makes curl fail on an HTTP error instead of feeding an error page to the loop.
for i in $(curl -fsS https://www.cloudflare.com/ips-v4); do iptables -I INPUT -p tcp -s "$i" --dport http -j ACCEPT; done
for i in $(curl -fsS https://www.cloudflare.com/ips-v4); do iptables -I INPUT -p tcp -s "$i" --dport https -j ACCEPT; done