Setting up IP-Tables for Cloudflare

For emoncms & node-red users using Cloudflare to increase security, it’s recommended that you lock down your system by only allowing traffic from Cloudflare’s servers, to avoid ‘man in the middle’ attacks.

I’ve just done this using UFW (which comes pre-installed in most Linux distros - certainly Jessie), and am mentioning it here in case it helps anyone else, especially as it’s so easy to set it up wrongly and lock yourself out of your system.

I am also using a bash script to help initially set up Cloudflare’s IPs, and if the script is run, say, weekly, it will update your IP tables automatically with the latest IP addresses which Cloudflare are using, as they are rapidly expanding and adding new IPs regularly.
I run the script by using node-red instead of directly through cron, which seems the easiest option.

If you are interested, please check the read-me and script at GitHub - Paul-Reed/cloudflare-ufw: Script to update UFW with Cloudflare IPs

Paul

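As an added illustration of the approach described in the post above (this is example code, not the script in Paul’s cloudflare-ufw repository), here is the shape such an updater can take. It assumes Cloudflare publishes its ranges as plain text at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, that the proxied services sit on ports 80 and 443, and that the previously applied list is kept in a state file (`CF_STATE`, a name chosen for this example) so retired ranges can be deleted again on the next run. Only well-formed CIDRs reach ufw, an empty download refuses to touch the firewall, and `--dry-run` prints the commands instead of executing them.

```shell
#!/usr/bin/env bash
# Added example, not the script from Paul-Reed/cloudflare-ufw: keep a UFW
# allow-list in step with Cloudflare's published address ranges.
# Assumptions (not from the thread): lists at https://www.cloudflare.com/ips-v4
# and https://www.cloudflare.com/ips-v6, proxied ports 80 and 443, and the last
# applied list remembered in $CF_STATE so retired ranges can be deleted.
set -eu

CF_STATE="${CF_STATE:-/var/lib/cloudflare-ufw/current.txt}"
CF_PORTS="${CF_PORTS:-80,443}"

# Constructed sample list standing in for a download; it deliberately contains
# junk lines that must never be passed on to ufw.
SAMPLE_CIDRS='173.245.48.0/20
# comment line
103.21.244.0/22

2400:cb00::/32
not-a-cidr'

# Keep only lines that look like IPv4 or IPv6 CIDRs; drop comments, blanks, junk.
valid_cidrs() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9a-fA-F:]+/[0-9]{1,3}$' |
    sort -u
}

# Print (never run) one ufw command. $1 is "allow" or "delete", $2 the CIDR.
rule_for() {
  case "$1" in
    allow)  printf 'ufw allow proto tcp from %s to any port %s comment Cloudflare\n' "$2" "$CF_PORTS" ;;
    delete) printf 'ufw delete allow proto tcp from %s to any port %s\n' "$2" "$CF_PORTS" ;;
    *) echo "rule_for: bad action $1" >&2; return 1 ;;
  esac
}

# CIDR list on stdin -> one ufw command per line on stdout.
rules_from_list() {
  action="$1"
  valid_cidrs | while IFS= read -r cidr; do rule_for "$action" "$cidr"; done
}

# Download both lists; each gets its own trailing newline so the last IPv4
# entry is not glued onto the first IPv6 entry.
fetch_cloudflare_cidrs() {
  for url in https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6; do
    curl -fsS "$url"; printf '\n'
  done
}

# Execute the commands on stdin, or with --dry-run just print them.
run_rules() {
  while IFS= read -r cmd; do
    if [ "$1" = "--dry-run" ]; then
      printf '%s\n' "$cmd"
    else
      $cmd >/dev/null   # unquoted on purpose: the line is a simple command
    fi
  done
}

# Replace the old Cloudflare rule set with the list on stdin: delete rules for
# the previously recorded ranges, allow the new ones, record the new list, then
# reload. A failed or empty download aborts before any rule is removed.
sync_rules() {
  mode="${1:-}"
  new="$(valid_cidrs)"
  [ -n "$new" ] || { echo "sync_rules: empty list, refusing to touch firewall" >&2; return 1; }
  if [ -s "$CF_STATE" ]; then
    rules_from_list delete < "$CF_STATE" | run_rules "$mode"
  fi
  printf '%s\n' "$new" | rules_from_list allow | run_rules "$mode"
  if [ "$mode" = "--dry-run" ]; then
    printf 'ufw reload\n'
  else
    mkdir -p "$(dirname "$CF_STATE")"
    printf '%s\n' "$new" > "$CF_STATE"
    ufw reload >/dev/null
  fi
}

# Entry point for a weekly cron/node-red run:  CF_UFW_APPLY=1 ./cloudflare-ufw.sh [--dry-run]
if [ "${CF_UFW_APPLY:-0}" = 1 ]; then
  fetch_cloudflare_cidrs | sync_rules "${1:-}"
else
  # Without CF_UFW_APPLY=1 the script only shows what it would do to the sample.
  printf '%s\n' "$SAMPLE_CIDRS" | sync_rules --dry-run
fi
```

Two points worth keeping in mind when adapting this: the refusal on an empty list is what stops a failed download from deleting every Cloudflare rule and leaving the site unreachable, and the script only manages the Cloudflare rules, so an allow rule for your own administrative access (SSH or similar) must already exist before a default-deny policy is switched on, which is exactly the lock-out the post warns about.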

Thanks for sharing. I do the same thing for oem.org and this forum, which is served via Cloudflare DNS, which we use to provide HTTPS.

Are you also running a similar IP update script to ensure that new Cloudflare IPs are automatically added? If so, have you any observations about, or suggested improvements to, the script that I’m using?

Paul

Actually I just whitelist Cloudflare IPs rather than blocking all other IPs.

I just have a file listing all CF IPs which I update manually. I don’t think they change very often. Would be good to automate though, but it’s not as critical for us, since even if the IPs are not whitelisted they will still work, just with the possibility of being bandwidth throttled.

Update: just checked, there has been no change in CF server IPs since May.


@Paul - I noticed your script allows the newly acquired IP list, but it doesn’t tell ufw to use the new list. I don’t normally set rules by IP, so cannot categorically say it applies, but certainly when you “allow” a port nothing changes until you restart or reload ufw, or reboot.

sudo ufw reload > /dev/null

will silently reload the firewall rules without needing any user confirmation so it can be used in a script.

Thanks Paul.
I did test this when I first started using the script, and found that a reload was not necessary, as any IPs added or removed appear to be effective immediately.
I’ve just tested again in confirmation by removing all of Cloudflare’s IPs, and I immediately lost my un-cached connection. I then ran the script, restoring the IPs, and my connection was immediately restored - without a reload.
But a reload command is probably good practice and belt & braces, so it’s now added in the git repo.

Thanks again

Paul