Cloudflare
If you use Cloudflare you will want to update your iptables rules to limit access to only their IP addresses, forcing access to your server to be subjected to Cloudflare security features.
Update your iptables file
Open your rules file sudo nano /etc/iptables/rules.v4 and replace the contents we added in the previous post (03 Ubuntu 20.04 LTS Advanced Security Setup) with the following:
# Generated by iptables-save v1.8.4 on Fri Jul 9 15:13:06 2021 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] # Accept only Cloudflare IP addresses # See /root/lib for tool to update -A INPUT -s 104.24.0.0/14 -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j ACCEPT -A INPUT -s 104.16.0.0/13 -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j ACCEPT -A INPUT -s 131.0.72.0/22 -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j ACCEPT -A INPUT -s 172.64.0.0/13 -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j ACCEPT -A INPUT -s 162.158.0.0/15 -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j ACCEPT -A INPUT -s 198.41.128.0/17 -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j ACCEPT -A INPUT -s 197.234.240.0/22 -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j ACCEPT -A INPUT -s 188.114.96.0/20 -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j ACCEPT -A INPUT -s 190.93.240.0/20 -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j ACCEPT -A INPUT -s 108.162.192.0/18 -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j ACCEPT -A INPUT -s 141.101.64.0/18 -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j ACCEPT -A INPUT -s 103.31.4.0/22 -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j ACCEPT -A INPUT -s 103.22.200.0/22 -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j ACCEPT -A INPUT -s 103.21.244.0/22 -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j ACCEPT -A INPUT -s 173.245.48.0/20 -p tcp -m multiport --dports 80,443,8080,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880 -j ACCEPT # Drop all web traffic not from Cloudflare -A INPUT -p tcp -m multiport --dports http,https -j DROP # Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT -A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable # Accept all established inbound connections -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # Allow SSH connections # The -dport number should be the same port number you set in sshd_config -A INPUT -p tcp -m state --state NEW --dport 333 -j ACCEPT # Allow ping -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT # Log iptables denied calls -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Reject all other inbound - default deny unless explicitly allowed policy -A INPUT -j REJECT --reject-with icmp-port-unreachable -A FORWARD -j REJECT --reject-with icmp-port-unreachable # Allow all outbound traffic - you can modify this to only allow certain traffic -A OUTPUT -j ACCEPT COMMIT # Completed on Fri Jul 9 15:13:06 2021
NOTE: there must be a blank line after COMMIT at the end of the file.
Now run the following to save the iptables rules you just made so that they load when your server reboots:
sudo iptables-restore < /etc/iptables/rules.v4 sudo systemctl restart iptables
Verify that the rules were saved correctly after restarting the iptables service (above):
sudo iptables -L -nv
Going further you might find the the script I forked from @stokito on GitHub helpful for generating the iptable rules from the Cloudflare API. I used it to create the rules.v4 configuration above. They periodically update their IP addresses, so you should keep an eye out for changes.
2 comments
Comments are closed.