In 03.1, Only Allow Cloudflare IPs, we updated Ubuntu’s
iptables to only allow traffic from Cloudflare IPs on these ports:
- http: 80
- http-alt: 8080
- https: 443
- https-alt: 8443
- clearvisn: 2052
- lot105-ds-upd: 2053
- infowave: 2082
- radsec: 2083
- gnunet: 2086
- eli: 2087 (event logging)
- nbx-ser: 2095
- nbx-dir: 2096
- cddbp-alt: 8880
We then also denied http and https access to our server from IPs that are not Cloudflare’s. The advantage of this approach is that it forces all web traffic through Cloudflare, which ensures their security features can inspect all the web traffic headed to our server before it arrives.
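As an added example that is not from the original post, the script below generates the iptables rules that implement the allow-list described above: each source range gets an ACCEPT covering the proxied ports, followed by a single DROP so any other source is rejected on those same ports. The port list is the one from the post; the source ranges are constructed RFC 5737 documentation addresses passed in as a variable so the script runs offline (in production, substitute the list Cloudflare publishes at https://www.cloudflare.com/ips-v4). Port 22 is deliberately not in the list, since ssh is handled separately below.

```shell
#!/bin/sh
# Added example, not from the original post: emit iptables rules that admit
# the Cloudflare-proxied ports only from a supplied list of source ranges.

# The proxied ports listed in the post (13 ports, within multiport's limit of 15).
CF_PORTS="80,8080,443,8443,2052,2053,2082,2083,2086,2087,2095,2096,8880"

# Constructed sample ranges (RFC 5737 documentation space) for the offline
# demo only; replace with Cloudflare's current published ranges in production.
SAMPLE_RANGES="192.0.2.0/24
198.51.100.0/24"

# Print the rule set: one ACCEPT per source range covering every proxied
# port, then one DROP so any other source is rejected on those ports.
# Each line is a complete command ready to be run as root; keep these ahead
# of any broader ACCEPT rule in the INPUT chain, or they never match.
gen_rules() {
    ranges="$1"
    for cidr in $ranges; do
        printf 'iptables -A INPUT -p tcp -s %s -m multiport --dports %s -j ACCEPT\n' \
            "$cidr" "$CF_PORTS"
    done
    printf 'iptables -A INPUT -p tcp -m multiport --dports %s -j DROP\n' "$CF_PORTS"
}

# Number of rules produced: one per range plus the final DROP.
count_rules() {
    gen_rules "$1" | wc -l | tr -d ' '
}

# Demo run: show the rules that would be applied for the sample ranges.
gen_rules "$SAMPLE_RANGES"
```

Because Cloudflare's ranges change over time, regenerate and reapply these rules on a schedule rather than treating them as a one-off; a stale allow-list silently drops traffic from a new Cloudflare edge.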
What if we could also guarantee that any ssh requests had to go through Cloudflare as well? In other words, what if we didn’t accept
ssh requests to the server IP directly but forced those through Cloudflare too?
The Cloudflare tutorial is really all you need. The gotchas I encountered were pretty small. Essentially, you install
cloudflared on your server, set it up as a service, and connect it to one of your domains pointed at the server. Then install the client on your local machine. You make an update to your
sshd_config file locally, and it is a painless way to run ssh through Cloudflare.
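As an added example that is not from the original post, this is the shape of the client-side change: a stanza in the local user's ssh client configuration (`~/.ssh/config`) that hands the connection to cloudflared instead of opening a TCP connection to the server IP. `ssh.example.com` is a placeholder for the tunnel hostname you created in your Cloudflare account, and the `/usr/local/bin/cloudflared` path is an assumption; adjust it to wherever the client was installed.

```sshconfig
# Placeholder hostname: the DNS name routed to the cloudflared tunnel on the server.
Host ssh.example.com
    # cloudflared brokers the session through Cloudflare Access; %h expands to the Host above.
    ProxyCommand /usr/local/bin/cloudflared access ssh --hostname %h
```

With this in place, `ssh user@ssh.example.com` never touches port 22 on the server's public IP, so the firewall rule set from the previous section can stop exposing ssh to the internet entirely: the server-side cloudflared makes outbound connections to Cloudflare, which means no inbound ssh port needs to be open at all.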