iptables with Cloudflare

tatersalad58 asked:

I’m using fail2ban to block web vulnerability scanners. It is working correctly when visiting the site if CloudFlare is bypassed, but a user can still access it if going through it. I have mod_cloudflare installed.

Is it possible to block users with IPtables when using Cloudflare?

Ubuntu Server 12.04 32-bit

Access.log:

112.64.89.231 - - [29/Aug/2012:19:16:01 -0500] "GET /muieblackcat HTTP/1.1" 404 469 "-" "-"

Jail.conf

[apache-probe]

enabled  = true
port     = http,https
filter   = apache-probe
logpath  = /var/log/apache2/access.log
action   = iptables-multiport[name=apache-probe, port="http,https", protocol=tcp]
maxretry = 1
bantime  = 30 # Test

Apache-probe.conf

[Definition]

failregex   = ^<HOST>.*"GET /muieblackcat HTTP/1.1".*
ignoreregex =

My answer:

The reason this isn’t working (and isn’t going to work) is that iptables operates on the IP address of the machine that directly connected to yours. If you’re using CloudFlare, this means you are receiving connections from CloudFlare, not directly from the end users.

Here’s an example, taken from one of my sites on CloudFlare:

::ffff:108.162.221.19 www.yes-www.org - [05/Sep/2012:21:50:50 +0000] "GET / HTTP/1.1" 200 9585 "http://no-www.org/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.8 (KHTML, like Gecko) Chrome/23.0.1251.2 Safari/537.8" "64.244.153.130"

Here we see that the connection was received from 108.162.221.19, one of CloudFlare’s servers. If this were blocked in iptables, then CloudFlare would not be able to reach us (from that address; fortunately they have many others). The connection to CloudFlare actually came from 64.244.153.130, which is what appeared in the X-Forwarded-For and CF-Connecting-IP headers.

Unfortunately in this sort of setup, this means you can’t really use iptables to block visitors. You do have a couple of options, though:

  • Use CloudFlare’s Threat Control panel, as Damon mentioned. This gets painful if you have a lot of IP addresses you want to block, or they change frequently.
  • Block the requests at the application level. Tools such as my own Bad Behavior can accomplish this sort of thing.

View the full question and answer on Server Fault.
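The answer above turns on one point: the address iptables sees is the proxy's, and the end user's address survives only in a header (CF-Connecting-IP or X-Forwarded-For) that the application must read itself. The following is an added example, not code from the original post and not part of Bad Behavior, showing how an application-level block would do that safely: honour the forwarded header only when the TCP peer is a known proxy, otherwise a client connecting directly could forge the header to dodge a ban or get someone else banned. The trusted proxy range is a constructed placeholder (a real deployment loads the CDN's published range list), and the two log lines are constructed from the two shown in the post.

```python
import ipaddress
import re
from typing import Iterable, Mapping, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed placeholder: the one range this example treats as a trusted reverse
# proxy. In a real deployment this must be the CDN's published address list.
TRUSTED_PROXY_RANGES = [ipaddress.ip_network("108.162.221.0/24")]

# Constructed sample log lines modelled on the two in the post: a direct hit, and a
# request that arrived via the proxy with the forwarded client address logged last.
LOG_DIRECT = ('112.64.89.231 - - [29/Aug/2012:19:16:01 -0500] '
              '"GET /muieblackcat HTTP/1.1" 404 469 "-" "-"')
LOG_VIA_PROXY = ('::ffff:108.162.221.19 www.example.org - [05/Sep/2012:21:50:50 +0000] '
                 '"GET / HTTP/1.1" 200 9585 "-" "Mozilla/5.0" "64.244.153.130"')


def normalize(addr: str) -> IPAddress:
    """Parse an address, unwrapping the IPv4-mapped IPv6 form (::ffff:a.b.c.d) Apache logs."""
    ip = ipaddress.ip_address(addr.strip())
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_trusted_proxy(peer: IPAddress,
                     trusted: Iterable[IPNetwork] = TRUSTED_PROXY_RANGES) -> bool:
    return any(peer in net for net in trusted)


def real_client_ip(peer_ip: str, headers: Mapping[str, str],
                   trusted: Iterable[IPNetwork] = TRUSTED_PROXY_RANGES) -> str:
    """Return the address that access policy should apply to.

    The forwarded-client header is used only when the TCP peer is a trusted proxy.
    For any other peer the header is ignored, because the peer itself controls it.
    """
    peer = normalize(peer_ip)
    if is_trusted_proxy(peer, trusted):
        candidate = headers.get("CF-Connecting-IP")
        if not candidate:
            # X-Forwarded-For may be a comma-separated chain; the left-most entry
            # is the originating client as seen by the first proxy.
            candidate = headers.get("X-Forwarded-For", "").split(",")[0]
        if candidate.strip():
            try:
                return str(normalize(candidate))
            except ValueError:
                pass  # malformed header value: fall back to the peer address
    return str(peer)


def is_blocked(ip: str, blocklist: Iterable[str]) -> bool:
    """Application-level check: True when the address falls in any blocklisted network."""
    addr = normalize(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in blocklist)


_QUOTED = re.compile(r'"([^"]*)"')


def parse_log_line(line: str) -> Tuple[str, Optional[str]]:
    """Return (peer address, forwarded client address or None) for one access-log line.

    The first field is what iptables would ban; behind a proxy it is the proxy's own
    address. When the log format appends the forwarded header as the last quoted
    field, that field holds the end user's address.
    """
    peer = str(normalize(line.split(" ", 1)[0]))
    quoted = _QUOTED.findall(line)
    client: Optional[str] = None
    if quoted:
        try:
            client = str(normalize(quoted[-1]))
        except ValueError:
            client = None  # "-" or a user-agent string, not an address
    return peer, client


if __name__ == "__main__":
    for line in (LOG_DIRECT, LOG_VIA_PROXY):
        peer, client = parse_log_line(line)
        print(f"iptables would see {peer}; forwarded client: {client}")
    # Policy decision for the proxied request, made in the application instead
    ip = real_client_ip("::ffff:108.162.221.19", {"CF-Connecting-IP": "64.244.153.130"})
    print(ip, "blocked" if is_blocked(ip, ["64.244.153.0/24"]) else "allowed")
```

The trusted-peer check is the part that matters: without it, a ban keyed on CF-Connecting-IP is trivially bypassed by anyone who reaches the origin directly, and a forged header could make the application ban an address it never heard from.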

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.