Correct usage of whitelisting cloudflare IPs in iptables

Tyrx asked:

I’m relatively new to using the command line so I’m understandably nervous about fiddling around with IP tables and accidentally doing something wrong which consequently opens up vulnerabilities in the firewall.

So, I thought I would ask here if my command usage was correct before actually trying to add this ip whitelisting rule via ssh.

iptables -I INPUT -p tcp -m multiport --dports http,https -s 204.93.240.0/24  204.93.177.0/24  199.27.128.0/21  173.245.48.0/20  103.22.200.0/22  141.101.64.0/18  108.162.192.0/18  190.93.240.0/20  188.114.96.0/20 -j ACCEPT

Is this usage correct? Not quite sure if it’s possible to add all those IPs at once or if I have to add them manually one by one.

My answer:

Rather than trying to put them all in one line, you should have one line per IP address range. Unfortunately this seems to be what CloudFlare is recommending.

So the complete list would look like:

iptables -A INPUT -p tcp -m multiport --dports http,https -s 204.93.240.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports http,https -s 204.93.177.0/24 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports http,https -s 199.27.128.0/21 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports http,https -s 173.245.48.0/20 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports http,https -s 103.22.200.0/22 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports http,https -s 141.101.64.0/18 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports http,https -s 108.162.192.0/18 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports http,https -s 190.93.240.0/20 -j ACCEPT

ip6tables -A INPUT -p tcp -m multiport --dports http,https -s 2400:cb00::/32 -j ACCEPT
ip6tables -A INPUT -p tcp -m multiport --dports http,https -s 2606:4700::/32 -j ACCEPT

Fortunately they have the lists available as plain text files that you can fetch from time to time and incorporate into a firewall-building script.
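A script that does what the last paragraph describes, added here as an example and not part of the original answer: it reads a plain-text range list and emits one ACCEPT rule per range, skipping blank, comment and malformed lines so a truncated or tampered download cannot smuggle extra options into a rule. The Cloudflare list URLs in the comments are an assumption; the embedded sample list is constructed from the ranges in the question.

```shell
#!/bin/sh
# Added example (not from the original post): turn a plain-text list of
# Cloudflare ranges into one iptables/ip6tables rule per range.
# Assumed live lists: https://www.cloudflare.com/ips-v4 and /ips-v6 .

# Constructed sample list (ranges from the question), with a comment and a
# blank line to show that both are ignored.
SAMPLE_V4='204.93.240.0/24
204.93.177.0/24
199.27.128.0/21
# comment lines and blank lines are skipped

173.245.48.0/20'

# build_rules BINARY LIST: print "BINARY -A INPUT ... -s RANGE -j ACCEPT"
# for every CIDR in LIST. Anything that is not made of CIDR characters is
# reported on stderr and dropped rather than passed to the firewall.
build_rules() {
    bin="$1"; list="$2"
    printf '%s\n' "$list" | while IFS= read -r cidr; do
        case "$cidr" in
            ''|'#'*) continue ;;
        esac
        case "$cidr" in
            *[!0-9a-fA-F:./]*)
                printf 'skipping invalid entry: %s\n' "$cidr" >&2
                continue ;;
        esac
        printf '%s -A INPUT -p tcp -m multiport --dports http,https -s %s -j ACCEPT\n' \
            "$bin" "$cidr"
    done
}

# count_rules BINARY LIST: how many rules build_rules would emit.
count_rules() {
    build_rules "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# Review the output, then append it before the chain's final DROP rule.
# Live data: build_rules iptables "$(curl -fsS https://www.cloudflare.com/ips-v4)"
build_rules iptables "$SAMPLE_V4"
build_rules ip6tables '2400:cb00::/32
2606:4700::/32'
```

Because the rules are appended with -A, they only take effect ahead of a DROP if that DROP is added afterwards; check the chain order with iptables -L INPUT -n --line-numbers before relying on them.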


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.