{"id":2895,"date":"2019-10-23T16:15:45","date_gmt":"2019-10-23T08:15:45","guid":{"rendered":"https:\/\/www.mondoze.com\/guide\/?post_type=kb&p=2895"},"modified":"2022-10-05T08:00:43","modified_gmt":"2022-10-05T00:00:43","slug":"how-do-i-whitelist-cloudflares-ip-addresses-in-iptables","status":"publish","type":"kb","link":"https:\/\/www.mondoze.com\/guide\/kb\/how-do-i-whitelist-cloudflares-ip-addresses-in-iptables","title":{"rendered":"How do I whitelist Cloudflare’s IP addresses in iptables?"},"content":{"rendered":"\t\t

How do I whitelist Cloudflare's IP address?<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

Cloudflare’s IP ranges can be added to iptables using the steps below. This should be done to ensure that none of Cloudflare’s connections to your origin server are dropped, which could otherwise result in timeouts and other connectivity issues<\/strong>.\u00a0<\/p>

IPv4:\u00a0<\/strong>For each of the ranges listed here:\u00a0https:\/\/www.cloudflare.com\/ips-v4\u00a0, you’ll need to enter the following command at the terminal, replacing $ip with one of the\u00a0IPs in the list:
iptables -I INPUT -p tcp -m multiport --dports http,https -s \"$ip\" -j ACCEPT<\/code><\/p>

IPv6:<\/strong>\u00a0For each of the ranges listed here:\u00a0https:\/\/www.cloudflare.com\/ips-v6\u00a0, you’ll need to enter the following command at the terminal, replacing $ip with one of the IPs in the list:
ip6tables -I INPUT -p tcp -m multiport --dports http,https -s \"$ip\" -j ACCEPT<\/code><\/p>

An alternative to having a long list of iptables rules for each network range is to use a utility called ipset. If you don’t have this installed on your origin server, you can install it using your package manager.<\/p>

Debian:\u00a0<\/strong>sudo apt-get install ipset<\/p>

Create an ipset set:
ipset create cf hash:net<\/p>

Now populate the set with Cloudflare IP ranges:
for x in $(curl https:\/\/www.cloudflare.com\/ips-v4); do ipset add cf \"$x\"; done<\/p>

Note:\u00a0<\/strong>The ipset you have created is stored in memory and will be gone after a reboot by default. Remember to save it and\/or restore it after reboot.<\/p>

You can now use the ‘cf’ set in an iptables rule like so:
iptables -A INPUT -m set --match-set cf src -p tcp -m multiport --dports http,https -j ACCEPT<\/p>

Once you have run the iptables commands, you will need to save the iptables rules. The top two commands are used for IPv4 and the bottom two for IPv6.<\/p>

Debian\/Ubuntu:<\/strong>\u00a0iptables-save > \/etc\/iptables\/rules.v4<\/code>
RHEL\/CentOS:<\/strong>\u00a0iptables-save > \/etc\/sysconfig\/iptables<\/code>
Debian\/Ubuntu:<\/strong>\u00a0ip6tables-save > \/etc\/iptables\/rules.v6<\/code>
RHEL\/CentOS:<\/strong>\u00a0ip6tables-save > \/etc\/sysconfig\/ip6tables<\/code><\/p>\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

How do I whitelist Cloudflare’s IP address? Cloudflare’s IP ranges can be added to iptables using the steps below. This should be done to ensure that none of Cloudflare’s connections to your origin server are dropped, which could otherwise result in timeouts and other connectivity issues.\u00a0 IPv4:\u00a0For each of the ranges listed here:\u00a0https:\/\/www.cloudflare.com\/ips-v4\u00a0, you’ll need to enter the …<\/p>\n

How do I whitelist Cloudflare’s IP addresses in iptables?<\/span> Read More \u00bb<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}}},"kbtopic":[53],"kbtag":[110],"mkb_version":[],"_links":{"self":[{"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kb\/2895"}],"collection":[{"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/comments?post=2895"}],"version-history":[{"count":9,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kb\/2895\/revisions"}],"predecessor-version":[{"id":18984,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kb\/2895\/revisions\/18984"}],"wp:attachment":[{"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/media?parent=2895"}],"wp:term":[{"taxonomy":"kbtopic","embeddable":true,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kbtopic?post=2895"},{"taxonomy":"kbtag","embeddable":true,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/kbtag?post=2895"},{"taxonomy":"mkb_version","embeddable":true,"href":"https:\/\/www.mondoze.com\/guide\/wp-json\/wp\/v2\/mkb_version?post=2895"}]
,"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}