How to allow HTTP and HTTPS traffic coming ONLY from CloudFlare

Post Reply
User avatar
isscbta
Team Member
Posts: 129
Joined: Mon Jul 19, 2021 1:41 am
Has thanked: 14 times
Been thanked: 3 times

This script is modifying the firewall rules on a server using myVesta Control Panel to allow HTTP and HTPS incoming traffic only from Cloudflare IPs.
This is useful when using Cloudflare to protect your website against DDoS attacks (so nobody can flood your site by avoiding CloudFlare, for example, by targeting your server's IP directly).

Here's a step-by-step explanation:

The script searches for a firewall rule (that allows http and https traffic from all IP addresses) in the /usr/local/vesta/data/firewall/rules.conf file and assigns the result to the $rules variable.
It evaluates the content of the $rules variable.
The script suspends the firewall rule by executing the v-suspend-firewall-rule command with found rule number.
Next, the script adds new firewall rules for a list of Cloudflare IP ranges:

It sets the IP range and comment for each Cloudflare IP block (e.g., IP='173.245.48.0/20' COMMENT='CloudFlare_1').
The script calls v-add-firewall-rule command to add a new firewall rule that allows incoming traffic from the specified IP range on ports 80 and 443 using the TCP protocol and adds the corresponding comment.

That way, incoming traffic would be allowed only from Cloudflare IPs for HTTP (port 80) and HTTPS (port 443) services.

Script code:

Code: Select all

rules=$(grep "PORT='80,443' IP='0.0.0.0/0' COMMENT='WEB'" /usr/local/vesta/data/firewall/rules.conf)
eval $rules
/usr/local/vesta/bin/v-suspend-firewall-rule "$RULE"

IP='173.245.48.0/20' COMMENT='CloudFlare_1'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='103.21.244.0/22' COMMENT='CloudFlare_2'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='103.22.200.0/22' COMMENT='CloudFlare_3'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='103.31.4.0/22' COMMENT='CloudFlare_4'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='141.101.64.0/18' COMMENT='CloudFlare_5'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='108.162.192.0/18' COMMENT='CloudFlare_6'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='190.93.240.0/20' COMMENT='CloudFlare_7'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='188.114.96.0/20' COMMENT='CloudFlare_8'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='197.234.240.0/22' COMMENT='CloudFlare_9'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='198.41.128.0/17' COMMENT='CloudFlare_10'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='162.158.0.0/15' COMMENT='CloudFlare_11'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='104.16.0.0/13' COMMENT='CloudFlare_12'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='104.24.0.0/14' COMMENT='CloudFlare_13'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='172.64.0.0/13' COMMENT='CloudFlare_14'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"
IP='131.0.72.0/22' COMMENT='CloudFlare_15'
/usr/local/vesta/bin/v-add-firewall-rule 'ACCEPT' "$IP" '80,443' 'TCP' "$COMMENT"

Tags:
Salazarski
Posts: 1
Joined: Sat Jun 24, 2023 7:07 pm

Is it possible to do the same for UDP but whitelisting certain aspects like vestacp and ssh access?
User avatar
myVesta
Site Admin
Posts: 921
Joined: Fri Jun 19, 2020 9:59 am
Has thanked: 8 times
Been thanked: 6 times

Salazarski wrote: Sat Jun 24, 2023 7:08 pm Is it possible to do the same for UDP but whitelisting certain aspects like vestacp and ssh access?
Yes, the principle for UDP is the same as for TCP.
Post Reply