
Better protection against DDoS using Cloudflare and Linux firewall


If you’re not using Cloudflare yet, maybe you should consider it

Here are all the good reasons why you should use it:

  • It’s free.
    Well the basic version is free, and it’s enough for most people. Really.
  • It can prevent DDoS attacks on your website.
  • You get a free CDN.
    It will speed up all the static files of your website by caching them in the Cloudflare servers: all your .css, .js and images. Even your static html pages if you have any.
    And all of that is automatic: their servers keep your files in a cache as your visitors download them and they will send them directly after that.
  • It gives you a free SSL certificate.
    Although I suppose nowadays most providers also give a letsencrypt certificate for free.

…and the reason why you wouldn’t want to use it:

You’ve decided to go for it?

By now, you should know that when somebody browses your website, it goes through the Cloudflare platform, which gets the files from your server, then serves them back to your visitor.

The public IP of your website points to the Cloudflare servers, and no longer yours. This is a bit safer for you as nobody would know the IP of your servers.

First request:

sequenceDiagram
    participant Client
    participant Cloudflare
    participant Server
    Client->>Cloudflare: GET image.jpg
    Note over Cloudflare: not in cache
    Cloudflare->>Server: GET image.jpg
    Server->>Cloudflare: image.jpg
    Note over Cloudflare: save in cache
    Cloudflare->>Client: image.jpg

Second request:

sequenceDiagram
    participant Client
    participant Cloudflare
    participant Server
    Client->>Cloudflare: GET image.jpg
    Note over Cloudflare: already in cache
    Cloudflare->>Client: image.jpg

But there’s still a risk that an attacker discovers the IP address of your server. And it’s much easier than you think:
if for example your web server sends contact emails, it’s very likely its IP address will end-up somewhere in the email headers.

You should restrict your website to the IP addresses of the Cloudflare servers only.

If your website is hosted on a Linux box, here’s a very quick script you can run on your server to enhance your security.
This script makes use of ufw, which is installed by default on Ubuntu, and should also be available as a native package in most distributions.

Please read the instructions on how to set up ufw if you haven’t done so (Instructions for Debian).
For the following script to work properly, it’s expected your default rule is to deny incoming traffic:

$ sudo ufw status verbose
Status: active
Logging: off
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
[...]

Generating ufw configuration for Cloudflare IPs

#!/bin/bash
# Abort on the first failed command or unset variable, so a failed download
# never produces an empty or bogus install script.
set -euo pipefail

ports="80,443"
ipv4="ips-v4"
ipv6="ips-v6"
installv4="install-v4.sh"
installv6="install-v6.sh"

rm -f "$ipv4" "$ipv6"

# -f makes curl fail on an HTTP error instead of saving the error page as the IP list,
# -sS hides the progress bar but still reports errors.
echo "Downloading IPv4 addresses..."
curl -fsS "https://www.cloudflare.com/$ipv4" | sort >"$ipv4"

echo "Downloading IPv6 addresses..."
curl -fsS "https://www.cloudflare.com/$ipv6" | sort >"$ipv6"

echo "#!/bin/sh" > "$installv4"
echo "#!/bin/sh" > "$installv6"

# One "ufw allow" line per range; the "|| [[ -n "$line" ]]" keeps a last line
# that has no trailing newline.
while IFS='' read -r line || [[ -n "$line" ]]; do
    echo "ufw allow from $line to any port $ports proto tcp" >> "$installv4"
done < "$ipv4"

while IFS='' read -r line || [[ -n "$line" ]]; do
    echo "ufw allow from $line to any port $ports proto tcp" >> "$installv6"
done < "$ipv6"

Simply copy and paste this script onto your Linux box, or download it via the link provided, then mark the script as executable and run it:

$ curl -O https://creativeprojects.tech/scripts/cloudflare_ufw_config.sh
$ chmod +x cloudflare_ufw_config.sh
$ ./cloudflare_ufw_config.sh

The script will download two files from Cloudflare, ips-v4 and ips-v6, which contain the IP ranges of the edge servers Cloudflare uses to fetch your website.

If only these IPs are allowed to connect to your website, a DDoS can no longer hit your web server directly and has to go through Cloudflare first (this does nothing for a DDoS on ssh or whatever else you’re running on this server).

After running the script you will find it has created two scripts: install-v4.sh and install-v6.sh. Please check the content of these two files, because you shouldn’t trust any script downloaded from, or generated by a script from, the Internet. You will see they contain all the IP ranges of the Cloudflare edge servers to be allowed through the Linux firewall.

Run these two scripts if you use IPv6, or only the first one if you don’t.

$ chmod +x install-v*.sh
$ sudo ./install-v4.sh
$ sudo ./install-v6.sh

And you should see all the IPs allowed for HTTP (tcp 80) and HTTPS (tcp 443):

$ sudo ufw status

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       ***************
80,443/tcp                 ALLOW       103.21.244.0/22
80,443/tcp                 ALLOW       103.22.200.0/22
80,443/tcp                 ALLOW       103.31.4.0/22
80,443/tcp                 ALLOW       104.16.0.0/12
80,443/tcp                 ALLOW       108.162.192.0/18
80,443/tcp                 ALLOW       131.0.72.0/22
80,443/tcp                 ALLOW       141.101.64.0/18
80,443/tcp                 ALLOW       162.158.0.0/15
80,443/tcp                 ALLOW       172.64.0.0/13
80,443/tcp                 ALLOW       173.245.48.0/20
80,443/tcp                 ALLOW       188.114.96.0/20
80,443/tcp                 ALLOW       190.93.240.0/20
80,443/tcp                 ALLOW       197.234.240.0/22
80,443/tcp                 ALLOW       198.41.128.0/17
80,443/tcp                 ALLOW       2400:cb00::/32
80,443/tcp                 ALLOW       2405:8100::/32
80,443/tcp                 ALLOW       2405:b500::/32
80,443/tcp                 ALLOW       2606:4700::/32
80,443/tcp                 ALLOW       2803:f800::/32
80,443/tcp                 ALLOW       2a06:98c0::/29
80,443/tcp                 ALLOW       2c0f:f248::/32

That’s it! A wee bit safer. I don’t know if Cloudflare is adding or removing servers very often, but they say they would update the list if they do. In which case, just clear up your ufw rules and run this script again.

If it ever happens, I shall write a script to flush the existing rules and regenerate the configuration automatically.
I haven’t had the need for it yet.
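As an added example (not part of the original post), here is a small bash script that does the refresh just described without flushing everything: it compares the previously downloaded list with a fresh one and prints only the ufw commands needed to delete ranges that disappeared and allow ranges that are new, after dropping any line that is not a CIDR range (the same "check what you generated" point made above). The file names, the PORTS value and the function names are my own assumptions.

```shell
#!/bin/bash
# Added example, not the original post's script. Reconciles the ufw rules
# generated from an older Cloudflare list with a freshly downloaded one.
# Both lists are plain files (e.g. the previous and current ips-v4), so this
# needs neither network access nor ufw to compute the commands.
set -eu
export LC_ALL=C          # sort and comm must agree on collation order

PORTS="80,443"           # same ports as the post's script

# Keep only lines that look like an IPv4 or IPv6 CIDR range. An HTML error
# page or a stray comment in the download is dropped rather than turned into
# a firewall rule. An empty list is fine (first run), a missing file is not.
valid_cidrs() {
    local re
    [ -r "$1" ] || return 2
    re='^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$|^[0-9a-fA-F:]*:[0-9a-fA-F:]*/[0-9]{1,3}$'
    grep -E "$re" "$1" | sort -u
}

# Print the ufw commands that turn the ranges in $1 (currently allowed) into
# the ranges in $2 (fresh download): delete what disappeared, allow what is
# new. Ranges present in both lists produce nothing, so re-runs are no-ops.
rule_diff() {
    local cur new
    cur=$(mktemp) new=$(mktemp)
    valid_cidrs "$1" > "$cur"
    valid_cidrs "$2" > "$new"
    comm -23 "$cur" "$new" | while IFS= read -r r; do      # only in old list
        echo "ufw delete allow from $r to any port $PORTS proto tcp"
    done
    comm -13 "$cur" "$new" | while IFS= read -r r; do      # only in new list
        echo "ufw allow from $r to any port $PORTS proto tcp"
    done
    rm -f "$cur" "$new"
}

# Typical use: rule_diff ips-v4.previous ips-v4 > refresh-v4.sh, then review
# refresh-v4.sh before running it with sudo, exactly like install-v4.sh.
```

Keep a copy of each downloaded list after applying it; the next run then diffs against that copy instead of clearing all rules.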

P.S. No I don’t have shares in Cloudflare, I’m just a simple subscriber of their free offering.

WRITTEN BY Fred, Software Dude