

@Manouchehri
Last active October 22, 2025 13:19

Revisions

  1. Manouchehri revised this gist Jan 6, 2023. 1 changed file with 3 additions and 1 deletion.
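--- a/cloudflare.sh
+++ b/cloudflare.sh
@@ -8,4 +8,6 @@ for i in `curl https://www.cloudflare.com/ips-v6`; do ip6tables -I INPUT -p tcp
 # Avoid racking up billing/attacks
 # WARNING: If you get attacked and CloudFlare drops you, your site(s) will be unreachable.
 iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
-ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
+ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
+
+# WARNING: This does NOT block Cloudflare's clients from accessing your website over HTTP or HTTPS with a Cloudflare Worker.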
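Review bot: The new WARNING on the last line names a bypass that the packet filter cannot address but stops short of saying what does, and since the whole script is an origin allow-list this comment is where a reader will look for the answer. Suggest extending it: `# Mitigate at the web server instead: require Cloudflare's origin-pull client certificate (Authenticated Origin Pulls) or otherwise verify that a request really came through your zone.` The removed and re-added ip6tables line above it is textually identical, so that part of the hunk appears to be a whitespace or line-ending change only.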
  2. Manouchehri revised this gist Jun 24, 2015. 1 changed file with 2 additions and 23 deletions.
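--- a/cloudflare.sh
+++ b/cloudflare.sh
@@ -2,29 +2,8 @@
 # https://www.cloudflare.com/ips
 # https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-CloudFlare-s-IP-addresses-in-iptables-
 
-# IPv4
-iptables -I INPUT -p tcp -m multiport --dports http,https -s 103.21.244.0/22 -j ACCEPT
-iptables -I INPUT -p tcp -m multiport --dports http,https -s 103.22.200.0/22 -j ACCEPT
-iptables -I INPUT -p tcp -m multiport --dports http,https -s 103.31.4.0/22 -j ACCEPT
-iptables -I INPUT -p tcp -m multiport --dports http,https -s 104.16.0.0/12 -j ACCEPT
-iptables -I INPUT -p tcp -m multiport --dports http,https -s 108.162.192.0/18 -j ACCEPT
-iptables -I INPUT -p tcp -m multiport --dports http,https -s 141.101.64.0/18 -j ACCEPT
-iptables -I INPUT -p tcp -m multiport --dports http,https -s 162.158.0.0/15 -j ACCEPT
-iptables -I INPUT -p tcp -m multiport --dports http,https -s 172.64.0.0/13 -j ACCEPT
-iptables -I INPUT -p tcp -m multiport --dports http,https -s 173.245.48.0/20 -j ACCEPT
-iptables -I INPUT -p tcp -m multiport --dports http,https -s 188.114.96.0/20 -j ACCEPT
-iptables -I INPUT -p tcp -m multiport --dports http,https -s 190.93.240.0/20 -j ACCEPT
-iptables -I INPUT -p tcp -m multiport --dports http,https -s 197.234.240.0/22 -j ACCEPT
-iptables -I INPUT -p tcp -m multiport --dports http,https -s 198.41.128.0/17 -j ACCEPT
-iptables -I INPUT -p tcp -m multiport --dports http,https -s 199.27.128.0/21 -j ACCEPT
-
-# IPv6
-ip6tables -I INPUT -p tcp -m multiport --dports http,https -s 2400:cb00::/32 -j ACCEPT
-ip6tables -I INPUT -p tcp -m multiport --dports http,https -s 2405:8100::/32 -j ACCEPT
-ip6tables -I INPUT -p tcp -m multiport --dports http,https -s 2405:b500::/32 -j ACCEPT
-ip6tables -I INPUT -p tcp -m multiport --dports http,https -s 2606:4700::/32 -j ACCEPT
-ip6tables -I INPUT -p tcp -m multiport --dports http,https -s 2803:f800::/32 -j ACCEPT
-
+for i in `curl https://www.cloudflare.com/ips-v4`; do iptables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done
+for i in `curl https://www.cloudflare.com/ips-v6`; do ip6tables -I INPUT -p tcp -m multiport --dports http,https -s $i -j ACCEPT; done
 
 # Avoid racking up billing/attacks
 # WARNING: If you get attacked and CloudFlare drops you, your site(s) will be unreachable.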
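Review bot: The two new `for` loops run `curl` without `--fail`, with `$i` unquoted, and with no check that anything was actually fetched, so an unreachable endpoint or an HTTP error body yields zero or malformed ACCEPT rules while the DROP rules that follow this hunk are still appended, taking the site offline rather than failing safe. Fetch both lists into variables first and abort before touching the firewall if either fetch fails; quoting `$i` and rejecting any token that is not of the form address/prefix also keeps an unexpected response body from being handed to iptables as an argument. The backtick form is the legacy spelling, `$(...)` is the idiomatic replacement; the `[[ =~ ]]` checks below assume the script runs under bash, which the file (no shebang) does not currently state.
```sh
# … unchanged: source comments …
# Fetch both lists before changing any rule: if a fetch fails, stop here rather than
# appending the DROP rules below with no ACCEPT rules in front of them.
cf_v4=$(curl -fsS https://www.cloudflare.com/ips-v4) || exit 1
cf_v6=$(curl -fsS https://www.cloudflare.com/ips-v6) || exit 1
for i in $cf_v4; do   # unquoted on purpose: split the response into one range per word
  [[ "$i" =~ ^[0-9.]+/[0-9]+$ ]] || exit 1   # unexpected token in the response
  iptables -I INPUT -p tcp -m multiport --dports http,https -s "$i" -j ACCEPT
done
for i in $cf_v6; do
  [[ "$i" =~ ^[0-9a-fA-F:]+/[0-9]+$ ]] || exit 1
  ip6tables -I INPUT -p tcp -m multiport --dports http,https -s "$i" -j ACCEPT
done
# … unchanged: billing warning and DROP rules …
```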
  3. Manouchehri revised this gist Jun 24, 2015. 1 changed file with 2 additions and 0 deletions.
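--- a/cloudflare.sh
+++ b/cloudflare.sh
@@ -1,5 +1,6 @@
 # Source:
 # https://www.cloudflare.com/ips
+# https://support.cloudflare.com/hc/en-us/articles/200169166-How-do-I-whitelist-CloudFlare-s-IP-addresses-in-iptables-
 
 # IPv4
 iptables -I INPUT -p tcp -m multiport --dports http,https -s 103.21.244.0/22 -j ACCEPT
@@ -26,5 +27,6 @@ ip6tables -I INPUT -p tcp -m multiport --dports http,https -s 2803:f800::/32 -j
 
 
 # Avoid racking up billing/attacks
+# WARNING: If you get attacked and CloudFlare drops you, your site(s) will be unreachable.
 iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
 ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP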
  4. Manouchehri revised this gist Jun 24, 2015. 1 changed file with 2 additions and 2 deletions.
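--- a/cloudflare.sh
+++ b/cloudflare.sh
@@ -26,5 +26,5 @@ ip6tables -I INPUT -p tcp -m multiport --dports http,https -s 2803:f800::/32 -j
 
 
 # Avoid racking up billing/attacks
-iptables -A INPUT -p tcp --dport http,https -j DROP
-ip6tables -A INPUT -p tcp --dport http,https -j DROP
+iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
+ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP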
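Review bot: The rewritten DROP rules are appended with `-A`, so they land after every rule already present in INPUT and are duplicated on each re-run, while the ACCEPT rules above them are inserted at the top with `-I`; the intended policy therefore only holds if no pre-existing rule already accepts port 80/443 traffic, and nothing in the script checks for that. A cheap guard is to test for the rule before adding it, e.g. `iptables -C INPUT -p tcp -m multiport --dports http,https -j DROP 2>/dev/null || iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP`, with the same pattern for ip6tables, and a comment above them stating that they must remain the last INPUT rules. The switch from `--dport` to `-m multiport --dports` itself is correct, a plain `--dport` takes a single port or range, not a list.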
  5. Manouchehri created this gist Jun 24, 2015.
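--- /dev/null
+++ b/cloudflare.sh
@@ -0,0 +1,30 @@
+# Source:
+# https://www.cloudflare.com/ips
+
+# IPv4
+iptables -I INPUT -p tcp -m multiport --dports http,https -s 103.21.244.0/22 -j ACCEPT
+iptables -I INPUT -p tcp -m multiport --dports http,https -s 103.22.200.0/22 -j ACCEPT
+iptables -I INPUT -p tcp -m multiport --dports http,https -s 103.31.4.0/22 -j ACCEPT
+iptables -I INPUT -p tcp -m multiport --dports http,https -s 104.16.0.0/12 -j ACCEPT
+iptables -I INPUT -p tcp -m multiport --dports http,https -s 108.162.192.0/18 -j ACCEPT
+iptables -I INPUT -p tcp -m multiport --dports http,https -s 141.101.64.0/18 -j ACCEPT
+iptables -I INPUT -p tcp -m multiport --dports http,https -s 162.158.0.0/15 -j ACCEPT
+iptables -I INPUT -p tcp -m multiport --dports http,https -s 172.64.0.0/13 -j ACCEPT
+iptables -I INPUT -p tcp -m multiport --dports http,https -s 173.245.48.0/20 -j ACCEPT
+iptables -I INPUT -p tcp -m multiport --dports http,https -s 188.114.96.0/20 -j ACCEPT
+iptables -I INPUT -p tcp -m multiport --dports http,https -s 190.93.240.0/20 -j ACCEPT
+iptables -I INPUT -p tcp -m multiport --dports http,https -s 197.234.240.0/22 -j ACCEPT
+iptables -I INPUT -p tcp -m multiport --dports http,https -s 198.41.128.0/17 -j ACCEPT
+iptables -I INPUT -p tcp -m multiport --dports http,https -s 199.27.128.0/21 -j ACCEPT
+
+# IPv6
+ip6tables -I INPUT -p tcp -m multiport --dports http,https -s 2400:cb00::/32 -j ACCEPT
+ip6tables -I INPUT -p tcp -m multiport --dports http,https -s 2405:8100::/32 -j ACCEPT
+ip6tables -I INPUT -p tcp -m multiport --dports http,https -s 2405:b500::/32 -j ACCEPT
+ip6tables -I INPUT -p tcp -m multiport --dports http,https -s 2606:4700::/32 -j ACCEPT
+ip6tables -I INPUT -p tcp -m multiport --dports http,https -s 2803:f800::/32 -j ACCEPT
+
+
+# Avoid racking up billing/attacks
+iptables -A INPUT -p tcp --dport http,https -j DROP
+ip6tables -A INPUT -p tcp --dport http,https -j DROP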
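Review bot: The new file has no shebang and no `set -e`, so a rule that iptables rejects (a mistyped range, for instance) prints an error and execution simply continues to the next line, and nothing asserts the script is running with the privileges iptables needs. Start the file with `#!/usr/bin/env bash` and `set -euo pipefail` so the first failing rule stops the run before the trailing DROP rules are appended, and a one-line check such as `[[ $EUID -eq 0 ]] || { echo 'run as root' >&2; exit 1; }` gives one clear failure instead of a cascade of permission errors. The hard-coded ranges carry no date; a `# ranges fetched YYYY-MM-DD` next to the Source comment tells a later reader when to suspect the list has drifted from what Cloudflare publishes.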