For various reasons, I need DNS entries that point directly at my server (Cloudflare proxy disabled). I was setting up individual firewall rules to block miscreants who were clearly bypassing Cloudflare, but wanted a less time-consuming approach. Other forum posts provided suggestions, but none went into detail. The following is based on Linux iptables - I run webmin, which allows me to make the required changes via its user interface.
I created a new iptables chain called “webtraffic” and populated it with rules to ACCEPT traffic originating from the Cloudflare IP addresses found at https://www.cloudflare.com/ips/. The second-to-last line logs non-Cloudflare traffic to /var/log/messages, so that I can track who was attempting to bypass Cloudflare.
# create the chain, then ACCEPT anything arriving from a Cloudflare range
iptables -N webtraffic
iptables -A webtraffic -s 108.162.192.0/18 -j ACCEPT
iptables -A webtraffic -s 162.158.0.0/15 -j ACCEPT
iptables -A webtraffic -s 172.64.0.0/13 -j ACCEPT
iptables -A webtraffic -s 141.101.64.0/18 -j ACCEPT
iptables -A webtraffic -s 173.245.48.0/20 -j ACCEPT
iptables -A webtraffic -s 188.114.96.0/20 -j ACCEPT
iptables -A webtraffic -s 127.0.0.1/32 -j ACCEPT    # loopback: local requests to the web server are allowed through as well
iptables -A webtraffic -s 198.41.128.0/17 -j ACCEPT
iptables -A webtraffic -s 103.22.200.0/22 -j ACCEPT
iptables -A webtraffic -s 103.21.244.0/22 -j ACCEPT
iptables -A webtraffic -s 103.31.4.0/22 -j ACCEPT
iptables -A webtraffic -s 190.93.240.0/20 -j ACCEPT
iptables -A webtraffic -s 197.234.240.0/22 -j ACCEPT
iptables -A webtraffic -s 104.16.0.0/12 -j ACCEPT
iptables -A webtraffic -s 131.0.72.0/22 -j ACCEPT
# everything else: log every packet via the kernel log (no rate limit here), then drop it
iptables -A webtraffic -j LOG
iptables -A webtraffic -j DROP
I already had two firewall rules in the iptables INPUT chain that accepted all traffic for ports 80 and 443. I modified these rules to jump to the “webtraffic” chain.
iptables -A INPUT -p tcp -m tcp --dport 443 -j webtraffic
iptables -A INPUT -p tcp -m tcp --dport 80 -j webtraffic
I had originally not included the last DROP line - custom chains return to the calling chain, which I assumed would cause non-Cloudflare traffic to be accepted. The first is correct, the second is not - the non-Cloudflare traffic was inspected by all the remaining iptables rules, none of which related to port 80/443, so the traffic was eventually dropped. I added “iptables -A webtraffic -j ACCEPT” to “webtraffic”, monitored for a few days, then changed the rule to DROP all traffic bypassing Cloudflare. Using DROP rather than REJECT makes it appear that the target website is gone or not responding at all.
Issuing the Linux command “iptables -L -v -n” allows me to display traffic counters, monitor which rules are ‘firing’, and adjust the sequence of the “webtraffic” rules so that the Cloudflare IPs with the highest traffic are at the top.
The first full day after enabling the firewall rules showed 35 unique IPs driving 763 web requests. Since switching from ACCEPT to DROP, the volume of traffic bypassing Cloudflare has dropped dramatically to four unique IPs driving 192 web requests. If it turns out that some of the miscreants do not eventually get the message, I can add specific DROP rules at the top of the “webtraffic” chain to reduce unnecessary iptables processing.
Regards, Norbert
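The following script is an added example and is not Norbert's code or anything published by Cloudflare. It covers the two procedures described above: rebuilding a “webtraffic”-style chain from a CIDR list in the one-per-line format that https://www.cloudflare.com/ips-v4 serves (so the chain can be regenerated when the list changes), and summarising the LOG lines the chain writes, which is where the "unique IPs driving N requests" figures come from. It also adds a check the post does not have: before flipping the final ACCEPT to DROP, each logged source address can be tested against the freshly downloaded list to make sure the chain is not simply missing a newer Cloudflare range. The chain name, the sample CIDR list, the sample log lines, the file name cf-only.sh and the `-m limit` on the LOG rule are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. Regenerates a "webtraffic"-style chain from
# a CIDR list in the ips-v4 format (one CIDR per line), summarises the kernel LOG lines the
# chain produces, and tests whether an address falls inside the list.
# CHAIN, SAMPLE_CIDRS, SAMPLE_LOG and the file name cf-only.sh are assumptions for illustration.

CHAIN=webtraffic

# Constructed sample in the ips-v4 format (the ranges used in the post; the live list may differ).
# For real use: curl -s https://www.cloudflare.com/ips-v4  (the IPv6 list needs ip6tables).
SAMPLE_CIDRS='173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/12
172.64.0.0/13
131.0.72.0/22'

# Constructed sample of what "-j LOG --log-prefix" writes to /var/log/messages (fields trimmed).
SAMPLE_LOG='Jan  5 10:12:33 web kernel: webtraffic bypass: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51234 DPT=443
Jan  5 10:12:34 web kernel: webtraffic bypass: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=51235 DPT=443
Jan  5 10:13:01 web kernel: webtraffic bypass: IN=eth0 OUT= SRC=198.51.100.9 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=80'

# Print the iptables commands that (re)build the chain from the CIDR list on stdin.
# An existing chain is flushed rather than re-created, so the script is safe to re-run.
# "-m limit" is an addition to the post's plain "-j LOG": it stops a scanner filling the log.
gen_rules() {
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    echo "iptables -A $CHAIN -s 127.0.0.1/32 -j ACCEPT"
    while read -r cidr; do
        case "$cidr" in ''|\#*) continue ;; esac
        echo "iptables -A $CHAIN -s $cidr -j ACCEPT"
    done
    echo "iptables -A $CHAIN -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"$CHAIN bypass: \""
    echo "iptables -A $CHAIN -j DROP"
}

# Count LOG lines (stdin) per SRC= address, most active first. This is the
# "N unique IPs driving M requests" view, taken from the log rather than from iptables -L -v -n.
bypass_summary() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); n[$i]++ } }
         END { for (s in n) print n[s], s }' | sort -rn
}

# Exit 0 if the dotted-quad in $1 lies inside any CIDR read from stdin (prefix comparison
# done by integer division, since POSIX awk has no bitwise operators).
in_cidr_list() {
    awk -v ip="$1" '
        function toint(a,    p) { split(a, p, "."); return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4] }
        BEGIN { ipn = toint(ip); found = 1 }
        /^[0-9]/ { split($0, c, "/"); shift = 2 ^ (32 - c[2])
                   if (int(ipn / shift) == int(toint(c[1]) / shift)) { found = 0; exit } }
        END { exit found }'
}

# Usage: sh cf-only.sh           print the commands for review
#        sh cf-only.sh --apply   run them (as root; swap SAMPLE_CIDRS for the downloaded list first)
case "${1:-}" in
    --apply) printf '%s\n' "$SAMPLE_CIDRS" | gen_rules | sh -e ;;
    *)       printf '%s\n' "$SAMPLE_CIDRS" | gen_rules ;;
esac
```

The generated commands only rebuild the chain itself; the two INPUT rules that jump to it for ports 80 and 443 are left as the post describes them. To triage a day's log, `grep 'webtraffic bypass' /var/log/messages | sh -c '. ./cf-only.sh; bypass_summary'` gives the per-address counts, and running the top addresses through `in_cidr_list` with a current ips-v4 list tells you whether any of them should have been accepted rather than logged.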