Cloudflare IP Addresses not on /ips/

Hey,

Sorry if this is a dupe thread.

I have a script that automatically adds published Cloudflare IP addresses from Here to a ufw ALLOW rule.
This works well and doesn’t appear to be causing any issues with traffic to my website, but checking the ufw logs, I can see some Cloudflare IP addresses being blocked, as they’re not on the published IP range list. For example, 172.69.142.60 and 108.162.215.244 get blocked by UFW, but don’t appear to be on the published IP address list.

Am I being really thick here? Is there something I’m missing? Should I be allowing these IP address ranges?

Any pointers would be appreciated!

Cheers

These addresses are in the list

Thanks for that, is there something wrong with my script to add the IP addresses?

#!/bin/bash
# Abort on any failed command, unset variable or failed pipeline
set -euo pipefail

# Fetch the published Cloudflare IPv4 and IPv6 ranges (one CIDR per line);
# -f makes curl fail instead of feeding an HTML error page into ufw
ranges="$(curl -sf https://www.cloudflare.com/ips-v4) "
ranges+=$(curl -sf https://www.cloudflare.com/ips-v6)
# Refresh the sudo timestamp once up front
sudo -v

# Unquoted expansion word-splits on newlines, giving one CIDR per iteration
for ip in $ranges; do
  printf "Adding %s to whitelist...\n" "$ip"
  sudo ufw allow proto tcp from "$ip" to any port 443 > /dev/null
done
sudo ufw status numbered

Thanks

You seem to add the addresses as actual addresses when you should use them as ranges instead.

ufw seems to have added them properly though.

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
443/tcp                    ALLOW       173.245.48.0/20
443/tcp                    ALLOW       103.21.244.0/22
443/tcp                    ALLOW       103.22.200.0/22
443/tcp                    ALLOW       103.31.4.0/22
443/tcp                    ALLOW       141.101.64.0/18
443/tcp                    ALLOW       108.162.192.0/18
443/tcp                    ALLOW       190.93.240.0/20
443/tcp                    ALLOW       188.114.96.0/20
443/tcp                    ALLOW       197.234.240.0/22
443/tcp                    ALLOW       198.41.128.0/17
443/tcp                    ALLOW       162.158.0.0/15
443/tcp                    ALLOW       104.16.0.0/12
443/tcp                    ALLOW       172.64.0.0/13
443/tcp                    ALLOW       131.0.72.0/22
443/tcp                    ALLOW       2400:cb00::/32
443/tcp                    ALLOW       2606:4700::/32
443/tcp                    ALLOW       2803:f800::/32
443/tcp                    ALLOW       2405:b500::/32
443/tcp                    ALLOW       2405:8100::/32
443/tcp                    ALLOW       2a06:98c0::/29
443/tcp                    ALLOW       2c0f:f248::/32

And 172.69.142.60, for example, is covered here

You might need to check your network configuration as to why it is blocked, but the addresses are correct and the script seems to work too.

Thanks for that, where do you suggest I start checking?
Is there anything that stands out in the ufw log?

Feb  4 21:27:46 hostname kernel: [ 3433.831104] [UFW BLOCK] IN=eth0 OUT= MAC=Redacted SRC=172.69.142.60 DST=Redacted LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=33096 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
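As an added example (not from the thread), a small Python triage script that parses the [UFW BLOCK] line above, checks SRC against the published ranges shown in the ufw status output, and reads off the TCP flags so the packet type is visible; the second sample line is constructed.

```python
import ipaddress
import re

# Published Cloudflare ranges, copied from the ufw status output in the thread
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/12",
    "172.64.0.0/13", "131.0.72.0/22", "2400:cb00::/32", "2606:4700::/32",
    "2803:f800::/32", "2405:b500::/32", "2405:8100::/32", "2a06:98c0::/29",
    "2c0f:f248::/32")]
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare tokens in the log

SAMPLE_LINES = [
    # The line quoted in the thread: a lone RST (LEN=40 means no payload, WINDOW=0)
    "Feb  4 21:27:46 hostname kernel: [ 3433.831104] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=Redacted SRC=172.69.142.60 DST=Redacted LEN=40 TOS=0x00 PREC=0x00 TTL=55 "
    "ID=0 DF PROTO=TCP SPT=33096 DPT=443 WINDOW=0 RES=0x00 RST URGP=0",
    # Constructed: a SYN from a documentation-range address that is not Cloudflare
    "Feb  4 21:30:01 hostname kernel: [ 3568.000000] [UFW BLOCK] IN=eth0 OUT= "
    "MAC=Redacted SRC=203.0.113.7 DST=Redacted LEN=60 TOS=0x00 PREC=0x00 TTL=50 "
    "ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0",
]

def parse_ufw_block(line):
    """Split a [UFW BLOCK] line into KEY=VALUE fields and the set of TCP flags."""
    if "[UFW BLOCK]" not in line:
        return None
    body = line.split("[UFW BLOCK]", 1)[1]
    fields = dict(re.findall(r"(\w+)=(\S*)", body))
    flags = {tok for tok in body.split() if tok in TCP_FLAGS}
    return fields, flags

def classify(line):
    parsed = parse_ufw_block(line)
    if parsed is None:
        return None
    fields, flags = parsed
    src = ipaddress.ip_address(fields["SRC"])
    in_cf = any(src in net for net in CLOUDFLARE_RANGES)
    # ufw's default before.rules drops and logs packets conntrack marks INVALID
    # (e.g. a lone RST for a flow it no longer tracks) before user allow rules run.
    if not in_cf:
        verdict = "source outside the published Cloudflare ranges"
    elif flags == {"RST"} and fields.get("PROTO") == "TCP":
        verdict = "allowed source; lone RST dropped as INVALID before user rules"
    else:
        verdict = "allowed source; check rule order with 'ufw status numbered'"
    return {"src": str(src), "in_cloudflare": in_cf, "flags": sorted(flags), "verdict": verdict}
```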

Maybe your order is wrong, but server administration is beyond the scope of the forum I am afraid. StackExchange might help here.


What do you mean by order?

Order of IP addresses in your configuration. You essentially need to find out what exactly blocks it, but that’s really off-topic for here as that is a server issue and not Cloudflare related 🙂


Alright, thanks for the help. What actually happens when these IP addresses are blocked? As far as I know, my users don’t get affected by it; does the traffic get rerouted?

Visitors coming via datacentres using that IP address will get an error message. One of the famous 500s.

That’s because the Cloudflare proxies won’t be able to connect.

