Firewall rules - Allow certain IPs, block all others

Hello, Cloudflare Community,

I’m reaching out to you as I’m unable to find a solution on the web for my issue. We run an API and have recently decided to give Cloudflare CDN a try so that we can lower latencies for users around the globe.

The API is being operated via RapidAPI (an API marketplace), so there are specific IPs that must be allowed on our primary server in order for routing to work. Before utilizing Cloudflare, I simply added these IPs to an Apache htaccess file and that worked perfectly.

However, after switching to Cloudflare, of course, we needed to discontinue that solution and set up a firewall rule to allow certain IPs through the Cloudflare WAF. So, we set up the firewall rule via Security/WAF/Firewall rules for these IPs, writing an expression that says to allow these IPS, or else, block access.

Here is the expression:

(not ip.src in {107.23.255.128/27}) or (ip.src ne 35.162.152.183) or (ip.src ne 52.38.28.241) or (ip.src ne 52.35.67.149) or (ip.src ne 54.149.215.237) or (ip.src ne 13.127.146.34) or (ip.src ne 13.127.207.241) or (ip.src ne 13.232.235.243) or (ip.src ne 13.233.81.143) or (ip.src ne 13.112.233.15) or (ip.src ne 54.250.57.56) or (ip.src ne 18.182.156.77) or (ip.src ne 52.194.200.157) or (ip.src ne 3.120.160.95) or (ip.src ne 18.184.214.33) or (ip.src ne 18.197.117.10) or (ip.src ne 3.121.144.151) or (ip.src ne 13.239.156.114) or (ip.src ne 13.238.1.253) or (ip.src ne 13.54.58.4) or (ip.src ne 54.153.234.158) or (ip.src ne 18.228.167.221) or (ip.src ne 18.228.209.157) or (ip.src ne 18.228.209.53) or (ip.src ne 18.228.69.72) or (ip.src ne 13.228.169.5) or (ip.src ne 3.0.35.31) or (ip.src ne 3.1.111.112) or (ip.src ne 52.220.50.179) or (ip.src ne 34.250.225.89) or (ip.src ne 52.30.208.221) or (ip.src ne 63.34.177.151) or (ip.src ne 63.35.2.11)

But when this is deployed, the endpoint requests via RapidAPI are blocked (error 1020).

Is there anyone that can help with this?

Thank you.

Additional details:

  • LAMP stack
  • Dedicated Apache server located in Atlanta, GA
  • Ubuntu 20.04

Replace your ors with ands.

Thank you for your help, Sandro, I will try that solution right away.

No worries, you can also simply add all these addresses to your not in.

Thanks so much, I’ve just deployed the rule and am testing it as we speak.

Unfortunately, now we’re getting a 403 error.

Here’s the expression modified after your suggestion of replacing the ‘ors’ with ‘ands’, is this correct?

(not ip.src in {107.23.255.128/27}) and (ip.src ne 35.162.152.183) and (ip.src ne 52.38.28.241) and (ip.src ne 52.35.67.149) and (ip.src ne 54.149.215.237) and (ip.src ne 13.127.146.34) and (ip.src ne 13.127.207.241) and (ip.src ne 13.232.235.243) and (ip.src ne 13.233.81.143) and (ip.src ne 13.112.233.15) and (ip.src ne 54.250.57.56) and (ip.src ne 18.182.156.77) and (ip.src ne 52.194.200.157) and (ip.src ne 3.120.160.95) and (ip.src ne 18.184.214.33) and (ip.src ne 18.197.117.10) and (ip.src ne 3.121.144.151) and (ip.src ne 13.239.156.114) and (ip.src ne 13.238.1.253) and (ip.src ne 13.54.58.4) and (ip.src ne 54.153.234.158) and (ip.src ne 18.228.167.221) and (ip.src ne 18.228.209.157) and (ip.src ne 18.228.209.53) and (ip.src ne 18.228.69.72) and (ip.src ne 13.228.169.5) and (ip.src ne 3.0.35.31) and (ip.src ne 3.1.111.112) and (ip.src ne 52.220.50.179) and (ip.src ne 34.250.225.89) and (ip.src ne 52.30.208.221) and (ip.src ne 63.34.177.151) and (ip.src ne 63.35.2.11)

Thanks

I would add these addresses all to the not in. But that 403 will be probably from your server. Can you post a screenshot?

Hi Sandro,

Yes, that is a server error, so I’m thinking that perhaps I should discontinue the entire htaccess code blocks wherein it is stated:

order deny,allow
deny from all

allow from xxx.xx.xxx.xxx

etc.

I can still post a screenshot if you’d like, but I can confirm that is indeed a server error, so, do you think that the redundancy of having an htaccess file coupled with the Cloudlfare WAF rule is causing the issue? If so, we use CI/CD, so I can remedy that fairly quickly.

If your server is only accessible via the Cloudflare proxies, then you do no need the Apache rules.

Also, make sure you are rewriting IP addresses

https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs

1 Like

That’s what I was thinking, but I figured it would not hurt - OK, let me try that and see. I appreciate you, Sandro.

Also in regard to including the IPs in the ‘not in’, do you mean with ranges, as only the first batch appears to be eligible for CIDR, as the other IPs are not ranges?

Sandro,

That worked beautifully after removing the unnecessary htaccess blocks.

Since we lost our DevOps guy a few months ago, I’ve had to take over that role - in addition to being the lead developer, so it’s been quite a ride. There’s just as much - if not more - to DevOps as there is to software programming, so your help saved me a great deal of time.

I’m also looking into your additional suggestion regarding rewriting IP addresses.

Thanks so much for your time, I really do appreciate it, Sandro.

I’ll mark this as solved.

1 Like

Pleasure, glad it worked fine.

As for your question, is in works with CIDRs and individual addresses.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.