Iptables to allow only Cloudflare


I have set up my domain (montglane.com) in Cloudflare, nameservers are working and all the initial setup seems fine. Now I want to limit access to my API only to requests served through Cloudflare, so this is what I did:

  • Added an A record for api pointing to my server
  • Set SSL to Off in Cloudflare
  • Opened port 6000 in my router and routed it to this server
  • Tested that I can reach my dummy app with curl -X GET -i <my-external-ip>:6000
  • Enabled development mode and purged all cache
  • Added iptables rules to limit access only to Cloudflare IPs; the rules look like this:
    iptables -I INPUT -p tcp -m tcp -m state --state NEW,ESTABLISHED -s -j ACCEPT
    ip6tables -I INPUT -p tcp -m tcp -m state --state NEW,ESTABLISHED -s 2400:cb00::/32 -j ACCEPT
    and so on with all the other IPs. The last iptables rule is to drop all packets, of course.

But now if I try the same curl pointing to api.montglane.com:6000 it times out, as if the request came from another IP. I took the list of IPs from here: https://www.cloudflare.com/ips/

Am I missing anything obvious?

Cloudflare doesn’t route traffic over Port 6000.

You are, of course, right. Thanks for the link. Changed to port 80 and it worked directly.
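The two points raised in this thread (the allow-list must be built from Cloudflare's published ranges, and the port must be one Cloudflare actually proxies) can be folded into one rule generator. This is an added example, not code from the thread: it reads a file of CIDRs (the ips-v4 and ips-v6 lists from https://www.cloudflare.com/ips/ concatenated), refuses ports Cloudflare does not proxy, and prints the rules instead of applying them so they can be reviewed first. Unlike the rules in the question, it scopes both the ACCEPTs and the final DROP to the API port, so SSH and other services are not cut off; the proxied-port list is taken from Cloudflare's documentation as of this writing and is an assumption to re-check against their docs.

```shell
#!/bin/sh
# Added example: generate iptables/ip6tables rules that accept TCP on one
# Cloudflare-proxied port only from the supplied Cloudflare CIDRs, then drop
# everything else on that port. Prints commands; pipe to `sh` as root to apply.

# Ports Cloudflare proxies (per Cloudflare's docs at time of writing; assumption).
CF_PROXIED_PORTS="80 443 2052 2053 2082 2083 2086 2087 2095 2096 8080 8443 8880"

# port_is_proxied PORT -> returns 0 if Cloudflare proxies PORT, 1 otherwise.
port_is_proxied() {
    for p in $CF_PROXIED_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# cf_rules PORT CIDR_FILE -> prints one ACCEPT per CIDR, then a DROP for v4 and v6.
# CIDR_FILE holds one range per line; blank lines and '#' comments are skipped.
cf_rules() {
    port=$1
    file=$2
    port_is_proxied "$port" || {
        echo "error: Cloudflare does not proxy port $port (the cause of the timeout above)" >&2
        return 1
    }
    while IFS= read -r cidr; do
        case "$cidr" in
            ''|'#'*) continue ;;        # skip blanks and comments
            *:*)     tool=ip6tables ;;  # a colon means an IPv6 range
            *)       tool=iptables ;;
        esac
        echo "$tool -A INPUT -p tcp --dport $port -s $cidr -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
    done < "$file"
    # Scoped DROP: only the API port is closed to non-Cloudflare sources.
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    echo "ip6tables -A INPUT -p tcp --dport $port -j DROP"
}
```

Re-run the generator whenever Cloudflare updates its published ranges, since a stale allow-list silently blocks legitimate edge nodes.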

