Only allow connections from whitelisted IPs?

dns

#1

Is it possible to restrict connections to only a “whitelist” of IPs?
I ask because I want to set up a backup server for family members only and want to restrict access to this resource to only their IPs. (Of course, I already have password access etc. enabled as well.)
Thank you in advance,
Ari


#2

It’s easier to do this with .htaccess if your server runs Apache. Something like this in .htaccess should do it:

# Apache 2.2 access syntax; Apache 2.4 needs mod_access_compat for it
# (comments on their own line: Apache does not strip trailing "#" text)
order deny,allow
deny from all
# my IP address
allow from 96.xxx.xx.xxx
# my client's IP address
allow from 97.xx.xxx.xxx

#3

Blocking the whole internet via Cloudflare Firewall is a lot of work as you may need to add all networks or ASNs by hand. You can block countries by their ISO codes (like US, DE, RU), which would be much easier (since there are, uh… 149?), but only on a paid plan.

I’d rather do this directly on the origin like @sdayman wrote.


#4

You can do this using zone lockdown and/or Cloudflare Access as well:


Certainly possible with .htaccess and possibly easier to manage if you are a super nerd like @sdayman :wink:


#5

Nerds! :nerd_face:


#6

Thank you, Sir! :rofl:


#7

Lockdown and Access cost money. We save our money for special things…like mechanical pencils.


#8

Thank you all,
I can use the .htaccess on the backup machine or use the firewall on the home network’s router. My hope asking CloudFlare is to block unwanted access even before it gets to my home network. Could I use the “IP Firewall” “Access Rules” for this?

If this is feasible, then I believe I would want to arrange those rules to allow the IPs from my family members and then block the whole rest of the internet?
I would plan to use the CIDR from the family members’ residential internet connections, set them to whitelist.
What would I enter for the whole rest of the internet, and would I put that before or after the other rules?
Maybe I would have to get out my mechanical pencil and slide rule for this one!


#9

CF firewall doesn’t work like a usual firewall does:
Allow 1, 2, 3
Deny all other.

You also cannot block networks greater than /16 within a single rule. (try it with 0.0.0.0/0 which would be all traffic and read the error message)

Also: on a free plan you are limited to 500 rules; Enterprise… uh… about 2000 if I remember correctly. You can block ASNs, but I doubt that there are more than 500 ASNs or /16 networks out there :wink:

On a paid plan you can block traffic by country via their country codes. I guess this is why they limited the CIDR size.

I for myself have blocked access from Middle and far East, Russia via CIDR (though I’m pretty sure I didn’t hit them all).

So, you need to change to a paid plan or use the nerd way :wink:

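An added example (not code from the thread, Cloudflare or Apache) that puts the two approaches side by side: an origin-side allowlist check with its Apache 2.4 rendering (the native form of the .htaccess in #2), and a count of how many rules no broader than /16 the "block the rest of the internet" plan from #8 would take under the limits #9 describes. It assumes constructed documentation-range CIDRs for the family networks and the 500-rule free-plan cap quoted in #9.

```python
import ipaddress

# Constructed sample allowlist: IPv4 documentation ranges standing in for the
# family members' residential CIDRs (assumption, not values from the thread).
FAMILY_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
FREE_PLAN_RULE_LIMIT = 500  # rule cap on the free plan, as stated in post #9
MAX_BLOCK_PREFIX = 16       # no single rule may be broader than /16, per post #9

def is_allowed(ip_str, allow_nets):
    """Origin-side check: permit only addresses inside an allowlisted network.
    Assumes the server sees the real client address (behind a proxy it would
    otherwise be testing the proxy's address instead)."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in allow_nets)

def apache_require_ip(allow_nets):
    """Render the allowlist as Apache 2.4 mod_authz_host directives."""
    body = [f"    Require ip {net}" for net in allow_nets]
    return "\n".join(["<RequireAny>", *body, "</RequireAny>"])

def complement_blocks(allow_nets, max_prefix=MAX_BLOCK_PREFIX):
    """All IPv4 space that is NOT allowlisted, as networks no broader than
    /max_prefix: the 'block the rest of the internet' rules post #8 asks about."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in allow_nets:
        nxt = []
        for r in remaining:
            if net.subnet_of(r):
                nxt.extend(r.address_exclude(net))  # carve the allowlisted net out
            elif r.subnet_of(net):
                continue                            # entirely allowlisted: drop it
            else:
                nxt.append(r)
        remaining = nxt
    blocks = []
    for r in remaining:
        if r.prefixlen < max_prefix:
            blocks.extend(r.subnets(new_prefix=max_prefix))  # split into /16 pieces
        else:
            blocks.append(r)
    return blocks

def fits_rule_limit(blocks, limit=FREE_PLAN_RULE_LIMIT):
    return len(blocks) <= limit

if __name__ == "__main__":
    blocks = complement_blocks(FAMILY_NETS)
    print(apache_require_ip(FAMILY_NETS))
    print(f"{len(blocks)} block rules needed; fits free plan: {fits_rule_limit(blocks)}")
```

With two /24 allowlists in different /16s the complement comes to 65550 rules, which is why #9 points back to the origin-side allowlist or a paid plan.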

#10

This topic was automatically closed after 14 days. New replies are no longer allowed.