Why does my IPTables changes not deny access from all IP addresses except CloudFlare’s ranges?

jeradakase · August 8, 2020, 6:47am

I am running apache on ubuntu 18.04. I used IPtables to deny access from all IP addressed except CloudFlare’s ranges and when I run iptables -L –line-number I get

1 ACCEPT tcp – 131.0.72.0/22 anywhere multiport dports http,https
2 ACCEPT tcp – 172.64.0.0/13 anywhere multiport dports http,https
3 ACCEPT tcp – 104.16.0.0/12 anywhere multiport dports http,https
4 ACCEPT tcp – 162.158.0.0/15 anywhere multiport dports http,https
5 ACCEPT tcp – 198.41.128.0/17 anywhere multiport dports http,https
6 ACCEPT tcp – 197.234.240.0/22 anywhere multiport dports http,https
7 ACCEPT tcp – 188.114.96.0/20 anywhere multiport dports http,https
8 ACCEPT tcp – 190.93.240.0/20 anywhere multiport dports http,https
9 ACCEPT tcp – 108.162.192.0/18 anywhere multiport dports http,https
10 ACCEPT tcp – 141.101.64.0/18 anywhere multiport dports http,https
11 ACCEPT tcp – 103.31.4.0/22 anywhere multiport dports http,https
12 ACCEPT tcp – 103.22.200.0/22 anywhere multiport dports http,https
13 ACCEPT tcp – 103.21.244.0/22 anywhere multiport dports http,https
14 ACCEPT tcp – 173.245.48.0/20 anywhere multiport dports http,https
15 ufw-before-logging-input all – anywhere anywhere
16 ufw-before-input all – anywhere anywhere
17 ufw-after-input all – anywhere anywhere
18 ufw-after-logging-input all – anywhere anywhere
19 ufw-reject-input all – anywhere anywhere
20 ufw-track-input all – anywhere anywhere
21 DROP tcp – anywhere anywhere multiport dports http,https

The exact command I ran was:

sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 173.245.48.0/20 -j ACCEPT 
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 103.21.244.0/22 -j ACCEPT 
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 103.22.200.0/22 -j ACCEPT 
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 103.31.4.0/22 -j ACCEPT 
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 141.101.64.0/18 -j ACCEPT 
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 108.162.192.0/18 -j ACCEPT 
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 190.93.240.0/20 -j ACCEPT 
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 188.114.96.0/20 -j ACCEPT 
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 197.234.240.0/22 -j ACCEPT 
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 198.41.128.0/17 -j ACCEPT 
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 162.158.0.0/15 -j ACCEPT 
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 104.16.0.0/12 -j ACCEPT 
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 172.64.0.0/13 -j ACCEPT 
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 131.0.72.0/22 -j ACCEPT 


sudo iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP

Why am I still able to access the website from direct Digitalocean droplet IP address? Thanks

jeradakase · August 7, 2020, 11:51pm

@sdayman I already did this and when I run iptables -L --line-number I get

1    ACCEPT     tcp  --  131.0.72.0/22        anywhere             multiport dports http,https
2    ACCEPT     tcp  --  172.64.0.0/13        anywhere             multiport dports http,https
3    ACCEPT     tcp  --  104.16.0.0/12        anywhere             multiport dports http,https
4    ACCEPT     tcp  --  162.158.0.0/15       anywhere             multiport dports http,https
5    ACCEPT     tcp  --  198.41.128.0/17      anywhere             multiport dports http,https
6    ACCEPT     tcp  --  197.234.240.0/22     anywhere             multiport dports http,https
7    ACCEPT     tcp  --  188.114.96.0/20      anywhere             multiport dports http,https
8    ACCEPT     tcp  --  190.93.240.0/20      anywhere             multiport dports http,https
9    ACCEPT     tcp  --  108.162.192.0/18     anywhere             multiport dports http,https
10   ACCEPT     tcp  --  141.101.64.0/18      anywhere             multiport dports http,https
11   ACCEPT     tcp  --  103.31.4.0/22        anywhere             multiport dports http,https
12   ACCEPT     tcp  --  103.22.200.0/22      anywhere             multiport dports http,https
13   ACCEPT     tcp  --  103.21.244.0/22      anywhere             multiport dports http,https
14   ACCEPT     tcp  --  173.245.48.0/20      anywhere             multiport dports http,https
15   ufw-before-logging-input  all  --  anywhere             anywhere
16   ufw-before-input  all  --  anywhere             anywhere
17   ufw-after-input  all  --  anywhere             anywhere
18   ufw-after-logging-input  all  --  anywhere             anywhere
19   ufw-reject-input  all  --  anywhere             anywhere
20   ufw-track-input  all  --  anywhere             anywhere
21   DROP       tcp  --  anywhere             anywhere             multiport dports http,https

Why am I still able to access the website from direct ip?

sandro · August 8, 2020, 8:03am

I am afraid that is a server administration related question and somewhat off topic for the forum here. Please try over at StackExchange.

Topic		Replies	Views
Cloudflare and Iptables Not working General	2	4201	January 5, 2021
About IP Ranges cloudflare Security	4	1977	February 20, 2022
I've blocked IP's, but some ot them still getting to my site Access	8	4007	October 14, 2020
Iptables to allow only cloudflare Security	3	5211	November 9, 2019
Cloudflare used to (D)DoS my non-HTTP game server Security	4	2934	May 28, 2020

Why does my IPTables changes not deny access from all IP addresses except CloudFlare’s ranges?

Related topics