Rietta: Web Apps Where Security Matters
You are reading The Rietta Blog, a publication about the web since 2005.

Using IPTABLES to Require CloudFlare for All HTTP/HTTPS Traffic


For some of our clients, Rietta uses CloudFlare.com for its web application firewall and content distribution network (CDN) services. CloudFlare is enabled for a domain by pointing the domain's DNS at CloudFlare, which then acts as a reverse proxy between the public web and the web server running the protected application.

Once this is set up, all general web traffic is expected to arrive from CloudFlare's network, the proxy, rather than from end users directly. CloudFlare helps protect the website by filtering out threat traffic before it reaches the origin. It is a good piece of a defense-in-depth strategy.

However, the service is of little benefit if potentially malicious traffic can bypass the filtering simply by addressing the origin web server directly, for example by scanning for the server's IP address. The easiest way to stop this is to configure the iptables firewall to explicitly allow HTTP (port 80) and HTTPS (port 443) traffic from CloudFlare's published network ranges and drop it from everywhere else. Two cautions apply: the allow list must be kept in sync with CloudFlare's current ranges (https://www.cloudflare.com/ips-v4), because a stale list combined with the final DROP rules will cut legitimate visitors off, and the same treatment is needed in ip6tables if the origin has a public IPv6 address.

/etc/firewall_setup.sh
  ###################################################
  # CloudFlare Web Application Firewall / CDN Access
  ###################################################
  # These ranges are CloudFlare's IPv4 networks at the time of writing.
  # Keep them in sync with https://www.cloudflare.com/ips-v4; the DROP
  # rules at the end of this section block any range missing from here.

  #
  # CloudFlare Network has Access to HTTP (port 80)
  #
  iptables -A INPUT -s 204.93.240.0/24 -p tcp --dport http -j ACCEPT
  iptables -A INPUT -s 204.93.177.0/24 -p tcp --dport http -j ACCEPT
  iptables -A INPUT -s 199.27.128.0/21 -p tcp --dport http -j ACCEPT
  iptables -A INPUT -s 173.245.48.0/20 -p tcp --dport http -j ACCEPT
  iptables -A INPUT -s 103.22.200.0/22 -p tcp --dport http -j ACCEPT
  iptables -A INPUT -s 141.101.64.0/18 -p tcp --dport http -j ACCEPT
  iptables -A INPUT -s 108.162.192.0/18 -p tcp --dport http -j ACCEPT
  iptables -A INPUT -s 190.93.240.0/20 -p tcp --dport http -j ACCEPT

  #
  # CloudFlare Network has Access to Encrypted HTTPS (port 443)
  #
  iptables -A INPUT -s 204.93.240.0/24 -p tcp --dport https -j ACCEPT
  iptables -A INPUT -s 204.93.177.0/24 -p tcp --dport https -j ACCEPT
  iptables -A INPUT -s 199.27.128.0/21 -p tcp --dport https -j ACCEPT
  iptables -A INPUT -s 173.245.48.0/20 -p tcp --dport https -j ACCEPT
  iptables -A INPUT -s 103.22.200.0/22 -p tcp --dport https -j ACCEPT
  iptables -A INPUT -s 141.101.64.0/18 -p tcp --dport https -j ACCEPT
  iptables -A INPUT -s 108.162.192.0/18 -p tcp --dport https -j ACCEPT
  iptables -A INPUT -s 190.93.240.0/20 -p tcp --dport https -j ACCEPT

  ######################################################
  # General Access to the Web Server from the World
  ######################################################
  # If we wanted to allow HTTP/HTTPS from anywhere, add this
  #iptables -A INPUT -p tcp --dport http -j ACCEPT
  #iptables -A INPUT -p tcp --dport https -j ACCEPT

  # Drop all HTTP and HTTPS traffic not already permitted above.
  # Order matters: -A appends, so these must come after the ACCEPT rules.
  iptables -A INPUT -p tcp --dport http -j DROP
  iptables -A INPUT -p tcp --dport https -j DROP
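The hand-maintained list above goes stale as CloudFlare adds ranges. The following script is an added example, not part of the original post or of CloudFlare's tooling: it builds the same allow-then-drop policy from a CIDR list in a dedicated chain, validates each entry before trusting it, and prints the iptables commands rather than running them so the rule set can be reviewed first. The chain name, the sample ranges embedded for offline use, and the multiport/chain layout are this example's own choices.

```shell
# Added example (not from the original post): generate iptables rules that
# allow HTTP/HTTPS only from a list of CIDR ranges, in a dedicated chain.
# In production feed gen_rules the output of
#   curl -fsS https://www.cloudflare.com/ips-v4
# (and the ips-v6 list into ip6tables) and re-run it on a schedule, so the
# final DROP never cuts off a range CloudFlare added after this list.

CHAIN=CLOUDFLARE_WEB   # chain name is an assumption of this example

# Constructed sample of the kind of list ips-v4 returns (one CIDR per line),
# with a comment, a blank line and a malformed entry to show the validation.
SAMPLE_RANGES='173.245.48.0/20
103.22.200.0/22
# a comment line and a blank line are ignored

bogus-entry
190.93.240.0/20'

# True only for a dotted-quad address with a /0-/32 prefix length.
# Anything else (hostnames, stray HTML from a failed download) is rejected
# rather than being handed to iptables.
is_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the iptables commands for the policy; $1 is the CIDR list text.
# Invalid entries are reported on stderr and skipped.
gen_rules() {
    list="$1"
    # create the chain, or flush it if it already exists, so reruns are idempotent
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    printf '%s\n' "$list" | while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        if is_cidr "$line"; then
            echo "iptables -A $CHAIN -s $line -p tcp -m multiport --dports 80,443 -j ACCEPT"
        else
            echo "# skipped invalid entry: $line" >&2
        fi
    done
    # everything that did not match an allowed range is dropped
    echo "iptables -A $CHAIN -j DROP"
    # send web traffic through the chain; -C avoids duplicating the jump on reruns
    echo "iptables -C INPUT -p tcp -m multiport --dports 80,443 -j $CHAIN 2>/dev/null || iptables -I INPUT -p tcp -m multiport --dports 80,443 -j $CHAIN"
}

# Number of ACCEPT rules the list produces; a quick sanity check before applying.
count_accept() {
    gen_rules "$1" 2>/dev/null | grep -c -- '-j ACCEPT' || true
}

# Usage (as root, after reviewing the output):
#   gen_rules "$(curl -fsS https://www.cloudflare.com/ips-v4)" | sh
```

Because the jump into the chain is inserted at the top of INPUT, every new port 80/443 packet is decided there: a source inside one of the ranges is accepted, everything else hits the chain's DROP. Refreshing the list is then a matter of re-running the generator; the `-N ... || -F` and `-C ... || -I` guards keep repeated runs from stacking duplicate rules.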

Pre-Migration Comments

Niklas Bivald

You can also do a modified version of CloudFlare's Railgun script:

for i in `curl https://www.cloudflare.com/ips-v4`; do iptables -I INPUT -p tcp -s $i --dport http -j ACCEPT; done
for i in `curl https://www.cloudflare.com/ips-v4`; do iptables -I INPUT -p tcp -s $i --dport https -j ACCEPT; done

About Frank Rietta


Frank Rietta specializes in working with startups and new Internet businesses, and in developing on the Ruby on Rails platform to build scalable businesses. He is a computer scientist with a Masters in Information Security from the College of Computing at the Georgia Institute of Technology. He teaches about security topics and is a contributor to the security chapter of the 7th edition of the "Fundamentals of Database Systems" textbook published by Addison-Wesley.
