jake/cloudflare-ufw-updater
1
Fork 0
mirror of https://github.com/jakejarvis/cloudflare-ufw-updater.git synced 2025-06-27 15:05:43 -04:00
Code Releases Activity

initial commit :)

Browse Source
This commit is contained in:
Jake Jarvis
2019-12-06 11:47:07 -05:00
commit 94a8f0e89a
3 changed files with 95 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
LICENSE.md Normal file
View File

@ -0,0 +1,21 @@
MIT License
Copyright (c) 2019-present Jake Jarvis <jake@jarv.is>
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

48
README.md Normal file
View File

@ -0,0 +1,48 @@
# Cloudflare + UFW Rule Updater 🔥 🧱
<p align="center"><img src="https://upload.wikimedia.org/wikipedia/en/a/a2/Cloudflare_logo.svg" width="400"/></p>
<h6 align="center">Inspired by <a href="https://github.com/Paul-Reed/cloudflare-ufw">Paul-Reed/cloudflare-ufw</a> and <a href="https://www.leowkahman.com/2016/05/02/automate-raspberry-pi-ufw-allow-cloudflare-inbound/">Leow Kah Man</a>.</h6>
A simple bash script that downloads a list of IP address ranges (both v4 and v6) [belonging to Cloudflare](https://www.cloudflare.com/ips/) and adds them as rules to UFW (Ubuntu's [Uncomplicated Firewall](https://wiki.ubuntu.com/UncomplicatedFirewall)).
In other words, the easiest way to protect your origin server from direct attacks circumventing Cloudflare's protection.
## Usage
### Run once:
Check your current rules first (`sudo ufw status numbered`); if you're already allowing traffic to ports 80 and 443 from **anywhere**, delete those rules with `sudo ufw rule delete X` (replace X with the matching rule number).
**Make sure you're allowing SSH traffic for yourself before enabling UFW!** Run `sudo ufw allow ssh` to be "safe" — you can restrict SSH to your own IPs later if you'd like to _actually_ be safe. 😉
Download (and skim through it — don't trust strangers on the internet with `sudo` permissions!) and run this script once as root (`sudo bash ./cf-ufw.sh`).
Once you've checked that it worked (`sudo ufw status numbered` once again), you can run `sudo ufw enable` to lock everything down.
<p align="center"><img width="600" alt="Screen Shot 2019-12-06 at 11 41 55 AM copy" src="https://user-images.githubusercontent.com/1703673/70339900-b0f22980-181d-11ea-8c32-67ac0c7640e1.png"></p>
### Run as a daily cron job:
Cloudflare might add new IPs to their lists at any time. Therefore, it's important to keep your UFW rules up-to-date by running this script automatically at a set interval via a [cron job](https://en.wikipedia.org/wiki/Cron).
1. `sudo crontab -e`
2. Add this line to the end and save:
```
@daily /location/of/cf-ufw.sh &> /dev/null
```
If you'd like an interval other than daily, [crontab.guru](https://crontab.guru/) is a nifty tool to generate the syntax to replace `@daily`.
## Customization
`cf-ufw.sh` can easily be modified and adjusted to your liking. By default, it only restricts ports `80` and `443` via TCP — likely the reason you're using Cloudflare in the first place. Those can be changed to any other port number (or literally every port). You can also remove either one of the first two lines if your server isn't using IPv6 or IPv4.
In any case, I'd recommend skimming Ubuntu's [full UFW documentation](https://help.ubuntu.com/community/UFW) before enabling, as it's easy to lock yourself out of your own server if you're not careful!
## License
This project is distributed under the [MIT license](LICENSE.md).

26
cf-ufw.sh Normal file
View File

@ -0,0 +1,26 @@
#!/bin/sh
#
# UFW rule updater to only allow HTTP and HTTPS traffic from Cloudflare IP addresses.
# Readme: https://github.com/jakejarvis/cloudflare-ufw-updater/blob/master/README.md
#
# Inspired by https://github.com/Paul-Reed/cloudflare-ufw/blob/master/cloudflare-ufw.sh
#
# To run as a daily cron job:
# 1. sudo crontab -e
# 2. Add this line to the end:
# @daily /this/file/location/cf-ufw.sh &> /dev/null
#
# Fetch latest IP range lists (both v4 and v6) from Cloudflare
curl -s https://www.cloudflare.com/ips-v4 -o /tmp/cf_ips
curl -s https://www.cloudflare.com/ips-v6 >> /tmp/cf_ips
# Restrict traffic to ports 80 (TCP) & 443 (TCP)
# UFW will skip a subnet if a rule already exists (which it probably does)
for ip in $(cat /tmp/cf_ips); do ufw allow from "$ip" to any port 80,443 proto tcp comment 'Cloudflare'; done
# Delete downloaded lists from above
rm /tmp/cf_ips
# Need to reload UFW before new rules take effect
ufw reload