
Thread: Whitelisting IP with UFW

  1. #1
    Join Date
    Aug 2006
    Beans
    112

    Whitelisting IP with UFW

    I need to whitelist Cloudflare's IP addresses. According to the instructions at http://support.cloudflare.com/kb/tro...es-in-iptables

    You should insert the rules for tcp on top of the INPUT chain (for an already running firewall), and should have it accept before it gets to any other rules:
    Code:
    /sbin/iptables -I INPUT -j ACCEPT -p tcp --dport 80 -s 204.93.240.0/24
    /sbin/iptables -I INPUT -j ACCEPT -p tcp --dport 80 -s 204.93.177.0/24
    /sbin/iptables -I INPUT -j ACCEPT -p tcp --dport 80 -s 199.27.128.0/21
    /sbin/iptables -I INPUT -j ACCEPT -p tcp --dport 80 -s 173.245.48.0/20
    /sbin/iptables -I INPUT -j ACCEPT -p tcp --dport 80 -s 103.22.200.0/22
    /sbin/iptables -I INPUT -j ACCEPT -p tcp --dport 80 -s 141.101.64.0/18
    /sbin/iptables -I INPUT -j ACCEPT -p tcp --dport 80 -s 190.93.240.0/20
    # IPv6 prefixes have to go through ip6tables; iptables only accepts IPv4 sources
    /sbin/ip6tables -I INPUT -j ACCEPT -p tcp --dport 80 -s 2606:4700::/32
    /sbin/ip6tables -I INPUT -j ACCEPT -p tcp --dport 80 -s 2803:f800::/32
    /sbin/ip6tables -I INPUT -j ACCEPT -p tcp --dport 80 -s 2400:cb00::/32
    Note: This applies to iptables only and does not consider any other firewalls you are using.
    Do I need to alter /etc/ufw/before.rules? I looked at it, but I can't say I understand where or how to add these rules to it.

  2. #2
    Join Date
    Aug 2006
    Beans
    112

    Re: Whitelisting IP with UFW

    I did this
    Code:
    sudo ufw default deny
    # Whitelist Cloudflare's IPs
    sudo ufw allow from 204.93.240.0/24
    sudo ufw allow from 204.93.177.0/24
    sudo ufw allow from 199.27.128.0/21
    sudo ufw allow from 173.245.48.0/20
    sudo ufw allow from 103.22.200.0/22
    sudo ufw allow from 141.101.64.0/18
    sudo ufw allow from 108.162.192.0/18
    sudo ufw allow from 190.93.240.0/20
    sudo ufw allow from 2400:CB00:/32
    sudo ufw allow from 2606:4700:/32
    sudo ufw allow from 2803:f800:/32
    sudo ufw allow http
    sudo ufw allow https
    sudo ufw allow ssh
    sudo ufw allow 3306
    But it didn't like these commands
    Code:
    sudo ufw allow from 2400:CB00:/32
    sudo ufw allow from 2606:4700:/32
    sudo ufw allow from 2803:f800:/32
    What exactly is this range?

  3. #3
    Join Date
    Nov 2009
    Location
    Mataro, Spain
    Beans
    13,139
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Whitelisting IP with UFW

    That is a range in IPv6 format, the new format going into service.

    I am not sure if ufw accepts ipv6 by default. Look for any settings in /etc/default/ufw and /etc/ufw/sysctl.conf.
    Darko.
    -----------------------------------------------------------------------
    Ubuntu 14.04 LTS 64bit & Windows 10 Pro 64bit
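An added example, not code posted in this thread: the three IPv6 rules in post #2 fail on address syntax, not on ufw's IPv6 support. `2400:CB00:/32` is missing the `::` that stands for the zero groups; the prefixes in post #1 (`2400:cb00::/32`, `2606:4700::/32`, `2803:f800::/32`) are the well-formed ones. The script below uses Python's standard `ipaddress` module to reject malformed prefixes before they reach ufw, emits rules that admit only ports 80 and 443 from each range (the posted `ufw allow from NET` admits every port, including 22 and 3306), flags posted rules that carry no `from` clause and therefore open the port to any source, and reads the `IPV6=` setting Darko mentions from the text of /etc/default/ufw. The prefix and rule lists are copied from post #2; nothing here talks to ufw itself.

```python
import ipaddress
import re

# Prefixes exactly as typed in post #2 (copied from the thread); the last
# three are the ones ufw rejected.
POSTED_PREFIXES = [
    "204.93.240.0/24", "204.93.177.0/24", "199.27.128.0/21",
    "173.245.48.0/20", "103.22.200.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "190.93.240.0/20",
    "2400:CB00:/32", "2606:4700:/32", "2803:f800:/32",
]

# The full rule list from post #2 without the leading "sudo" (constructed copy).
POSTED_RULES = [f"ufw allow from {p}" for p in POSTED_PREFIXES] + [
    "ufw allow http", "ufw allow https", "ufw allow ssh", "ufw allow 3306",
]


def classify(prefixes):
    """Split prefixes into parsed networks and (text, reason) rejects.

    strict=True additionally rejects a prefix whose host bits are set, which
    iptables would silently mask; better to notice that before the rule goes in.
    """
    valid, invalid = [], []
    for text in prefixes:
        try:
            valid.append(ipaddress.ip_network(text, strict=True))
        except ValueError as exc:
            invalid.append((text, str(exc)))
    return valid, invalid


def ufw_rules(networks, ports=(80, 443)):
    """One ufw rule per network that admits only the web ports over TCP.

    with_prefixlen normalises the address, so 2400:CB00::/32 comes out as
    2400:cb00::/32.  ufw accepts a comma-separated port list once proto is given.
    """
    portlist = ",".join(str(p) for p in ports)
    return [f"ufw allow proto tcp from {net.with_prefixlen} to any port {portlist}"
            for net in networks]


def world_open(rules):
    """Return allow rules with no 'from' clause, i.e. rules that match any source.

    ufw evaluates rules in order; a later `ufw allow http` still matches traffic
    from outside the whitelisted ranges, so the per-range rules add nothing for
    that port.
    """
    return [r for r in rules if r.startswith("ufw allow") and " from " not in r]


_KV = re.compile(r"^\s*([A-Z0-9_]+)=(\S+)")


def ipv6_enabled(default_ufw_text):
    """Parse IPV6= from the contents of /etc/default/ufw.

    ufw only installs ip6tables rules when this is 'yes'.  The text is passed
    in by the caller so the check also works on a copied file.
    """
    setting = "no"
    for line in default_ufw_text.splitlines():
        m = _KV.match(line)
        if m and m.group(1) == "IPV6":
            setting = m.group(2).strip('"\'').lower()
    return setting == "yes"


if __name__ == "__main__":
    ok, bad = classify(POSTED_PREFIXES)
    for text, why in bad:
        print(f"rejected {text!r}: {why}")
    for rule in ufw_rules(ok):
        print(rule)
    for rule in world_open(POSTED_RULES):
        print(f"open to any source: {rule}")
    try:
        with open("/etc/default/ufw") as fh:
            print("IPv6 rules enabled:", ipv6_enabled(fh.read()))
    except OSError:
        print("/etc/default/ufw not readable here")
```

After applying rules, `sudo ufw status numbered` shows the order ufw will evaluate them in; any rule listed there without a source restriction is what `world_open` would have flagged.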

  4. #4
    Join Date
    Aug 2006
    Beans
    112

    Re: Whitelisting IP with UFW

    Thanks for the reply. Now that I have supposedly whitelisted Cloudflare, an SSH connection takes forever to initiate: the password prompt used to be immediate; now, with the ufw rules above, it takes about 45 seconds before the SSH password prompt appears.

  5. #5
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,702
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: Whitelisting IP with UFW

    Check the logs to see what packets your firewall is dropping. This may give you a clue as to why there is a delay.
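The kind of check post #5 suggests, as an added example rather than anything posted in the thread: a small parser for the `[UFW BLOCK]` lines ufw writes (via the kernel log) to /var/log/ufw.log or `journalctl -k`, which tallies dropped packets per protocol and destination port, separates inbound from outbound drops, and lists the sources generating them. The sample log lines are constructed for this example using documentation address ranges and are not the poster's traffic; the field layout (`IN= OUT= SRC= DST= PROTO= SPT= DPT=`) is the one ufw actually logs.

```python
import re
from collections import Counter

# Constructed sample in the format ufw logs through the kernel; the last
# line is an unrelated sshd entry to show that non-ufw lines are skipped.
SAMPLE_LOG = """\
Jun  3 10:15:02 web kernel: [ 1201.551042] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:16:3e:65:43:21:08:00 SRC=203.0.113.7 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=41234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  3 10:15:03 web kernel: [ 1202.101337] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:16:3e:65:43:21:08:00 SRC=203.0.113.7 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=41235 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  3 10:15:09 web kernel: [ 1208.777001] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:16:3e:65:43:21:08:00 SRC=203.0.113.9 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9981 DF PROTO=TCP SPT=40022 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Jun  3 10:15:20 web kernel: [ 1219.004210] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:16:3e:65:43:21:08:00 SRC=192.0.2.33 DST=198.51.100.4 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=2231 DF PROTO=TCP SPT=33890 DPT=113 WINDOW=14600 RES=0x00 SYN URGP=0
Jun  3 10:15:21 web kernel: [ 1220.118800] [UFW BLOCK] IN= OUT=eth0 SRC=198.51.100.4 DST=198.51.100.53 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=41912 DPT=53 LEN=48
Jun  3 10:15:22 web sshd[2231]: Connection from 203.0.113.7 port 51240 on 198.51.100.4 port 22
"""

# "[UFW BLOCK]", "[UFW ALLOW]", "[UFW AUDIT INVALID]" ... followed by key=value fields
_UFW = re.compile(r"\[UFW (?P<action>[A-Z ]+)\] (?P<fields>.*)$")


def parse_ufw_line(line):
    """Return a dict of the logged fields, or None for a line ufw did not write.

    Bare tokens such as DF, SYN or ACK carry no '=' and are collected as FLAGS.
    """
    m = _UFW.search(line)
    if not m:
        return None
    rec = {"ACTION": m.group("action").strip(), "FLAGS": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            rec["FLAGS"].append(tok)
    return rec


def _records(lines, action, inbound):
    for line in lines:
        rec = parse_ufw_line(line)
        if rec is None or rec["ACTION"] != action:
            continue
        # Inbound packets have IN set and OUT empty; outbound the reverse.
        if bool(rec.get("IN")) == inbound:
            yield rec


def blocked_by_port(lines, inbound=True, action="BLOCK"):
    """Count dropped packets per (protocol, destination port)."""
    return Counter((r.get("PROTO"), r.get("DPT")) for r in _records(lines, action, inbound))


def top_sources(lines, n=5, action="BLOCK"):
    """Most frequent source addresses among dropped inbound packets."""
    return Counter(r.get("SRC") for r in _records(lines, action, True)).most_common(n)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("inbound drops by (proto, dport):")
    for (proto, dport), count in blocked_by_port(lines).most_common():
        print(f"  {proto}/{dport}: {count}")
    print("outbound drops by (proto, dport):")
    for (proto, dport), count in blocked_by_port(lines, inbound=False).most_common():
        print(f"  {proto}/{dport}: {count}")
    print("top sources:", top_sources(lines))
```

If /var/log/ufw.log is empty, `sudo ufw logging on` enables the BLOCK entries. Reading the real file is a matter of passing `open("/var/log/ufw.log")` to `blocked_by_port`; the summary tells you which port and direction the drops are on, which is the information to have before changing the rules again.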
