
How to only allow CloudFlare access to port 443 and/or 80

Bob Kfir
Mar 9, 2018 · 2 min read

If you’re like me and use CloudFlare, you might want to make sure that only CloudFlare can reach your web server ports. Doing so makes it substantially harder to DDoS the box directly, even if your origin IP address has been discovered. Sure, you could reject the requests in NGINX or Apache, but the cheapest place to do it on the host is iptables, where the packet is dropped before any user-space process ever sees it (the only cheaper option is dropping the traffic upstream, before it reaches your server at all).


Well, I found a script over at that fetches the list of IP ranges from CloudFlare and uses iptables to allow them. I made a modified version that makes it easier to apply BOTH IPv4 and IPv6 rules. Here’s the script:

#!/bin/bash
# type=4 uses iptables and CloudFlare's IPv4 list; type=6 uses ip6tables and the IPv6 list
type=4
if [ "$(whoami)" != "root" ]; then
    echo "Please run as root"; exit 1
fi
if [ "$type" = "6" ]; then iptables=ip6tables; else iptables=iptables; fi
# CloudFlare publishes its ranges at https://www.cloudflare.com/ips-v4 and /ips-v6
for i in $(curl -s "https://www.cloudflare.com/ips-v$type"); do
    $iptables -I INPUT -p tcp -s "$i" --dport 80 -j ACCEPT
    $iptables -I INPUT -p tcp -s "$i" --dport 443 -j ACCEPT
done

Just copy and paste it into a file, and you should be able to run it with


Then change the line that sets type so it reads type=6, and run it again to load the IPv6 ranges with ip6tables. Once the ACCEPT rules are in, append a default drop for the two ports:

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

and the same two lines with ip6tables, so that every packet not from CloudFlare is dropped. Because the script inserts its ACCEPT rules at the top of INPUT (-I) while these drops are appended at the bottom (-A), the drops only catch what the allow-list did not match. A few things to check before relying on this: plain iptables rules do not survive a reboot, so persist them with iptables-save or your distribution’s equivalent; CloudFlare’s ranges change occasionally, so re-run the script from a cron job; and re-running it without flushing first inserts a duplicate copy of every rule, which is why a dedicated chain (or an ipset) that you flush and refill is the tidier long-term setup.
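Here is the same procedure as one idempotent script, added here as an example rather than the post’s own code. It keeps the allow-list in a dedicated chain (the chain name CLOUDFLARE_WEB is my own choice) that is flushed and refilled on every run, handles both address families, ends the chain with the DROP, and refuses to touch the firewall if the fetched list is empty or fails to download, so a broken fetch cannot lock you out. Lines in the downloaded list that are not a plain CIDR are skipped rather than passed to the shell, since the generated commands are eval’d. The list URLs are CloudFlare’s published endpoints; nothing is applied unless APPLY=1.

```shell
#!/bin/sh
# Added example, not the original post's script: CloudFlare-only access to
# ports 80/443 via a dedicated chain that is rebuilt on every run.
# Assumptions: CLOUDFLARE_WEB is a chain name I chose; the lists live at
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
set -eu

CHAIN=CLOUDFLARE_WEB
nl='
'

# emit_rules FAMILY   (stdin: one prefix per line, as served by CloudFlare)
# Prints the iptables/ip6tables commands instead of running them, so the
# result can be reviewed. Emits nothing (and fails) if no usable prefix was
# read, so an empty or failed download never produces a DROP-only chain.
emit_rules() {
    family=$1
    case "$family" in
        4) tool=iptables ;;
        6) tool=ip6tables ;;
        *) echo "unsupported address family: $family" >&2; return 1 ;;
    esac
    accepts=''; n=0
    while read -r cidr; do
        case "$cidr" in
            ''|'#'*) continue ;;                          # blank line or comment
            *[!0-9a-fA-F:./]*)                            # not a bare CIDR: never eval it
                echo "skipping unexpected line: $cidr" >&2; continue ;;
        esac
        accepts="${accepts}${tool} -A ${CHAIN} -s ${cidr} -j ACCEPT${nl}"
        n=$((n + 1))
    done
    if [ "$n" -eq 0 ]; then
        echo "no usable prefixes for v$family; not emitting a rule set" >&2
        return 1
    fi
    echo "$tool -N $CHAIN 2>/dev/null || true"      # create the chain if missing
    echo "$tool -F $CHAIN"                           # discard the previous ranges
    printf '%s' "$accepts"
    echo "$tool -A $CHAIN -j DROP"                   # everything else on 80/443
    # Send web traffic through the chain; -C checks first so the jump is added once.
    echo "$tool -C INPUT -p tcp -m multiport --dports 80,443 -j $CHAIN 2>/dev/null" \
         "|| $tool -I INPUT -p tcp -m multiport --dports 80,443 -j $CHAIN"
}

# apply_family FAMILY: fetch the live list, then run (APPLY=1) or print the commands.
apply_family() {
    list=$(curl -fsS "https://www.cloudflare.com/ips-v$1") ||
        { echo "fetching ips-v$1 failed; rules left untouched" >&2; return 1; }
    printf '%s\n' "$list" | emit_rules "$1" | while read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; else echo "$cmd"; fi
    done
}

# Stand-alone use:  APPLY=1 ./cf-only.sh run   (omit APPLY=1 for a dry run)
if [ "${1:-}" = "run" ]; then
    apply_family 4
    apply_family 6
fi
```

Run it once by hand as a dry run, check that the printed rules look right, then schedule it with APPLY=1 from cron to track CloudFlare’s list; persisting the result across reboots is still your job (iptables-save or your distribution’s equivalent).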

How effective is this?

Well, nothing blocks DDoS attacks completely, but this gets close enough for what a small server realistically sees. When I DoS my VPS from another VPS, CPU usage barely moves when the packets are dropped by iptables, but when they are rejected by NGINX the load skyrockets. So you should be fine against small-ish attacks, but don’t expect to stay up during a 500 Gbps one. One more thing to note: packets dropped by iptables have still crossed your network link, so if the attack is larger than what your connection can carry, CPU usage will stay low but your site will still be slow, if not completely offline.

Well, I hope this post helped someone; leave a comment with your own DDoS mitigation techniques :)

Bob Kfir’s Tech Blog

A technology blog with an emphasis on cybersecurity and privacy.
