
There seem to be many different ways to set up whitelist rules within iptables.

What is the wisest way to whitelist the CloudFlare IP address ranges below via SSH?

204.93.240.0/24 (204.93.240.0 - 204.93.240.255)
204.93.177.0/24 (204.93.177.0 - 204.93.177.255)
199.27.128.0/21 (199.27.128.0 - 199.27.135.255)
173.245.48.0/20 (173.245.48.0 - 173.245.63.255)
103.22.200.0/22 (103.22.200.0 - 103.22.203.255)
141.101.64.0/18 (141.101.64.0 - 141.101.127.255)
108.162.192.0/18 (108.162.192.0 - 108.162.255.255)
190.93.240.0/20 (190.93.240.0 - 190.93.255.255)
188.114.96.0/20 (188.114.96.0 - 188.114.255.255)

According to their FAQ it should be done as follows:

iptables -I INPUT -p tcp -m multiport --dports http,https -s CLOUDFLARE_IP_RANGE -j ACCEPT

However, this generates the following error:

Bad argument 'http,https'

It also does not provide for OUTPUT rules, or rules to be flushed first.

Jesse Nickles
The following thread may be helpful: [link](http://serverfault.com/questions/30026/whitelist-allowed-ips-in-out-using-iptables) – Jesse Nickles Nov 09 '12 at 13:48

1 Answer


I have never seen anyone try to use service names in that argument. Try using the equivalent numeric port numbers instead:

--dports 80,443
Michael Hampton
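A complete ruleset along the lines the question asks for, as an added example (not code from the question or the answer): it uses the numeric ports the answer recommends, keeps SSH reachable, adds OUTPUT rules, and is emitted in iptables-restore format so that loading it replaces the old rules instead of needing a separate flush. The SSH port argument and the outbound DNS/HTTP allowances are assumptions; the ranges are the nine listed in the question.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset that whitelists the
# CloudFlare ranges from the question on ports 80/443 (numeric, because
# multiport rejects 'http,https'), keeps SSH open and adds OUTPUT rules.
# It only prints; review the output, then: sh build-rules.sh | iptables-restore
# Loading replaces the whole filter table, so no separate flush is needed.

# The nine ranges as listed in the question; refresh them from CloudFlare's
# published list before use, since the ranges change over time.
CF_RANGES="204.93.240.0/24 204.93.177.0/24 199.27.128.0/21 173.245.48.0/20
103.22.200.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20"

# One ACCEPT rule per range, all on the same multiport match.
cf_accept_rules() {
    for r in $CF_RANGES; do
        printf '%s -s %s -j ACCEPT\n' \
            '-A INPUT -p tcp -m multiport --dports 80,443' "$r"
    done
}

# Full ruleset; $1 is the SSH port (assumed to be 22 when not given).
# OUTPUT is default-deny with replies, DNS and outbound web allowed
# (assumed needs for package updates); extend for anything else the host does.
build_ruleset() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 53,80,443 -j ACCEPT
EOF
    cf_accept_rules
    echo "COMMIT"
}

# Number of whitelist rules emitted: one per range in CF_RANGES.
cf_rule_count() {
    cf_accept_rules | wc -l | tr -d ' '
}

build_ruleset "$@"
```

Anything not matched by an ACCEPT line (including port 80/443 traffic that does not come from CloudFlare) falls through to the INPUT DROP policy, which is the point of whitelisting the proxy ranges.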