
When Fail2ban triggers an IP ban action, I want to block all the ports on my Ubuntu server. Right now I use banaction = iptables-allports and CSF. At the moment it only blocks the SSH port, even though I use iptables-allports in Fail2ban.

I face this issue with sites behind the Cloudflare reverse proxy.

This is an Ubuntu 18.04 Nginx server. I can see visitors' IP addresses in the nginx log files, so I believe the X-Forwarded-For handling in this VPS's nginx configuration is working as expected.

When I manually added an IP address to the CSF temporary ban list via SSH, it again did not block the HTTP and HTTPS ports. This server supports IPv4 and IPv6.

When I search for the blocked IP, it shows the following output.

root@server:~# csf -g 43.250.242.xxx

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination

filter TOR              174     22  1320 REJECT     all  --  *      *       43.250.242.xxx       0.0.0.0/0            reject-with icmp-port-unreachable
filter TOR              2        0     0 REJECT     all  --  *      *       43.250.242.xxx       0.0.0.0/0            reject-with icmp-port-unreachable
filter TOR              6        0     0 REJECT     all  --  *      *       43.250.242.xxx       0.0.0.0/0            reject-with icmp-port-unreachable


IPSET: Set:cc_lk Match:43.250.242.xxx Setting:CC_ALLOW_PORTS Country:LK


ip6tables:

Table  Chain            num   pkts bytes target     prot opt in     out     source               destination
No matches found for 43.250.242.xxx in ip6tables
Chathu

1 Answer


You can't block these connections in iptables, because those IP addresses do not connect to your server. Instead, they connect to CloudFlare, and CloudFlare connects to your server. Because of this, iptables can only see the CloudFlare IP addresses.

Instead, you need to use IP address controls provided by your web server software or by CloudFlare.

Michael Hampton

  • Thank you for your explanation. I have configured CloudFlare firewall to block Fail2Ban banned IPs. – Chathu Aug 28 '19 at 02:00
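The point the answer makes, that the host firewall only ever sees Cloudflare's edge addresses, is easy to check against the nginx access log. The following is an added example written for this page; it is not code from Fail2ban, CSF, nginx or Cloudflare. It assumes an nginx log_format that appends "$http_x_forwarded_for" to the combined format, uses a hand-picked subset of Cloudflare's published IPv4 ranges (in practice load the full current list from cloudflare.com/ips-v4), and the sample log lines are constructed with RFC 5737 documentation addresses. It parses each line, works out the real client address (trusting X-Forwarded-For only when the peer is Cloudflare, and then only the right-most hop, since left-hand entries can be client-supplied), and decides whether a ban belongs in iptables/CSF or in a layer that sees the real client (an nginx deny list with real_ip_header CF-Connecting-IP, or a Cloudflare IP Access Rule). Banning the peer address of a proxied request would block a Cloudflare edge node and everyone behind it, which is the failure mode to avoid.

```python
"""Decide where a Fail2ban-style ban must be applied for sites behind Cloudflare.

Added example for this Q&A page; not code from Fail2ban, CSF, nginx or Cloudflare.
"""
import ipaddress
import re

# Subset of Cloudflare's published IPv4 edge ranges (https://www.cloudflare.com/ips-v4).
# Assumption: a real deployment fetches the full, current list instead of hard-coding it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "141.101.64.0/18", "108.162.192.0/18",
    "162.158.0.0/15", "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13",
    "198.41.128.0/17",
)]

# Assumed nginx log_format: the "combined" format plus "$http_x_forwarded_for" as last field.
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)


def is_cloudflare(ip: str) -> bool:
    """True when the TCP peer (the address iptables/CSF sees) is a Cloudflare edge node."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def parse_line(line: str) -> dict:
    """Split one access-log line into its fields; raises on an unrecognised layout."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return m.groupdict()


def real_client_ip(entry: dict) -> str:
    """Return the address that actually originated the request.

    X-Forwarded-For is honoured only when the peer is Cloudflare, and only its
    right-most hop is used: the proxy appends the peer it spoke to, so any
    entries to the left were supplied by the client and may be forged.
    """
    remote, xff = entry["remote"], entry["xff"]
    if is_cloudflare(remote) and xff not in ("", "-"):
        return xff.split(",")[-1].strip()
    return remote


def ban_plan(entry: dict) -> tuple:
    """Choose the enforcement layer for a ban. Returns (layer, ip).

    The host firewall is only correct for direct peers. For proxied traffic the
    offending address never reaches iptables, and banning the peer would block
    a Cloudflare edge node together with every visitor routed through it.
    """
    client = real_client_ip(entry)
    if is_cloudflare(entry["remote"]):
        return ("cloudflare-or-nginx", client)
    return ("iptables", client)


def nginx_deny_snippet(ips) -> str:
    """Render an nginx include that denies the real clients. Only meaningful when
    nginx is configured with set_real_ip_from for the Cloudflare ranges and
    real_ip_header CF-Connecting-IP, so that $remote_addr is the client, not the edge.
    """
    return "\n".join(f"deny {ip};" for ip in sorted(set(ips)))


def cloudflare_access_rule(ip: str, note: str = "fail2ban") -> dict:
    """Request body for Cloudflare's IP Access Rules API
    (POST /client/v4/zones/{zone_id}/firewall/access_rules/rules, per Cloudflare's docs).
    """
    return {"mode": "block", "configuration": {"target": "ip", "value": ip}, "notes": note}


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '172.70.34.5 - - [28/Aug/2019:01:55:03 +0000] "GET /wp-login.php HTTP/1.1" 401 12 "-" "curl/7.58.0" "203.0.113.7"',
    '172.70.34.5 - - [28/Aug/2019:01:55:04 +0000] "GET /wp-login.php HTTP/1.1" 401 12 "-" "curl/7.58.0" "10.0.0.1, 203.0.113.7"',
    '198.51.100.9 - - [28/Aug/2019:01:55:05 +0000] "GET /xmlrpc.php HTTP/1.1" 403 5 "-" "python-requests/2.22" "-"',
]


def plan_for_log(lines=SAMPLE_LOG) -> list:
    """Ban decision for every line of the log."""
    return [ban_plan(parse_line(line)) for line in lines]


if __name__ == "__main__":
    plans = plan_for_log()
    for layer, ip in plans:
        print(f"{layer:20} {ip}")
    proxied = [ip for layer, ip in plans if layer != "iptables"]
    print(nginx_deny_snippet(proxied))
    print(cloudflare_access_rule(proxied[0]))
```

Run as-is it shows that the two proxied requests resolve to 203.0.113.7 (the spoofed left-hand 10.0.0.1 is ignored) and must be banned at the Cloudflare or nginx layer, while the direct request from 198.51.100.9 is the only one iptables-allports can actually stop.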