Adding Cloudflare IPv4 Addresses to CentOS v7 Firewall

So, whenever you build a server, you will inevitably have to configure the firewall to provide secure access to various service providers and other servers.

One of the providers I find myself frequently configuring is CloudFlare (https://www.cloudflare.com). They helpfully publish a list of the IP addresses which their services and servers use at https://www.cloudflare.com/ips/. To help those of us who use CentOS v7 and the new-ish Firewall Daemon (https://www.firewalld.org) (this will also work on other Linux distributions which make use of firewalld), I have put together a list of the commands, pre-populated with the current IPv4 addresses from CloudFlare.

Before you run any of these, or any other commands, you should be sure they will do what you intend and that they will not hand control of the server, app, or anything else over to someone who you do not want to have access. Only once you are satisfied of that should you even consider running commands on your server!

firewall-cmd --new-zone=cloudflare --permanent
firewall-cmd --zone=cloudflare --add-source=103.21.244.0/22 --permanent
firewall-cmd --zone=cloudflare --add-source=103.22.200.0/22 --permanent
firewall-cmd --zone=cloudflare --add-source=103.31.4.0/22 --permanent
firewall-cmd --zone=cloudflare --add-source=104.16.0.0/12 --permanent
firewall-cmd --zone=cloudflare --add-source=108.162.192.0/18 --permanent
firewall-cmd --zone=cloudflare --add-source=131.0.72.0/22 --permanent
firewall-cmd --zone=cloudflare --add-source=141.101.64.0/18 --permanent
firewall-cmd --zone=cloudflare --add-source=162.158.0.0/15 --permanent
firewall-cmd --zone=cloudflare --add-source=172.64.0.0/13 --permanent
firewall-cmd --zone=cloudflare --add-source=173.245.48.0/20 --permanent
firewall-cmd --zone=cloudflare --add-source=188.114.96.0/20 --permanent
firewall-cmd --zone=cloudflare --add-source=190.93.240.0/20 --permanent
firewall-cmd --zone=cloudflare --add-source=197.234.240.0/22 --permanent
firewall-cmd --zone=cloudflare --add-source=198.41.128.0/17 --permanent
firewall-cmd --zone=cloudflare --add-port=80/tcp --permanent
firewall-cmd --zone=cloudflare --add-port=443/tcp --permanent
# --permanent changes are only written to the saved configuration; reload so the running firewall picks them up
firewall-cmd --reload

The above commands create a zone containing the various CloudFlare IPv4 ranges (the list is up to date as of May 1st, 2018; you should check that it is still current before running it!) and open the two ports used for HTTP and HTTPS in that zone, allowing CloudFlare, and only CloudFlare, to communicate with your web server. This helps to ensure the security and safety of your servers, especially if this is the only service they expose to the wider Internet.
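Rather than hand-editing the list each time it changes, the commands can be generated from the published list. The script below is an added example, not part of the original post: it assumes the plain-text IPv4 list Cloudflare serves at https://www.cloudflare.com/ips-v4 and validates every entry before printing a single firewall-cmd line, so a truncated or garbled download never becomes an --add-source for an unintended range.

```shell
#!/bin/sh
# Build the firewall-cmd sequence for a "cloudflare" firewalld zone from a
# newline-separated IPv4 CIDR list (the format of https://www.cloudflare.com/ips-v4,
# an assumed endpoint). Nothing is printed unless the whole list validates.

# is_ipv4_cidr A.B.C.D/N : succeed only for four octets 0-255 and a prefix 0-32
is_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1 }'
}

# gen_zone_commands ZONE < list : print the commands, or print nothing and
# return 1 if any non-blank line is not an IPv4 CIDR
gen_zone_commands() {
    zone=$1
    list=$(cat)
    for cidr in $list; do            # default word splitting drops blank lines
        is_ipv4_cidr "$cidr" || { echo "rejected entry: $cidr" >&2; return 1; }
    done
    printf 'firewall-cmd --permanent --new-zone=%s\n' "$zone"
    for cidr in $list; do
        printf 'firewall-cmd --permanent --zone=%s --add-source=%s\n' "$zone" "$cidr"
    done
    printf 'firewall-cmd --permanent --zone=%s --add-port=80/tcp\n' "$zone"
    printf 'firewall-cmd --permanent --zone=%s --add-port=443/tcp\n' "$zone"
    # --permanent edits are inert until the daemon reloads them
    printf 'firewall-cmd --reload\n'
}

# Constructed sample standing in for the live download (two ranges from the
# article's list plus a blank line). In production you would instead pipe in:
#   curl -fsS https://www.cloudflare.com/ips-v4 | gen_zone_commands cloudflare
SAMPLE_LIST='103.21.244.0/22

198.41.128.0/17'

# Demo run on the constructed sample; review the output before executing it
printf '%s\n' "$SAMPLE_LIST" | gen_zone_commands cloudflare
```

The source restriction only holds if 80/tcp and 443/tcp are not also opened in the default zone, so check `firewall-cmd --list-ports` there before relying on it.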

If you are securing your website server, then you should also consider securing the remote access method for the server, either SSH or Remote Desktop, depending on whether you are using MacOS, Linux, or Windows. Restricting this so that it can only be reached from a limited number of IP (v4 and v6) addresses makes it considerably more difficult for those with ill intentions to gain access to the server.