Question

How can I get the “Direct IP access not allowed” Cloudflare page when someone searches for my DigitalOcean droplet IP?

Posted August 7, 2020 1.3k views
IPv6CDN

When I go to websites that find websites IPs like https://ipinfo.info and paste the IP into the browser I get the “ Error 1003 - Direct IP access not allowed” page. However when I go to my DigitalOcean’s droplet’s IP address I see the actual page’s content (example.com) . How would I set it up so for both the IP in the online IP finders and my DigitalOcean’s droplet’s IP both lead to the “ Error 1003 - Direct IP access not allowed” page? Thanks


2 answers

Hi @johnaraon,

How I would approach this is denying access to your website from any other IP addresses directly in your configuration file on your Droplet. Basically, in your WebService (Apache/Nginx) you can deny access from all IP addresses except CloudFlare’s ranges.

If you let me know which WebService you are running, I can provide with some more pointers on how to do so.

Regards,
KFSys

Hey @KFSys. Thanks. I am running apache on ubuntu 18.04. I used IPtables to deny access from all IP addresses except CloudFlare’s ranges and when I run iptables -L --line-number I get

1 ACCEPT tcp -- 131.0.72.0/22 anywhere multiport dports http,https
2 ACCEPT tcp -- 172.64.0.0/13 anywhere multiport dports http,https
3 ACCEPT tcp -- 104.16.0.0/12 anywhere multiport dports http,https
4 ACCEPT tcp -- 162.158.0.0/15 anywhere multiport dports http,https
5 ACCEPT tcp -- 198.41.128.0/17 anywhere multiport dports http,https
6 ACCEPT tcp -- 197.234.240.0/22 anywhere multiport dports http,https
7 ACCEPT tcp -- 188.114.96.0/20 anywhere multiport dports http,https
8 ACCEPT tcp -- 190.93.240.0/20 anywhere multiport dports http,https
9 ACCEPT tcp -- 108.162.192.0/18 anywhere multiport dports http,https
10 ACCEPT tcp -- 141.101.64.0/18 anywhere multiport dports http,https
11 ACCEPT tcp -- 103.31.4.0/22 anywhere multiport dports http,https
12 ACCEPT tcp -- 103.22.200.0/22 anywhere multiport dports http,https
13 ACCEPT tcp -- 103.21.244.0/22 anywhere multiport dports http,https
14 ACCEPT tcp -- 173.245.48.0/20 anywhere multiport dports http,https
15 ufw-before-logging-input all -- anywhere anywhere
16 ufw-before-input all -- anywhere anywhere
17 ufw-after-input all -- anywhere anywhere
18 ufw-after-logging-input all -- anywhere anywhere
19 ufw-reject-input all -- anywhere anywhere
20 ufw-track-input all -- anywhere anywhere
21 DROP tcp -- anywhere anywhere multiport dports http,https

Why am I still able to access the website from direct Digitalocean droplet IP address?

  • Hi @johnaraon,

    It does seem to me like UFW is actually preventing Iptables from working properly.

    What I’ll recommend is something in the midst of blocking all access to port 80 and 443 like so:

    # `! -s` (negation before the option) is the current iptables syntax; the older `-s !` form is deprecated
    sudo iptables -A INPUT -p tcp --dport 80 ! -s 1.2.3.4 -j DROP


    Then enabling only the IPs you’ve added already to ports 80 and 443

    # -I inserts at the top of INPUT so this ACCEPT is evaluated before the DROP appended above
    sudo iptables -I INPUT -p tcp -s XXX.XXX.XXX.XXX --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT


    Where XXX.XXX.XXX.XXX should be the IP address.

    Please remember to save your IPtables rules prior to changing them in case you need to revert back.

    Regards,
    KFSys
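To see why the rule listing in the comment above still lets direct-IP traffic through, here is an added audit script (not from this thread or from DigitalOcean). It parses an `iptables -L INPUT --line-numbers` listing, lists the chain jumps that sit between the Cloudflare ACCEPT rules and the trailing DROP, and prints equivalent ufw rules; the listing is a constructed sample that abbreviates the thread's output to two ranges, and the ufw command form is an assumption about the admin's setup.

```python
import ipaddress
import re

# Constructed sample: the INPUT chain from the thread, cut down to two ranges.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
num  target                    prot opt source          destination
1    ACCEPT                    tcp  --  131.0.72.0/22   anywhere  multiport dports http,https
2    ACCEPT                    tcp  --  172.64.0.0/13   anywhere  multiport dports http,https
3    ufw-before-logging-input  all  --  anywhere        anywhere
4    ufw-before-input          all  --  anywhere        anywhere
5    ufw-after-input           all  --  anywhere        anywhere
6    ufw-after-logging-input   all  --  anywhere        anywhere
7    ufw-reject-input          all  --  anywhere        anywhere
8    ufw-track-input           all  --  anywhere        anywhere
9    DROP                      tcp  --  anywhere        anywhere  multiport dports http,https
"""

# Targets that are verdicts, not user-defined chains.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}

def parse_listing(text):
    """Return [(num, target, proto, source)] for each numbered rule line."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)", line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rules

def accepted_sources(rules):
    """Source networks explicitly ACCEPTed before the first jump into a ufw chain."""
    nets = []
    for _, target, _, src in rules:
        if target not in BUILTIN_TARGETS:
            break
        if target == "ACCEPT" and src != "anywhere":
            nets.append(ipaddress.ip_network(src))
    return nets

def shadowing_chains(rules):
    """Chains jumped to before the trailing DROP. Packets from a non-Cloudflare
    source traverse these first, so an `ufw allow 80/tcp` living in ufw's own
    chains (reached from ufw-before-input) accepts them before the DROP is seen."""
    drop_idx = max((i for i, r in enumerate(rules) if r[1] == "DROP"), default=None)
    if drop_idx is None:
        return []
    return [r[1] for r in rules[:drop_idx] if r[1] not in BUILTIN_TARGETS]

def ufw_rules(nets):
    """Equivalent allow-list expressed as ufw rules (assumed form), so the
    restriction is enforced where ufw evaluates it instead of behind it."""
    return [f"ufw allow proto tcp from {n} to any port 80,443" for n in nets]

if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    print("chains evaluated before the DROP:", shadowing_chains(rules))
    print("\n".join(ufw_rules(accepted_sources(rules))))
```

With the allow-list moved into ufw, the broad `ufw allow 80/tcp`-style rules must also be removed, or they keep accepting direct-IP requests.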
