Question

Why do my IPTables changes not deny access from all IP addresses except CloudFlare’s ranges?

Posted August 8, 2020
Tags: Ubuntu, Firewall, DigitalOcean Cloud Firewalls, CDN

Hi. I am running apache on ubuntu 18.04. I used IPtables to deny access from all IP addresses except CloudFlare’s ranges and when I run iptables -L --line-number I get

1 ACCEPT tcp -- 131.0.72.0/22 anywhere multiport dports http,https
2 ACCEPT tcp -- 172.64.0.0/13 anywhere multiport dports http,https
3 ACCEPT tcp -- 104.16.0.0/12 anywhere multiport dports http,https
4 ACCEPT tcp -- 162.158.0.0/15 anywhere multiport dports http,https
5 ACCEPT tcp -- 198.41.128.0/17 anywhere multiport dports http,https
6 ACCEPT tcp -- 197.234.240.0/22 anywhere multiport dports http,https
7 ACCEPT tcp -- 188.114.96.0/20 anywhere multiport dports http,https
8 ACCEPT tcp -- 190.93.240.0/20 anywhere multiport dports http,https
9 ACCEPT tcp -- 108.162.192.0/18 anywhere multiport dports http,https
10 ACCEPT tcp -- 141.101.64.0/18 anywhere multiport dports http,https
11 ACCEPT tcp -- 103.31.4.0/22 anywhere multiport dports http,https
12 ACCEPT tcp -- 103.22.200.0/22 anywhere multiport dports http,https
13 ACCEPT tcp -- 103.21.244.0/22 anywhere multiport dports http,https
14 ACCEPT tcp -- 173.245.48.0/20 anywhere multiport dports http,https
15 ufw-before-logging-input all -- anywhere anywhere
16 ufw-before-input all -- anywhere anywhere
17 ufw-after-input all -- anywhere anywhere
18 ufw-after-logging-input all -- anywhere anywhere
19 ufw-reject-input all -- anywhere anywhere
20 ufw-track-input all -- anywhere anywhere
21 DROP tcp -- anywhere anywhere multiport dports http,https

The exact command I ran was:

sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 173.245.48.0/20 -j ACCEPT
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 103.21.244.0/22 -j ACCEPT
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 103.22.200.0/22 -j ACCEPT
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 103.31.4.0/22 -j ACCEPT
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 141.101.64.0/18 -j ACCEPT
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 108.162.192.0/18 -j ACCEPT
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 190.93.240.0/20 -j ACCEPT
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 188.114.96.0/20 -j ACCEPT
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 197.234.240.0/22 -j ACCEPT
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 198.41.128.0/17 -j ACCEPT
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 162.158.0.0/15 -j ACCEPT
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 104.16.0.0/12 -j ACCEPT
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 172.64.0.0/13 -j ACCEPT
sudo iptables -I INPUT -p tcp -m multiport --dports http,https -s 131.0.72.0/22 -j ACCEPT

sudo iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP

Why am I still able to access the website from the direct DigitalOcean droplet IP address? Thanks
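Added example, not part of the question above: a small Python model of netfilter's first-match walk over the INPUT chain in exactly the order the listing shows (14 ACCEPTs, six jumps into ufw chains, then the DROP as rule 21). It assumes, hypothetically, that an earlier `ufw allow` for 80/443 lives in ufw-user-input (which ufw-before-input jumps to), that the other ufw chains are empty, and that the INPUT policy is DROP; the `drop_before_ufw` switch shows what changes when the DROP is placed ahead of the ufw jumps.

```python
import ipaddress

# Cloudflare ranges exactly as listed in rules 1-14 of the question.
CLOUDFLARE = ["131.0.72.0/22", "172.64.0.0/13", "104.16.0.0/12", "162.158.0.0/15",
              "198.41.128.0/17", "197.234.240.0/22", "188.114.96.0/20",
              "190.93.240.0/20", "108.162.192.0/18", "141.101.64.0/18",
              "103.31.4.0/22", "103.22.200.0/22", "103.21.244.0/22", "173.245.48.0/20"]
WEB = {80, 443}          # multiport --dports http,https
UFW_JUMPS = ["ufw-before-logging-input", "ufw-before-input", "ufw-after-input",
             "ufw-after-logging-input", "ufw-reject-input", "ufw-track-input"]

def rule(target, src=None, dports=None):
    """One rule: src is a CIDR (None = anywhere), dports a set (None = any port)."""
    return {"target": target, "src": ipaddress.ip_network(src) if src else None,
            "dports": dports}

def matches(r, src, dport):
    return ((r["src"] is None or ipaddress.ip_address(src) in r["src"])
            and (r["dports"] is None or dport in r["dports"]))

def walk(chains, chain, src, dport, policy=None):
    """Netfilter first-match semantics. A jump into a user chain returns to the
    caller when that chain ends without a verdict; returns (verdict, chain)."""
    for r in chains[chain]:
        if not matches(r, src, dport):
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"], chain
        result = walk(chains, r["target"], src, dport)   # jump to a user chain
        if result is not None:
            return result
    return (policy, chain) if policy else None

def build_chains(ufw_allows_web, drop_before_ufw=False):
    """INPUT in the question's order. ufw_allows_web is an assumption: it models
    an 'ufw allow' for 80/443 sitting in ufw-user-input (reached via ufw-before-input)."""
    inp = [rule("ACCEPT", net, WEB) for net in CLOUDFLARE]
    if drop_before_ufw:                      # hardened ordering: DROP ahead of ufw
        inp.append(rule("DROP", None, WEB))
    inp += [rule(c) for c in UFW_JUMPS]
    if not drop_before_ufw:
        inp.append(rule("DROP", None, WEB))  # rule 21 as the question has it
    chains = {c: [] for c in UFW_JUMPS}      # constructed: other ufw chains empty
    chains["INPUT"] = inp
    chains["ufw-before-input"] = [rule("ufw-user-input")]
    chains["ufw-user-input"] = [rule("ACCEPT", None, WEB)] if ufw_allows_web else []
    return chains

def verdict(src, dport, ufw_allows_web, drop_before_ufw=False):
    # Walk INPUT for one TCP packet; INPUT policy assumed DROP (ufw's default).
    return walk(build_chains(ufw_allows_web, drop_before_ufw), "INPUT", src, dport, "DROP")
```

A packet from a non-Cloudflare source to port 80 passes all 14 ACCEPT rules without matching and is then handed to the ufw chains before rule 21 is ever consulted, so whatever those chains accept never reaches the DROP.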
