{"id":1427,"date":"2020-06-07T02:56:44","date_gmt":"2020-06-06T18:56:44","guid":{"rendered":"https:\/\/www.wesbytes.com\/guide\/?post_type=kb&#038;p=1427"},"modified":"2026-01-12T15:02:39","modified_gmt":"2026-01-12T07:02:39","slug":"how-do-i-whitelist-cloudflares-ip-addresses-in-iptables","status":"publish","type":"kb","link":"https:\/\/www.servergigabit.com\/guide\/kb\/how-do-i-whitelist-cloudflares-ip-addresses-in-iptables","title":{"rendered":"Iptables Essential Tutorial: How to Quickly Whitelist Cloudflare IP Addresses"},"content":{"rendered":"<h4><img fetchpriority=\"high\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/beehiiv-images-production.s3.amazonaws.com\/uploads\/asset\/file\/67dcc8a3-8da1-4292-a847-57e5c4e38539\/overview-e1505295930892.png?t=1685088846\" alt=\"whitelist Cloudflare\u2019s IP addresses in iptables\" width=\"640\" height=\"320\" \/><\/h4>\n<h4>How do I whitelist Cloudflare\u2019s IP addresses in iptables?<\/h4>\n<p><a href=\"https:\/\/www.cloudflare.com\/\" rel=\"nofollow noopener\" target=\"_blank\">Cloudflare<\/a>\u2019s IP ranges can be added to iptables using the steps below. 
This should be done to ensure none of Cloudflare\u2019s connections will be dropped, which could otherwise result in timeouts and other\u00a0<strong>connectivity issues<\/strong>.<\/p>\n<p><strong>IPv4:\u00a0<\/strong>For each of the ranges listed here:\u00a0https:\/\/www.cloudflare.com\/ips-v4\u00a0, you\u2019ll need to enter the following command at the terminal, replacing $ip with one of the\u00a0IPs in the list:<br \/>\n<code>iptables -I INPUT -p tcp -m multiport --dports http,https -s \"$ip\" -j ACCEPT<\/code><\/p>\n<p><strong>IPv6:<\/strong>\u00a0For each of the ranges listed here:\u00a0https:\/\/www.cloudflare.com\/ips-v6\u00a0, you\u2019ll need to enter the following command at the terminal, replacing $ip with one of the IPs in the list:<br \/>\n<code>ip6tables -I INPUT -p tcp -m multiport --dports http,https -s \"$ip\" -j ACCEPT<\/code><\/p>\n<p>An alternative to having a long list of iptables rules for each network range is to use a utility called ipset. If you don\u2019t have this installed on your origin server, you can install it using your package manager.<\/p>\n<p><strong><a href=\"https:\/\/www.servergigabit.com\/\">Debian<\/a>:\u00a0<\/strong><code>sudo apt-get install ipset<\/code><\/p>\n<p>Create an ipset set:<br \/>\n<code>ipset create cf hash:net<\/code><\/p>\n<p>Now populate the set with Cloudflare IP ranges:<br \/>\n<code>for x in $(curl https:\/\/www.cloudflare.com\/ips-v4); do ipset add cf \"$x\"; done<\/code><\/p>\n<p><strong>Note:\u00a0<\/strong>The ipset you have created is stored in memory and will be gone after reboot by default. Remember to save it and\/or restore it after reboot.<\/p>\n<p>You can now use the \u2018cf\u2019 set in an iptables rule like so:<br \/>\n<code>iptables -A INPUT -m set --match-set cf src -p tcp -m multiport --dports http,https -j ACCEPT<\/code><\/p>\n<p>Once you run the iptables commands, you will need to save the iptables rules. 
The top two commands are used for IPv4 and the bottom two for IPv6.<\/p>\n<p><strong><a href=\"https:\/\/www.servergigabit.com\/\">Debian\/Ubuntu<\/a>:<\/strong>\u00a0<code>iptables-save &gt; \/etc\/iptables\/rules.v4<\/code><br \/>\n<strong>RHEL\/CentOS:<\/strong>\u00a0<code>iptables-save &gt; \/etc\/sysconfig\/iptables<\/code><br \/>\n<strong>Debian\/Ubuntu:<\/strong>\u00a0<code>ip6tables-save &gt; \/etc\/iptables\/rules.v6<\/code><br \/>\n<strong>RHEL\/CentOS:<\/strong>\u00a0<code>ip6tables-save &gt; \/etc\/sysconfig\/ip6tables<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How do I whitelist Cloudflare\u2019s IP addresses in iptables? Cloudflare\u2019s IP ranges can be added to iptables using the steps below. This should be done to ensure none of Cloudflare\u2019s connections will be dropped, which could otherwise result in timeouts and other\u00a0connectivity issues. IPv4:\u00a0For each of the ranges listed here:\u00a0https:\/\/www.cloudflare.com\/ips-v4\u00a0, you\u2019ll need to enter the following command at 
the&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"kbtopic":[43],"kbtag":[1124,1273,1488,1448],"class_list":["post-1427","kb","type-kb","status-publish","hentry","kbtopic-cloudflare","kbtag-cloudflare","kbtag-ip-address","kbtag-iptables","kbtag-whitelist"],"_links":{"self":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1427","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/comments?post=1427"}],"version-history":[{"count":4,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1427\/revisions"}],"predecessor-version":[{"id":6110,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kb\/1427\/revisions\/6110"}],"wp:attachment":[{"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/media?parent=1427"}],"wp:term":[{"taxonomy":"kbtopic","embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kbtopic?post=1427"},{"taxonomy":"kbtag","embeddable":true,"href":"https:\/\/www.servergigabit.com\/guide\/wp-json\/wp\/v2\/kbtag?post=1427"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}