Docker Container Accessible Only via Cloudflare Cdn (Selected Ip Ranges)

Docker container accessible only via Cloudflare CDN (selected ip ranges)

SOLUTION:

iptables -F DOCKER-USER
iptables -I DOCKER-USER -j RETURN
iptables -I DOCKER-USER -p tcp -m multiport --dports http,https -j DROP
for i in `curl -s https://www.cloudflare.com/ips-v4`;\
        do iptables -I DOCKER-USER -p tcp -i eth0 -m multiport --dports http,https -s $i -j RETURN;\
done
iptables -I DOCKER-USER -o eth0 -d 0.0.0.0/0 -j ACCEPT

Result of iptables -L for DOCKER-USER :

ACCEPT     all  --  anywhere             anywhere
RETURN     tcp  --  <ACCEPTED IPs>       anywhere             multiport dports http,https
DROP       tcp  --  anywhere             anywhere             multiport dports http,https
RETURN     all  --  anywhere             anywhere

Explanation:
First part (ACCEPT) ACCEPTs outgoing traffic from web server (docker container).

Second part (RETURN) describes allowed ip adrresses to connect on port 80 or 443.

Third part (DROP) drop packets of connections on port 80/443, which are NOT listed in RETURN part.

Fourth part (RETURN) is default rule in DOCKER-USER chain. It makes possible to handle connections on other ports by the next rules instead of dropping all connections on non 80/443 port (e.g. port 22 - ssh).

This will also drop any packet of docker container running on port 80/tcp but the port of container is not mapped to host. Creating issue similar to docker, iptables and cloudflare

Docker container accessible only via Cloudflare CDN (selected ip ranges)

SOLUTION:

iptables -F DOCKER-USER
iptables -I DOCKER-USER -j RETURN
iptables -I DOCKER-USER -p tcp -m multiport --dports http,https -j DROP
for i in `curl -s https://www.cloudflare.com/ips-v4`;\
        do iptables -I DOCKER-USER -p tcp -i eth0 -m multiport --dports http,https -s $i -j RETURN;\
done
iptables -I DOCKER-USER -o eth0 -d 0.0.0.0/0 -j ACCEPT

Result of iptables -L for DOCKER-USER :

ACCEPT     all  --  anywhere             anywhere
RETURN     tcp  --  <ACCEPTED IPs>       anywhere             multiport dports http,https
DROP       tcp  --  anywhere             anywhere             multiport dports http,https
RETURN     all  --  anywhere             anywhere

Explanation:
First part (ACCEPT) ACCEPTs outgoing traffic from web server (docker container).

Second part (RETURN) describes allowed ip adrresses to connect on port 80 or 443.

Third part (DROP) drop packets of connections on port 80/443, which are NOT listed in RETURN part.

Fourth part (RETURN) is default rule in DOCKER-USER chain. It makes possible to handle connections on other ports by the next rules instead of dropping all connections on non 80/443 port (e.g. port 22 - ssh).

This will also drop any packet of docker container running on port 80/tcp but the port of container is not mapped to host. Creating issue similar to docker, iptables and cloudflare

How to block countries from server when using cloudflare?

CloudFlare allows you to block certain countries from accessing your website at the CloudFlare level. To do so:

1. Select your domain in your CloudFlare Control Panel
2. Select the "Firewall" tab
3. On the "IP Firewall" tab, you can enter a IP, IP range, or Country and click block.

This will block the country from all your websites on the CloudFlare level, before any attack even hits your server.

If you require to block it with your Nginx solution rather than CloudFlare's firewall for whatever reason, you can look at enabling "IP Geolocation" under the "Network" tab of the Control Panel. This adds the header "HTTP_CF_IPCOUNTRY" to all requests, and will contain the Country Code (I.e US, UK, RU) in the header.

If you need to block any requests based off certain IPs, or perform the IP lookup yourself. Then you should use the default CloudFlare header that is included with every request that holds the client's IP named "CF-Connecting-IP".
For future information, CloudFlare has a good article written here on how they handle their headers.

---

Related Topics