While setting up the server for this blog I stumbled across the problem of whitelisting Cloudflare's IP ranges in iptables.
After a quick search I realized that a smart and efficient way to do this is to use ipset.
So I wrote a script that downloads the latest Cloudflare IPv4 ranges and builds an ipset list out of them.
ipset-cloudflare.sh
#!/bin/bash
# Created by antipatico (antipatico.ml)
# Download the latest Cloudflare IPv4 ranges and create an ipset
# named "cloudflare" you can later use in your iptables rules.
set -e
IPSV4=$(mktemp)
# Remove the temp file on exit, even when a step below fails.
trap 'rm -f "$IPSV4"' EXIT
# Abort here, before the existing set is touched, if the download fails.
wget --quiet -O "$IPSV4" https://www.cloudflare.com/ips-v4
# Create the set if it is missing, then empty it: flush works even while
# iptables rules reference the set, whereas destroy fails with "in use".
ipset -exist create cloudflare hash:net
ipset flush cloudflare
while read -r range; do
    ipset add cloudflare "$range"
done < "$IPSV4"
ipset list cloudflare
exit 0
After running it you can use the set in your iptables rules like this:
-A INPUT -p tcp -m tcp --dport 443 -m set --match-set cloudflare src -j ACCEPT
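Two things the script above leaves to the operator: it feeds whatever the download returned straight into ipset, and between flushing and refilling the set there is a short window in which the ACCEPT rule matches nothing. The following script is an added example, not the original post's code, that closes both gaps: every line is checked to be an IPv4 CIDR before it is used, the ranges are loaded into a scratch set via "ipset restore", and "ipset swap" exchanges the scratch set with the live one in a single step, so rules referencing "cloudflare" always see either the old or the new list. The set names "cloudflare_new", the CF_IPV4_URL override and the "apply" argument are assumptions of this example; the sample ranges in demo_count are constructed from documentation prefixes. Refreshing the live set needs root, wget and ipset; the validation and restore-file generation run anywhere.

```shell
#!/bin/sh
# Added example (not the original script): validate downloaded ranges, then
# refresh the "cloudflare" ipset atomically with restore + swap.
set -eu

# Return 0 if $1 is an IPv4 CIDR (a.b.c.d/n, octets 0-255, n 0-32), else 1.
is_ipv4_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; plen=${1#*/}
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    # Only digits and dots allowed, so the unquoted split below cannot glob.
    case $addr in ''|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Read ranges from file $1 and print an "ipset restore" script that creates
# and fills the scratch set named $2; malformed lines are reported and skipped.
build_restore() {
    src=$1; setname=$2
    echo "create $setname hash:net"
    while IFS= read -r range || [ -n "$range" ]; do
        [ -z "$range" ] && continue
        if is_ipv4_cidr "$range"; then
            echo "add $setname $range"
        else
            echo "skipping malformed line: $range" >&2
        fi
    done < "$src"
}

# Constructed sample standing in for a download (documentation prefixes):
# two valid ranges, one junk line, one blank line, one out-of-range octet.
# Prints the number of "add" lines the generated restore script contains.
demo_count() {
    f=$(mktemp)
    printf '%s\n' '192.0.2.0/24' 'not-an-address' '' '198.51.100.0/24' '300.0.113.0/24' > "$f"
    build_restore "$f" cloudflare_new 2>/dev/null | grep -c '^add '
    rm -f "$f"
}

# Refresh the live set (root, wget and ipset required).
apply_set() {
    url=${CF_IPV4_URL:-https://www.cloudflare.com/ips-v4}
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT
    # Stop before touching any set if the download fails or is empty, so a
    # network hiccup cannot leave the firewall without the whitelist.
    wget --quiet -O "$tmp" "$url"
    [ -s "$tmp" ] || { echo "empty download from $url" >&2; exit 1; }
    ipset -exist create cloudflare hash:net      # no-op if the live set exists
    ipset destroy cloudflare_new 2>/dev/null || true
    build_restore "$tmp" cloudflare_new | ipset restore
    ipset swap cloudflare_new cloudflare         # atomic: old list or new list, never none
    ipset destroy cloudflare_new
    ipset -terse list cloudflare
}

case ${1:-} in
    apply) apply_set ;;
    *) echo "valid ranges in constructed sample: $(demo_count)" ;;
esac
```

Run it with no arguments to see the validator at work on the constructed sample (it reports 2 valid ranges); run it as root with "apply" to refresh the live set, for example from a daily cron job. Because the swap replaces the set contents without destroying it, the refresh also works while the iptables rule above is already loaded.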