Search Our Database

Automatically update Cloudflare IP ranges using Cron and IPtables without overwriting Custom Rules

Last updated on |
under
Firewall, Linux, Networking & Security
|
by

Introduction

Maintaining a secure server environment often includes restricting inbound traffic to trusted IP addresses. One common security practice is to allow traffic only from Cloudflare IP ranges to protect web servers behind Cloudflare’s CDN and security services. While Cloudflare’s IP ranges do not change frequently, missing an update when they do change could leave the server exposed or cause legitimate traffic to be blocked.

To address this, system administrators can automate the process of checking for Cloudflare IP range updates and dynamically appending new entries to the IPtables firewall configuration. However, this automation should also ensure that existing custom IP rules, such as manually added server IPs, are preserved and not overwritten.

This guide is essential for system administrators, DevOps engineers, and security teams managing servers protected by Cloudflare, especially those looking to automate IP whitelist updates without the risk of removing other necessary IP rules. It is applicable to Linux-based servers that utilize IPtables for firewall management.

The article will explain how to create a script that:

  • Checks for updates to Cloudflare’s official IP range list.
  • Adds any newly listed IP addresses to IPtables.
  • Ensures existing IP rules, including custom manual entries, are retained.

By automating this process, organizations can improve security posture while reducing manual workload and minimizing the risk of downtime due to missing IP whitelisting updates.

Common challenges addressed by this guide include:

  • Preventing accidental removal of manually added IP addresses.
  • Handling cases where Cloudflare updates IP ranges infrequently.
  • Ensuring idempotency so the script does not add duplicate rules upon each run.

 

Prerequisites

  • A Linux server (Ubuntu 20.04+, CentOS 7+, or similar).
  • IPtables installed and actively managing firewall rules.
  • curl and grep packages installed.
  • Basic knowledge of shell scripting and cron jobs.
  • Access to root or a user with sudo privileges.

 

Step-by-step Guide

Step 1: Create the Cloudflare IP Update Script

Create a shell script that fetches Cloudflare’s IP ranges and compares them against existing IPtables rules before appending new entries.

nano /usr/local/bin/update-cloudflare-iptables.sh

Add the following script:

#!/bin/bash

CF_IPV4_URL="https://www.cloudflare.com/ips-v4"
CF_IPV6_URL="https://www.cloudflare.com/ips-v6"

EXISTING_RULES=$(iptables -S)

for IP in $(curl -s $CF_IPV4_URL; curl -s $CF_IPV6_URL); do
    if ! echo "$EXISTING_RULES" | grep -q "$IP"; then
        iptables -I INPUT -p tcp -s $IP --dport 80 -j ACCEPT
        iptables -I INPUT -p tcp -s $IP --dport 443 -j ACCEPT
        echo "Added IP: $IP"
    else
        echo "IP already exists: $IP"
    fi
done

Make the script executable:

chmod +x /usr/local/bin/update-cloudflare-iptables.sh

 

The script above only appends missing Cloudflare IPs without flushing existing rules, ensuring manually added IPs (e.g., internal server IPs) are retained.

🖊️ Tip: Avoid using iptables -F or iptables -X inside this script, as those commands flush existing rules.

 

 

Step 2: Set Up a Cron Job to Automate the Script

Open the crontab for editing:

crontab -e

Add the following line to run the script daily for example at 2 AM:

0 2 * * * /usr/local/bin/update-cloudflare-iptables.sh >> /var/log/cloudflare-iptables-update.log 2>&1

 

Step 3: Verify IPtables Rules After Execution

Run the script manually to ensure it functions as expected:

/usr/local/bin/update-cloudflare-iptables.sh

Then check the IPtables rules:

iptables -S | grep -E '80|443'

 

 

Step 4: Make IPtables Changes Persistent

On Ubuntu with iptables-persistent:

apt install iptables-persistent
netfilter-persistent save

On CentOS/RHEL systems:

service iptables save
🖊️ Tip: Always back up your existing IPtables rules before running new scripts or automation.

 

 

Additional Reference

For further context on securing your server by only allowing Cloudflare IPs using IPtables, refer to the following guide:

Securing Server by Only Allow Cloudflare IPs using Iptables

 

Conclusion

This guide outlines how to automate the process of updating Cloudflare’s IP ranges in IPtables while ensuring that existing manual rules remain intact. By running this check via a cron job, administrators can maintain an updated and secure IP whitelist with minimal manual intervention.

For further reading, consider exploring related guides on firewall best practices or integrating Cloudflare with your web server stack.

Should you have any inquiries about the guidelines, please feel free to open a ticket through your portal account or contact us at support@ipserverone.com. We’ll be happy to assist you further.

Related Article

Related Posts