Here’s a clean, idempotent, copy-paste-safe script that:
• fetches current Cloudflare IPv4 + IPv6 ranges
• removes any existing Cloudflare-related UFW rules
• re-adds only Cloudflare-scoped 80/443 rules
• does not touch SSH or your custom ports
• can be safely re-run anytime
0) /usr/local/sbin/ufw-cloudflare-sync.sh
#!/usr/bin/env bash
set -euo pipefail

CF_IPV4_URL="https://www.cloudflare.com/ips-v4"
CF_IPV6_URL="https://www.cloudflare.com/ips-v6"

echo "Fetching Cloudflare IP ranges..."
CF_IPV4=$(curl -fsSL "$CF_IPV4_URL")
CF_IPV6=$(curl -fsSL "$CF_IPV6_URL")

echo "Removing existing Cloudflare HTTP/HTTPS rules..."
# Select only the 80/443 rules carrying the 'Cloudflare' comment, so SSH and
# custom rules are left alone, and take their rule numbers in reverse order
# so the remaining numbers stay valid while deleting. '|| true' keeps the
# script going on a first run, when grep finds nothing to remove.
CF_RULES=$(ufw status numbered \
  | grep -E '80/tcp|443/tcp' \
  | grep 'Cloudflare' \
  | awk -F'[][]' '{print $2}' \
  | sort -rn || true)
for num in $CF_RULES; do
  # --force skips the interactive "Proceed with operation" prompt
  ufw --force delete "$num"
done

# Word-splitting on the unquoted variables is intentional: one CIDR per line.
echo "Adding Cloudflare IPv4 rules..."
for ip in $CF_IPV4; do
  ufw allow from "$ip" to any port 80 proto tcp comment 'Cloudflare HTTP'
  ufw allow from "$ip" to any port 443 proto tcp comment 'Cloudflare HTTPS'
done

# IPv6 rules require IPV6=yes in /etc/default/ufw.
echo "Adding Cloudflare IPv6 rules..."
for ip in $CF_IPV6; do
  ufw allow from "$ip" to any port 80 proto tcp comment 'Cloudflare HTTP'
  ufw allow from "$ip" to any port 443 proto tcp comment 'Cloudflare HTTPS'
done

ufw reload
echo "Done. Cloudflare-only HTTP/HTTPS rules updated."
1) Install & use
sudo nano /usr/local/sbin/ufw-cloudflare-sync.sh
sudo chmod +x /usr/local/sbin/ufw-cloudflare-sync.sh
sudo /usr/local/sbin/ufw-cloudflare-sync.sh
2) Schedule a monthly re-run (Cloudflare changes its IP ranges rarely, but re-running is safe):
sudo crontab -e
3) Add:
0 4 1 * * /usr/local/sbin/ufw-cloudflare-sync.sh >/dev/null 2>&1
4) Final sanity check
sudo ufw status verbose
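Reading `ufw status verbose` by eye does not scale to dozens of Cloudflare ranges, so here is an added audit helper (not part of the original post) that diffs the 80/443 ALLOW rules against a saved copy of the ips-v4/ips-v6 lists and flags stale ranges, missing ranges and any 80/443 source that is not tagged Cloudflare. The function name `audit_cf_rules` and the file layout are my own; the sample input uses documentation ranges as stand-ins, not the real Cloudflare list.

```bash
#!/usr/bin/env bash
set -euo pipefail
# Audit UFW against the Cloudflare list: $1 = file with 'ufw status verbose'
# output, $2 = file with the expected Cloudflare CIDRs, one per line. Prints
# one line per finding and returns 1 if there is any:
#   STALE <cidr>    tagged Cloudflare on 80/443 but no longer in the list
#   MISSING <cidr>  in the list but not allowed on 80/443
#   FOREIGN <src>   allowed on 80/443 without a 'Cloudflare' comment
audit_cf_rules() {
  local status_file="$1" expected_file="$2" tmp findings
  tmp=$(mktemp -d)
  # One "<source> <cf|other>" line per 80/443 ALLOW IN rule; the source is the
  # field after "IN", which also copes with the "(v6)" marker on IPv6 rules.
  awk '$1 ~ /^(80|443)\/tcp$/ && /ALLOW IN/ { for (i = 1; i < NF; i++) if ($i == "IN") src = $(i + 1)
         print src, ($0 ~ /Cloudflare/ ? "cf" : "other") }' "$status_file" > "$tmp/rules"
  awk '$2 == "cf"    {print $1}' "$tmp/rules" | sort -u > "$tmp/cf"
  awk '$2 == "other" {print $1}' "$tmp/rules" | sort -u > "$tmp/other"
  awk 'NF' "$expected_file" | sort -u > "$tmp/expected"
  findings=$(
    comm -23 "$tmp/cf" "$tmp/expected" | sed 's/^/STALE /'
    comm -13 "$tmp/cf" "$tmp/expected" | sed 's/^/MISSING /'
    sed 's/^/FOREIGN /' "$tmp/other"
  )
  rm -rf "$tmp"
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  echo "OK: 80/443 are allowed only from the current Cloudflare ranges"
}
# Constructed sample (RFC 5737/3849 documentation ranges stand in for Cloudflare
# ranges): one stale range, one range missing from UFW, one 443 rule open to Anywhere.
demo_audit() {
  local dir; dir=$(mktemp -d)
  cat > "$dir/status" <<'EOF'
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    192.0.2.0/24               # Cloudflare HTTP
443/tcp                    ALLOW IN    192.0.2.0/24               # Cloudflare HTTPS
80/tcp                     ALLOW IN    198.51.100.0/24            # Cloudflare HTTP
443/tcp                    ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    2001:db8::/32              # Cloudflare HTTP
EOF
  printf '%s\n' 192.0.2.0/24 203.0.113.0/24 2001:db8::/32 > "$dir/expected"
  audit_cf_rules "$dir/status" "$dir/expected" || true
  rm -rf "$dir"
}
demo_audit
```

On a live host, feed it `sudo ufw status verbose > status.txt` and the concatenated `ips-v4` and `ips-v6` downloads; a non-zero exit makes it usable as a cron or monitoring check.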