This guide will help you use UFW (uncomplicated firewall) to block all traffic to your server other than traffic coming via Cloudflare, or for essential operations such as FTP and SSH.
Why would you want to do this?
Cloudflare will protect your site from all manner of attacks. However, your server itself may still be vulnerable: anything that reaches the server's own IP address bypasses Cloudflare entirely. By closing the web ports to everyone but Cloudflare, you will hopefully protect yourself further. Cloudflare offers Argo as a solution to this, which effectively does the same thing: it blocks all traffic except Cloudflare's. Argo costs at least $5 a month per domain. UFW is free, but on its own it does nothing against DDoS attacks. You'll want to make sure that the DNS zones for the websites hosted on the server we're about to lock down are proxied through Cloudflare, i.e. have the orange cloud rather than the grey one.
How can I set up UFW?
First, you’ll need to be running Debian or Ubuntu. I recommend (and use) DigitalOcean. For $100 free credit over 60 days, sign up using this link (I get $25 when you have spent $25).
UFW is usually installed by default. You can check using:
sudo ufw status
If it isn’t installed you can install it by running this command:
sudo apt-get install ufw
Before anything else, make sure you won’t lock yourself out, by opening up your SSH port:
sudo ufw allow ssh
If your SSH is not running on the default port 22, then run:
sudo ufw allow 1234/tcp
Replace 1234 with the SSH port number.
Now allow anything else that runs on your server, like FTP:
sudo ufw allow ftp
But not the web ports (80, 443) – we’re getting to that.
Cloudflare publishes the IP addresses of its servers online.
Without further ado, copy and paste the following into your terminal. Each line allows all connections from <ip address> to anything on port <port>:
sudo ufw allow from 173.245.48.0/20 to any port http
sudo ufw allow from 103.21.244.0/22 to any port http
sudo ufw allow from 103.22.200.0/22 to any port http
sudo ufw allow from 103.31.4.0/22 to any port http
sudo ufw allow from 141.101.64.0/18 to any port http
sudo ufw allow from 108.162.192.0/18 to any port http
sudo ufw allow from 190.93.240.0/20 to any port http
sudo ufw allow from 188.114.96.0/20 to any port http
sudo ufw allow from 197.234.240.0/22 to any port http
sudo ufw allow from 198.41.128.0/17 to any port http
sudo ufw allow from 162.158.0.0/15 to any port http
sudo ufw allow from 104.16.0.0/12 to any port http
sudo ufw allow from 172.64.0.0/13 to any port http
sudo ufw allow from 131.0.72.0/22 to any port http
If you also use IPv6, also copy the following:
sudo ufw allow from 2400:cb00::/32 to any port http
sudo ufw allow from 2606:4700::/32 to any port http
sudo ufw allow from 2803:f800::/32 to any port http
sudo ufw allow from 2405:b500::/32 to any port http
sudo ufw allow from 2405:8100::/32 to any port http
sudo ufw allow from 2a06:98c0::/29 to any port http
sudo ufw allow from 2c0f:f248::/32 to any port http
If you use HTTPS, also do the following:
sudo ufw allow from 173.245.48.0/20 to any port https
sudo ufw allow from 103.21.244.0/22 to any port https
sudo ufw allow from 103.22.200.0/22 to any port https
sudo ufw allow from 103.31.4.0/22 to any port https
sudo ufw allow from 141.101.64.0/18 to any port https
sudo ufw allow from 108.162.192.0/18 to any port https
sudo ufw allow from 190.93.240.0/20 to any port https
sudo ufw allow from 188.114.96.0/20 to any port https
sudo ufw allow from 197.234.240.0/22 to any port https
sudo ufw allow from 198.41.128.0/17 to any port https
sudo ufw allow from 162.158.0.0/15 to any port https
sudo ufw allow from 104.16.0.0/12 to any port https
sudo ufw allow from 172.64.0.0/13 to any port https
sudo ufw allow from 131.0.72.0/22 to any port https
And for HTTPS and IPv6:
sudo ufw allow from 2400:cb00::/32 to any port https
sudo ufw allow from 2606:4700::/32 to any port https
sudo ufw allow from 2803:f800::/32 to any port https
sudo ufw allow from 2405:b500::/32 to any port https
sudo ufw allow from 2405:8100::/32 to any port https
sudo ufw allow from 2a06:98c0::/29 to any port https
sudo ufw allow from 2c0f:f248::/32 to any port https
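Cloudflare's prefix list changes over time, so rather than pasting the rules above by hand you can generate them from the published list. The following script is an added example, not part of the original post: it reads prefixes one per line, rejects anything that is not shaped like an IPv4 or IPv6 CIDR, and emits (or applies) the same allow rules for ports 80 and 443, restricted to TCP. The sample list embedded in it is constructed from a subset of the post's prefixes plus one bad line; the list URLs https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 are the ones Cloudflare publishes.

```shell
#!/bin/sh
# Added example, not part of the original post: generate the HTTP/HTTPS
# "ufw allow" rules from a Cloudflare prefix list instead of pasting them
# by hand, so they can be regenerated whenever Cloudflare's list changes.
# Cloudflare publishes the lists at https://www.cloudflare.com/ips-v4 and
# https://www.cloudflare.com/ips-v6.

# Constructed sample input (a subset of the prefixes from the post plus one
# bad line) so the script can be exercised without network access.
CF_SAMPLE='173.245.48.0/20
103.21.244.0/22
2400:cb00::/32
2606:4700::/32
not-an-address
'

# valid_cidr PREFIX: accept only text shaped like an IPv4 or IPv6 CIDR, so a
# truncated or tampered download can never turn into an arbitrary rule.
valid_cidr() {
  printf '%s\n' "$1" |
    grep -Eq '^(([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}|[0-9A-Fa-f:]+/[0-9]{1,3})$'
}

# cf_ufw_allow MODE: read prefixes on stdin, one per line, and for each one
# allow TCP ports 80 and 443. MODE "print" only shows the commands (review
# them first); MODE "apply" runs them with sudo.
cf_ufw_allow() {
  mode=${1:-print}
  while IFS= read -r cidr; do
    [ -n "$cidr" ] || continue
    if ! valid_cidr "$cidr"; then
      echo "skipping invalid prefix: $cidr" >&2
      continue
    fi
    for port in 80 443; do
      if [ "$mode" = apply ]; then
        # </dev/null keeps sudo/ufw from consuming the rest of the list
        sudo ufw allow from "$cidr" to any port "$port" proto tcp </dev/null
      else
        echo "ufw allow from $cidr to any port $port proto tcp"
      fi
    done
  done
}

# count_rules: rules produced by the sample list (4 valid prefixes x 2 ports).
count_rules() {
  printf '%s' "$CF_SAMPLE" | cf_ufw_allow print 2>/dev/null | wc -l | tr -d ' '
}
```

Feed it the live list with `curl -s https://www.cloudflare.com/ips-v4 | cf_ufw_allow print`, check the output, then rerun with `apply`; IPv6 rules additionally need IPV6=yes in /etc/default/ufw.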
Run the following to enable UFW:
sudo ufw enable
Run this to check UFW’s status:
sudo ufw status
Now, nobody can access your websites without going through Cloudflare. And nobody can access your server through ports which don't have ALLOW written next to them.