xFelix

Simple script update Cloudflare Firewall IP list


Cloudflare provides 5 firewall rules to free-plan users. You can use firewall rules to create custom policies that filter out unwanted web traffic before it reaches the origin hosting server. This post shares a script I use to update the IP list referenced by a firewall rule.

One use case: you want Cloudflare to allow only yourself to reach a website or a particular path and to drop all other traffic knocking on the door. For that you can create a strict 'IP Source Address' rule.

For example, I created a rule so that requests whose source IP address is not in my 'xfelixip' list and that try to access data.example.com are blocked at the Cloudflare firewall.

However, Cloudflare only supports IP addresses or IP subnets as items in its IP lists. You are not allowed to put in a URL or a domain name, even when they are also managed on Cloudflare. Updating the list by hand is inconvenient if you want to keep the dynamic, ISP-assigned IP address of your home Internet connection in it.

If you followed my previous post on updating a Cloudflare DDNS record, you already know how to obtain the Cloudflare zone ID and an API token. The script I created pushes all kinds of addresses (a DDNS record, a domain name resolved to its IP, a static IP) into one IP list using the Cloudflare API.

The first step is to generate an API token. I share the required permissions below for reference (they may be excessive).

Once you have the token, you also need the zone ID, which can be seen on your dashboard.

Straight to the script.


#!/bin/bash

## Cloudflare authentication details
## keep these private
CF_Token=your_own_token
# Note: the /accounts/.../rules/lists endpoints take the account ID
# (shown on the dashboard next to the zone ID), so that is the value to use here.
ZoneID=your_own_zoneid
ListID=your_own_listid

# IP ENV
# dig +short can print more than one line (a CNAME before the A record),
# so keep only the last line, which is the address itself.
NewIP=$(dig +short A ddns.example.com | tail -n 1)
CurrentIP=$(cat /home/pi/currentip.txt 2>/dev/null)
IP2=$(dig +short A ip2.example.com | tail -n 1)
IP3='123.123.123.123'

# Never push an empty entry if a DNS lookup failed
if [ -z "$NewIP" ] || [ -z "$IP2" ]; then
    echo "DNS lookup failed, list not updated" >&2
    exit 1
fi

# IP change check
if [ "$NewIP" = "$CurrentIP" ]
then
    echo "No IP Address change needed"
else
    # update the list items: PUT replaces the whole list, so every address
    # that should stay allowed must be included in the body
    if curl --fail -sS -X PUT "https://api.cloudflare.com/client/v4/accounts/$ZoneID/rules/lists/$ListID/items" \
        -H "Authorization: Bearer $CF_Token" \
        -H "Content-Type: application/json" \
        --data '[{"ip":"'"$NewIP"'","comment":"DDNS_IP"},{"ip":"'"$IP2"'","comment":"IP2"},{"ip":"'"$IP3"'","comment":"IP3"}]'
    then
        # only remember the new IP once Cloudflare accepted the update
        echo "$NewIP" > /home/pi/currentip.txt
    else
        echo "List update failed, will retry on next run" >&2
    fi
fi
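Because the PUT call replaces the whole list, whatever ends up in the request body becomes your allowlist. As an added example (not part of the original post), here is a validation step I would put in front of that call: it rejects anything that is not an IPv4 address or CIDR, so a failed lookup can never push an empty or garbage entry. The function names is_ipv4 and build_items_json are my own.

```shell
#!/bin/sh
# Added example: validate addresses and build the JSON body for
# PUT /accounts/{account_id}/rules/lists/{list_id}/items.

# is_ipv4 ADDR -> exit 0 if ADDR is a dotted-quad IPv4, optionally with /0-32
is_ipv4() {
  addr=${1%/*}
  if [ "$addr" != "$1" ]; then
    prefix=${1#*/}
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
  fi
  # reject leading, trailing or doubled dots so every field is non-empty
  case $addr in .*|*.|*..*) return 1 ;; esac
  oldifs=$IFS
  IFS=.
  set -- $addr
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# build_items_json COMMENT=ADDR ... -> JSON array for the list PUT body.
# Prints nothing and returns 1 if any address is invalid, so the caller
# can abort instead of overwriting the allowlist.
build_items_json() {
  out=""
  for entry; do
    comment=${entry%%=*}
    addr=${entry#*=}
    is_ipv4 "$addr" || return 1
    item="{\"ip\":\"$addr\",\"comment\":\"$comment\"}"
    out="${out:+$out,}$item"
  done
  printf '[%s]' "$out"
}
```

In the script above you would then use `--data "$(build_items_json DDNS_IP="$NewIP" IP2="$IP2" IP3="$IP3")"` and skip the curl call when build_items_json fails.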

You may wonder how to get the ListID used in the script. It can be obtained with a curl query in the terminal once you have the zone ID and token ready:

curl -X GET "https://api.cloudflare.com/client/v4/accounts/$ZoneID/rules/lists" \
-H "Authorization: Bearer $CF_Token" \
-H "Content-Type:application/json"

Written by Felix. Licensed under CC BY-NC-SA 3.0 Unported.

2021-10-18