
Resolved Refined question on how to force all traffic through Cloudflare

David Jimenez

Basic Pleskian
I asked a previous question regarding turning on a firewall in Plesk, which I have since done; however, I get an error message when I try to apply the rule change to the firewall. So, I am hoping that someone here can give me some guidance on what I am doing wrong.

Background: since we started aggressively publishing information from our aerospace and defense team, we have been hit regularly by hackers from the Ukraine and China. To combat this, we added Cloudflare between the Internet and our web server (email server is a separate box). That worked very well with a few page rules and some captchas. The problem is that only inquiries using nameservers go through Cloudflare.

So, the Chinese are now wise to that and are hitting us by using our origin IP address directly. So, it was suggested by Cloudflare that we turn on the Plesk firewall and only accept traffic from the Cloudflare IP addresses.

My approach was to select the WWW Server option in the firewall and then change the settings from Allow Incoming from All to Allow from selected sources, deny from others. I then entered all the IP addresses used by Cloudflare and hit OK, then hit Apply Changes and then Activate.

Unfortunately, when I do that, I get the following warning: Warning: The current configuration has not been activated. The system has been reverted to the previous configuration. This has occured because there were connection problems between your browser and the server. Most probably, the reason is that you have arranged the configuration so that connections from your computer to the server are prohibited.

So, I clearly am doing something wrong. I have administrative privileges, so that can't be the issue. Thoughts?
 
Hi David Jimenez,

In your modification process, did you also include YOUR current computer IP?
Most probably, the reason is that you have arranged the configuration so that connections from your computer to the server are prohibited.
If you deny traffic from your own current computer IP in the desired upcoming iptables, you will immediately stop all traffic between your computer IP and the server, and the current process of your modification could never be confirmed ( and as a result being saved! ), because you locked yourself out from communicating with your server's IP.

But as stated before in your other thread ( I still wonder why you opened a NEW thread with the very same issue ), your modification will result in issues/errors/problems on your server. I still recommend using Fail2Ban ( maybe with some additional filter modifications, but at least with the "recidive" jail activated! ), in order to avoid these upcoming issues/errors/problems, reducing the traffic to Cloudflare IPs only. ;)
 
Yes, my IP address is in the list. I just didn't include it in the post so as to protect my security. I understand your point, but it was my impression that using a simple firewall rule would work fine or should in theory. If you are saying that I cannot accomplish my goal with the firewall, then I will move on to Fail2Ban. I did read about it and it sounded like overkill, but if that is the only (or best) solution, I will go that way. Thanks
 
Hi David Jimenez,

Is there a way to force all traffic (domain name and IP address) through Cloudflare?
I don't know any way to achieve your goal, without issues/errors and problems.


If you desire to do that on your very own risk, just connect as user "root" over SSH and insert the desired rules manually to your iptables, but be aware, that you will get disconnected as soon as you put in rules, which deny your current connection between your computer and your server. ;)
 
Just wanted to raise a point of warning. If you are on a Network Solutions VPS, as I am, you may have issues with running both Plesk Firewall and Fail2Ban. The numiptent is set at 128 and they will not increase this value. So, you run out of that resource very quickly. We had to ditch the firewall and Fail2Ban in order to setup iptables.
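As an added illustration of the manual iptables approach suggested above and of the lock-out and rule-count (numiptent) concerns raised in this thread (example script, not from any poster or from Plesk): it builds a ruleset that admits ports 80/443 only from Cloudflare ranges, puts the admin workstation's accept rule first, and applies with an automatic rollback timer. The admin IP and the ranges are constructed placeholders from RFC 5737 documentation space; the real ranges are published by Cloudflare at https://www.cloudflare.com/ips-v4.

```shell
#!/bin/sh
# Added example (not from the thread). Only HTTP/HTTPS are restricted; SSH
# and the Plesk panel ports are left untouched so the session applying the
# change survives. Placeholder addresses: replace with your own values.
ADMIN_IP="${ADMIN_IP:-198.51.100.7}"                     # placeholder: your public IP
CF_RANGES="${CF_RANGES:-203.0.113.0/24 192.0.2.0/24}"    # placeholder: Cloudflare ranges

# Print (do not run) the rule lines. Order matters: the admin accept goes to
# position 1, then one accept per Cloudflare range, then a final DROP that
# applies to ports 80/443 only.
build_rules() {
    printf 'iptables -I INPUT 1 -s %s -j ACCEPT\n' "$ADMIN_IP"
    for r in $CF_RANGES; do
        printf 'iptables -A INPUT -p tcp -m multiport --dports 80,443 -s %s -j ACCEPT\n' "$r"
    done
    printf 'iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP\n'
}

# Number of rules this adds: 1 admin + N ranges + 1 drop. Compare against the
# container's numiptent limit before applying on a constrained VPS.
rule_count() { build_rules | wc -l | tr -d ' '; }

# Apply with a dead-man switch: unless the background job is killed within
# $1 seconds, the previously saved ruleset is restored, so a mistake that
# blocks your own connection undoes itself. Run as root; DRY_RUN=1 only prints.
apply_with_rollback() {
    secs="${1:-120}"
    if [ "${DRY_RUN:-1}" = "1" ]; then
        build_rules
        return 0
    fi
    iptables-save > /root/iptables.before
    ( sleep "$secs"; iptables-restore < /root/iptables.before ) &
    echo $! > /root/iptables.rollback.pid
    build_rules | sh
    echo "Applied; run: kill \$(cat /root/iptables.rollback.pid) within ${secs}s to keep the rules"
}
```

With the defaults the script is a dry run that only prints the commands; set DRY_RUN=0 on the server after reviewing the output.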
 