Update DigitalOcean Firewalls with CloudFlare IPs

A little script to update DigitalOcean firewalls with official CloudFlare IPs.

This is useful to protect your backends against direct DoS and DDoS attacks on ports 80 and 443.

Table of Contents

• Warning
• How to install
• Example
• Make cron

Warning

All Inbound Rules with type = HTTP or type = HTTPS of each Firewall will be overwritten.

How to install

1. git clone https://github.com/offensive-hub/digitalocean-firewall.git
2. cd digitalocean-firewall
3. sudo apt-get install python-pip && sudo pip install -U -r requirements.txt
4. cp .env.example .env && chmod 600 .env
5. Write right Digital Ocean Access Token in .env file

Example

1. Create an Inbound Rule with type=HTTP or type=HTTPS as following:
2. Execute ./update-firewalls.py
3. Now you have two new Inbound Rules containing the official CloudFlare IPs:

Make cron

It would be useful to make a cron, which update the firewalls every X time.

If you want that, follow these instructions:

1. crontab -e
2. Paste the following code at the end of file:

   # [00:00] Update DigitalOcean Firewalls with CloudFlare IPs
   0 0 * * * /path/to/digitalocean-firewall/update-firewalls.py
   

3. Edit /path/to/ with your real path
4. Now your server will automatically update DigitalOcean Firewalls every day at midnight! :)

Authors

• Fabrizio Fubelli

Thanks to

• python-digitalocean