Conflict between Cloudflare & GeoIP blocking for US IPs

I have a number of services in my home network that I want to expose only in the UK. To achieve this I am using

  1. Cloudflare as a reverse proxy, allowing only Cloudflare IP ranges to reach my services via HTTPS;
    • Cloudflare is set up to block non-UK originating IPs
    • IPFire has a port forwarding rule for a Host Group that covers the Cloudflare IP ranges
  2. IPFire GeoIP block of any non-UK IP addresses, so I restrict Roadwarrior access from non-UK IPs

Problem: The Cloudflare reverse proxy does not work if GeoIP blocks Country: US and A3 Proxy, hence I have to expose my IPFire to those IP ranges.

I understand that in the FORWARD chain the LOCATIONBLOCK is resolved before the FORWARDFW rules that contain the Cloudflare IP range, hence, given the order of processing, I have no option from the WebUI but to accept that my IPFire is exposed to US & A3 ranges.

Potential Solution: I was thinking of pushing the Cloudflare IP check before the location check by…

  1. Manually add Cloudflare IP ranges under the CUSTOMFORWARD rules
  2. Then block US & A3 ranges under GeoIP menu

Would this be a valid approach? If yes, is there anything I should be careful about?

I have experimented with the above by adding Cloudflare IPs in the CUSTOMFORWARD chain, while I have now blocked the US & A3 locations.

Also, I realised I need the relevant DNAT entries in the CUSTOMPREROUTING chain.

This approach appears to have done what I wanted:

  1. GeoBlock all non-UK IPs from reaching IPFire
  2. Allow access to home services via Cloudflare IPs while using Cloudflare’s GeoBlock against non-UK IP addresses.

I have written a small script that pulls the IPs from the Cloudflare API and either adds or removes the Cloudflare IPs from the CUSTOMFORWARD & CUSTOMPREROUTING chains. Those CUSTOM chains survive any updates to firewall rules from the WebUI.

# sh ./cloudflare-port-forward.sh
Usage: ./cloudflare-port-forward.sh [add|del] <destination_ip> <destination_port>

# sh ./cloudflare-port-forward.sh add 192.168.1.152 443
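As an added illustration of the kind of script described above (this is not the poster's script, which is not shown in the thread), the following POSIX shell script fetches the published Cloudflare IPv4 ranges, generates the DNAT and ACCEPT rules for the CUSTOMPREROUTING and CUSTOMFORWARD chains named in the thread, and adds or deletes them. Assumptions that are not from the thread: the red (WAN) interface is red0, only TCP is forwarded, the JSON is parsed with sed/grep instead of jq, and a DRY_RUN=1 environment variable prints the iptables commands instead of running them. The https://api.cloudflare.com/client/v4/ips endpoint and the iptables -w switch are real; everything else is a constructed example.

```shell
#!/bin/sh
# cloudflare-port-forward.sh (added example, not the forum poster's script)
# Usage: cloudflare-port-forward.sh [add|del] <destination_ip> <destination_port>
# Requires curl and iptables. Assumes IPFire's CUSTOMPREROUTING (nat table) and
# CUSTOMFORWARD (filter table) chains exist and that the red interface is red0.

CF_IPS_URL="https://api.cloudflare.com/client/v4/ips"
# -w makes iptables wait for the xtables lock instead of failing when the
# WebUI or rc.firewall is rewriting rules at the same time.
IPTABLES="${IPTABLES:-iptables -w}"
RED_IF="${RED_IF:-red0}"   # assumed interface name, override via environment

# Read the Cloudflare /ips JSON on stdin and print the IPv4 CIDRs, one per line.
# Assumption: no jq on the box, so the "ipv4_cidrs" array is cut out with sed
# and every entry is checked against a CIDR shape before it can reach iptables.
cf_ipv4_cidrs() {
    tr -d ' \n' \
    | sed 's/.*"ipv4_cidrs":\[\([^]]*\)\].*/\1/' \
    | tr ',' '\n' | tr -d '"' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
}

# Sanity checks on the two values that come from the command line, since they
# end up inside an eval'd iptables command.
valid_ipv4() { echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
valid_port() { echo "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

# Print the iptables commands for one action ("add" -> -A, "del" -> -D), two per
# CIDR in "$4". Kept separate from apply_rules so the generated rules can be
# inspected or tested without touching the firewall.
rule_cmds() {
    rc_action=$1; rc_dst_ip=$2; rc_dst_port=$3; rc_cidrs=$4
    case $rc_action in
        add) rc_op=-A ;;
        del) rc_op=-D ;;
        *) echo "rule_cmds: action must be add or del, got '$rc_action'" >&2; return 1 ;;
    esac
    for cidr in $rc_cidrs; do
        # nat: rewrite the public destination to the internal host
        echo "$IPTABLES -t nat $rc_op CUSTOMPREROUTING -i $RED_IF -p tcp -s $cidr --dport $rc_dst_port -j DNAT --to-destination $rc_dst_ip:$rc_dst_port"
        # filter: accept the forwarded packet; the thread reports CUSTOMFORWARD is
        # evaluated before LOCATIONBLOCK, which is what makes the GeoIP block coexist
        echo "$IPTABLES $rc_op CUSTOMFORWARD -i $RED_IF -p tcp -s $cidr -d $rc_dst_ip --dport $rc_dst_port -j ACCEPT"
    done
}

# Run (or, with DRY_RUN=1, just print) the commands produced by rule_cmds.
apply_rules() {
    rule_cmds "$@" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else eval "$cmd"; fi
    done
}

# Fetch the current ranges; a failed download or an unparseable body yields
# no CIDRs and a non-zero status, so no rules are touched.
fetch_cf_ipv4() { curl -fsS "$CF_IPS_URL" | cf_ipv4_cidrs; }

main() {
    if [ $# -ne 3 ]; then
        echo "Usage: $0 [add|del] <destination_ip> <destination_port>" >&2
        return 2
    fi
    valid_ipv4 "$2" && valid_port "$3" || { echo "bad destination $2:$3" >&2; return 2; }
    cidrs=$(fetch_cf_ipv4) || { echo "could not fetch IPv4 ranges from $CF_IPS_URL" >&2; return 1; }
    [ -n "$cidrs" ] || { echo "no IPv4 ranges parsed from $CF_IPS_URL" >&2; return 1; }
    apply_rules "$1" "$2" "$3" "$cidrs"
}

# Only act when called with arguments, so the functions can be sourced or tested.
if [ $# -gt 0 ]; then main "$@"; fi
```

Running it as `DRY_RUN=1 sh cloudflare-port-forward.sh add 192.168.1.152 443` shows the rules that would be inserted without changing anything. Note that a `del` run only removes the ranges the API returns at that moment; if Cloudflare retires a range between the add and the del, the stale rule stays in the CUSTOM chains until it is removed by hand.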

In line with another change recently checked in, can you add the -w switch to your iptables commands?

Thanks Nick. Noticed the change. I have updated accordingly.

Just to finish this posting, I have now made the changes survive the reboot/restart by adding them into firewall.local (wish I had read it earlier).

#!/bin/sh
# Used for private firewall rules

# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here
        sh <abs_path_to>/cloudflare-port-forward.sh add <internal_ip> <port>
        ;;
  stop)
        ## add your 'stop' rules here
        sh <abs_path_to>/cloudflare-port-forward.sh del <internal_ip> <port>
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac