Update Hetzner Cloud firewall rules with Cloudflare IP ranges
Project description
Update Hetzner Cloud Firewall Rules with Current Cloudflare IP Ranges
Table of Contents
Overview
cf-ips-to-hcloud-fw fetches the current
Cloudflare IP ranges and inserts them into
Hetzner Cloud firewall rules via the
hcloud API.
The networks in incoming firewall rules are replaced with
Cloudflare networks if their description contains __CLOUDFLARE_IPS_V4__,
__CLOUDFLARE_IPS_V6__ or __CLOUDFLARE_IPS__.
| Text in rule description | Cloudflare networks |
|---|---|
__CLOUDFLARE_IPS_V4__ |
IPv4 only |
__CLOUDFLARE_IPS_V6__ |
IPv6 only |
__CLOUDFLARE_IPS__ |
IPv4 + IPv6 |
Having both __CLOUDFLARE_IPS_V4__ and __CLOUDFLARE_IPS_V6__ in a rule
description is equivalent to having __CLOUDFLARE_IPS__ there.
Installation
Using Python
Install cf-ips-to-hcloud-fw
into a virtual environement:
$ python3 -m venv cf-ips-to-hcloud-fw-venv
$ ./cf-ips-to-hcloud-fw-venv/bin/pip3 install cf-ips-to-hcloud-fw
[...]
$ ./cf-ips-to-hcloud-fw-venv/bin/cf-ips-to-hcloud-fw -h
usage: cf-ips-to-hcloud-fw [-h] -c CONFIGFILE [-v] [-d]
Update Hetzner Cloud firewall rules with Cloudflare IP ranges
options:
-h, --help show this help message and exit
-c CONFIGFILE, --config CONFIGFILE
config file
-v, --version show program's version number and exit
-d, --debug
Then call cf-ips-to-hcloud-fw-venv/bin/cf-ips-to-hcloud-fw -c config.yaml
from a cronjob or a systemd timer.
Docker and Kubernetes
Alternatively you can use Docker or a Kubernetes CronJob to run
cf-ips-to-hcloud-fw. Just mount your config file as
/usr/src/app/config.yaml. For example:
docker run --rm \
--mount type=bind,source="$(pwd)"/config.yaml,target=/usr/src/app/config.yaml,readonly \
jkreileder/cf-ips-to-hcloud-fw:1.0
Images are available on:
Configuration
Hetzner Cloud Firewall Preparation
- Insert
__CLOUDFLARE_IPS_V4__,__CLOUDFLARE_IPS_V6__or__CLOUDFLARE_IPS__into the description of any incoming firewall rule where you want to have Cloudflare networks inserted - Create an API token with write permissions for the project containing the firewall
Configuration File
Insert the tokens and names of any firewall you want to update in
config.yaml:
- token: cHJvamVjdGF0b2tlbgAd43 # token for project a
firewalls:
- firewall-1
- firewall-2
- token: cHJvamVjdGJ0b2tlbgDas3 # token for project b
firewalls:
- default
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for cf-ips-to-hcloud-fw-1.0.0.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | e499715b2152817423b5179ad8cb6cf3bf308bd60cd90498f1be2f1b200eb595 |
|
| MD5 | 40932053c0f58787f9ac1b610d1adaa9 |
|
| BLAKE2b-256 | af20063097faee3b9acee516a53a7ce8f95c47413e7d7cbef91eb9241f048540 |
Hashes for cf_ips_to_hcloud_fw-1.0.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | e21b887152cea9d47e4d60a8e23dbd27fd168826070395fb4263e4eb5676c264 |
|
| MD5 | c73cab1544b8d4b73e405436cc49362e |
|
| BLAKE2b-256 | 0413acca876b58c6db56fbb2414e8941989155ca3a3301d24766b63538613000 |
