Learn to utilize IP Access Rules to restrict, challenge, or allow traffic to your site.
Overview
IP Access Rules are commonly used to block or challenge suspected malicious traffic. Another common use of IP Access Rules is to allow services that regularly access your site (APIs, crawlers, payment providers, etc). IP Access Rules allow allowlist, block, and challenge actions for traffic based on the visitor's IP address, country, or AS number.
There are four configurable actions for an IP Access Rule:
- Allowlist: Excludes visitors from all security checks (Browser Integrity Check, I'm Under Attack Mode, the WAF, etc). This is useful if a trusted visitor is blocked by Cloudflare's default security features. Allowlist takes precedence over block.
- JavaScript Challenge: Presents the I'm Under Attack Mode interstitial page to visitors. Requires a visitor's browser or client to support JavaScript. Useful for blocking DDoS attacks with minimal impact to legitimate visitors.
- Challenge: Requires the visitor to complete a CAPTCHA before visiting your site. Prevents bots from accessing the site.
- Block: Prevents a visitor from visiting your site.
Add an IP Access Rule
To create an IP Access Rule, follow these steps:
- Log in to your Cloudflare account.
- Select your domain.
- Click the Firewall app.
- Click on the Tools tab.
- Under IP Access Rules, enter the following details:
- Enter the Value as an IP, IP range, or two-letter country code.
- Select an Action.
- Select whether the rule applies to This website or All websites in the account.
- (Optional) add a Note (i.e. Payment Gateway).
- Click Add.
Also, you can programmatically block or trust IPs via the Cloudflare API. Cloudflare supports use of fail2ban to block IPs on your server. However, to prevent fail2ban from inadvertently blocking Cloudflare IPs and causing errors for some visitors, ensure you restore original visitor IP in your origin server logs.
Types of Access Rules
There are several types of Access Rules:
Type | Example Value |
IPv4 address | 192.0.2.3 |
IPv4 /24 range | 192.0.2.0/24 |
IPv4 /16 range | 192.0.0.0/16 |
IPv6 address | 2001:db8:: |
IPv6 address range | 2001:db8::/48, 2001:db8::/64 |
Country (by name or code) | US, germany, tor, CN |
Autonomous System Number (ASN) | AS13335 |
IPs globally allowed by Cloudflare override a Country block via IP Access Rules but not a Country block via Firewall Rules.
Address range examples
CIDR | Start of range (example) | End of range (example) | Number of addresses |
/64 | 2001:db8:: | 2001:db8:0000:0000:ffff:ffff:ffff:ffff | 18,446,744,073,709,551,616 |
/48 | 2001:db8:: | 2001:db8:0000:ffff:ffff:ffff:ffff:ffff | 1,208,925,819,614,629,174,706,176 |
/32 | 2001:db8:: | 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff | 79,228,162,514,264,337,593,543,950,336 |
/24 | 192.1.2.0 | 192.1.2.255 | 256 |
/16 | 192.1.0.0 | 192.1.255.255 | 65,536 |
IP Access Rule limits
Accounts are limited to a maximum of 50,000 rules. Enterprise customers can request increased rule limits via their Account Team. Block by country is only available on the Enterprise plan
Two-letter country codes
Below is a full list of the two letter country codes in ISO 3166-1 Alpha 2 format needed to create Access Rules for the IP Firewall:
Cloudflare also uses T1 (not an ISO code) for Tor exit nodes.
Afghanistan | AF |
Åland Islands | AX |
Albania | AL |
Algeria | DZ |
American Samoa | AS |
Andorra | AD |
Angola | AO |
Anguilla | AI |
Antarctica | AQ |
Antigua and Barbuda | AG |
Argentina | AR |
Armenia | AM |
Aruba | AW |
Australia | AU |
Austria | AT |
Azerbaijan | AZ |
Bahamas | BS |
Bahrain | BH |
Bangladesh | BD |
Barbados | BB |
Belarus | BY |
Belgium | BE |
Belize | BZ |
Benin | BJ |
Bermuda | BM |
Bhutan | BT |
Bolivia, Plurinational State of | BO |
Bonaire, Sint Eustatius and Saba | BQ |
Bosnia and Herzegovina | BA |
Botswana | BW |
Bouvet Island | BV |
Brazil | BR |
British Indian Ocean Territory | IO |
Brunei Darussalam | BN |
Bulgaria | BG |
Burkina Faso | BF |
Burundi | BI |
Cambodia | KH |
Cameroon | CM |
Canada | CA |
Cape Verde | CV |
Cayman Islands | KY |
Central African Republic | CF |
Chad | TD |
Chile | CL |
China | CN |
Christmas Island | CX |
Cocos (Keeling) Islands | CC |
Colombia | CO |
Comoros | KM |
Congo | CG |
Congo, the Democratic Republic of the | CD |
Cook Islands | CK |
Costa Rica | CR |
Côte d'Ivoire | CI |
Croatia | HR |
Cuba | CU |
Curaçao | CW |
Cyprus | CY |
Czech Republic | CZ |
Denmark | DK |
Djibouti | DJ |
Dominica | DM |
Dominican Republic | DO |
Ecuador | EC |
Egypt | EG |
El Salvador | SV |
Equatorial Guinea | GQ |
Eritrea | ER |
Estonia | EE |
Ethiopia | ET |
Falkland Islands (Malvinas) | FK |
Faroe Islands | FO |
Fiji | FJ |
Finland | FI |
France | FR |
French Guiana | GF |
French Polynesia | PF |
French Southern Territories | TF |
Gabon | GA |
Gambia | GM |
Georgia | GE |
Germany | DE |
Ghana | GH |
Gibraltar | GI |
Greece | GR |
Greenland | GL |
Grenada | GD |
Guadeloupe | GP |
Guam | GU |
Guatemala | GT |
Guernsey | GG |
Guinea | GN |
Guinea-Bissau | GW |
Guyana | GY |
Haiti | HT |
Heard Island and McDonald Islands | HM |
Holy See (Vatican City State) | VA |
Honduras | HN |
Hong Kong | HK |
Hungary | HU |
Iceland | IS |
India | IN |
Indonesia | ID |
Iran, Islamic Republic of | IR |
Iraq | IQ |
Ireland | IE |
Isle of Man | IM |
Israel | IL |
Italy | IT |
Jamaica | JM |
Japan | JP |
Jersey | JE |
Jordan | JO |
Kazakhstan | KZ |
Kenya | KE |
Kiribati | KI |
Korea, Democratic People's Republic of | KP |
Korea, Republic of | KR |
Kuwait | KW |
Kyrgyzstan | KG |
Lao People's Democratic Republic | LA |
Latvia | LV |
Lebanon | LB |
Lesotho | LS |
Liberia | LR |
Libya | LY |
Liechtenstein | LI |
Lithuania | LT |
Luxembourg | LU |
Macao | MO |
Macedonia, the Former Yugoslav Republic of | MK |
Madagascar | MG |
Malawi | MW |
Malaysia | MY |
Maldives | MV |
Mali | ML |
Malta | MT |
Marshall Islands | MH |
Martinique | MQ |
Mauritania | MR |
Mauritius | MU |
Mayotte | YT |
Mexico | MX |
Micronesia, Federated States of | FM |
Moldova, Republic of | MD |
Monaco | MC |
Mongolia | MN |
Montenegro | ME |
Montserrat | MS |
Morocco | MA |
Mozambique | MZ |
Myanmar | MM |
Namibia | NA |
Nauru | NR |
Nepal | NP |
Netherlands | NL |
New Caledonia | NC |
New Zealand | NZ |
Nicaragua | NI |
Niger | NE |
Nigeria | NG |
Niue | NU |
Norfolk Island | NF |
Northern Mariana Islands | MP |
Norway | NO |
Oman | OM |
Pakistan | PK |
Palau | PW |
Palestine, State of | PS |
Panama | PA |
Papua New Guinea | PG |
Paraguay | PY |
Peru | PE |
Philippines | PH |
Pitcairn | PN |
Poland | PL |
Portugal | PT |
Puerto Rico | PR |
Qatar | QA |
Réunion | RE |
Romania | RO |
Russian Federation | RU |
Rwanda | RW |
Saint Barthélemy | BL |
Saint Helena, Ascension and Tristan da Cunha | SH |
Saint Kitts and Nevis | KN |
Saint Lucia | LC |
Saint Martin (French part) | MF |
Saint Pierre and Miquelon | PM |
Saint Vincent and the Grenadines | VC |
Samoa | WS |
San Marino | SM |
Sao Tome and Principe | ST |
Saudi Arabia | SA |
Senegal | SN |
Serbia | RS |
Seychelles | SC |
Sierra Leone | SL |
Singapore | SG |
Sint Maarten (Dutch part) | SX |
Slovakia | SK |
Slovenia | SI |
Solomon Islands | SB |
Somalia | SO |
South Africa | ZA |
South Georgia and the South Sandwich Islands | GS |
South Sudan | SS |
Spain | ES |
Sri Lanka | LK |
Sudan | SD |
Suriname | SR |
Svalbard and Jan Mayen | SJ |
Swaziland | SZ |
Sweden | SE |
Switzerland | CH |
Syryan Arab Republic | SY |
Taiwan, Province of China | TW |
Tajikistan | TJ |
Tanzania, United Republic of | TZ |
Thailand | TH |
Timor-Leste | TL |
Togo | TG |
Tokelau | TK |
Tonga | TO |
Trinidad and Tobago | TT |
Tunisia | TN |
Turkey | TR |
Turkmenistan | TM |
Turks and Caicos Islands | TC |
Tuvalu | TV |
Uganda | UG |
Ukraine | UA |
United Arab Emirates | AE |
United Kingdom | GB |
United States | US |
United States Minor Outlying Islands | UM |
Uruguay | UY |
Uzbekistan | UZ |
Vanuatu | VU |
Venezuela, Bolivarian Republic of | VE |
Vietnam | VN |
Virgin Islands, British | VG |
Virgin Islands, U.S. | VI |
Wallis and Futuna | WF |
Western Sahara | EH |
Yemen | YE |
Zambia | ZM |
Zimbabwe | ZW |
Unknown/reserved | XX |