This topic assumes you are running a Linux-based operating system with iptables.
From Hosting Provider
Change your domain's nameservers to the ones CloudFlare assigns you.
From CloudFlare
Set your A record in CloudFlare to point to your real IP address.
Set any CNAME records, like “www”, which you use as aliases.
Set the Crypto (SSL) mode to Full if you serve HTTPS with your own certificate on the origin.
From your Server
Run the following shell script:
#!/bin/bash
# Reject direct HTTP/HTTPS with a TCP reset for both IPv4 and IPv6 (the
# original script only rejected IPv4, leaving IPv6 origins reachable).
iptables -A INPUT -p tcp --dport http -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --dport https -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p tcp --dport http -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p tcp --dport https -j REJECT --reject-with tcp-reset
# Insert ACCEPT rules for CloudFlare's published ranges ahead of the REJECTs.
# curl -f makes a failed download yield an empty list (fail closed) instead of
# feeding an error page into the loop.
for x in $(curl -fsS https://www.cloudflare.com/ips-v4); do
    iptables -I INPUT -p tcp -m multiport --dports http,https -s "$x" -j ACCEPT
done
for x in $(curl -fsS https://www.cloudflare.com/ips-v6); do
    ip6tables -I INPUT -p tcp -m multiport --dports http,https -s "$x" -j ACCEPT
done
Now, try to access your site directly by its real IP address, bypassing CloudFlare. The connection should be blocked with a TCP reset. If it is not, something is misconfigured and anyone could correlate your real IP address with your CloudFlare-protected site.
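As an added check for the verification step above (example code, not from the original page): a shell audit that reads the output of iptables -S INPUT together with the CloudFlare range list and flags any ACCEPT on port 80/443 from a source outside the list, or a missing tcp-reset REJECT. The rule lines and CIDRs below are constructed samples; on a live host you feed it the real command output.

```shell
#!/bin/bash
# Added audit helper, not part of the original how-to. Given `iptables -S INPUT`
# output and the CloudFlare CIDR list (one per line), report every rule that
# ACCEPTs port 80/443 from a source outside the list and confirm both tcp-reset
# REJECT rules are present. Only rules naming port 80/443 are inspected.
audit_web_rules() {
    local rules="$1" allowlist="$2" line src problems=0 rej80=0 rej443=0
    while IFS= read -r line; do
        case "$line" in
            *"--dport 80 -j REJECT --reject-with tcp-reset"*)  rej80=1 ;;
            *"--dport 443 -j REJECT --reject-with tcp-reset"*) rej443=1 ;;
            *"--dports 80,443 -j REJECT --reject-with tcp-reset"*) rej80=1; rej443=1 ;;
            *"--dport 80 -j ACCEPT"*|*"--dport 443 -j ACCEPT"*|*"--dports 80,443 -j ACCEPT"*)
                # iptables -S prints the source as "-s a.b.c.d/len" when one is set.
                src=$(printf '%s\n' "$line" | sed -n 's/.* -s \([^ ]*\).*/\1/p')
                if [ -z "$src" ]; then
                    echo "PROBLEM: web ports open to any source: $line"
                    problems=$((problems + 1))
                elif ! printf '%s\n' "$allowlist" | grep -qxF "$src"; then
                    echo "PROBLEM: web ports open to non-CloudFlare source $src"
                    problems=$((problems + 1))
                fi ;;
        esac
    done <<EOF
$rules
EOF
    [ "$rej80" -eq 1 ]  || { echo "PROBLEM: no tcp-reset REJECT for port 80";  problems=$((problems + 1)); }
    [ "$rej443" -eq 1 ] || { echo "PROBLEM: no tcp-reset REJECT for port 443"; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ]
}

# Constructed samples: RFC 5737 documentation ranges stand in for the real list
# (fetch that with: curl -fsS https://www.cloudflare.com/ips-v4).
SAMPLE_ALLOWLIST='192.0.2.0/24
198.51.100.0/24'
SAMPLE_RULES_OK='-P INPUT ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset'
# Same ruleset with a stray ACCEPT for an unrelated host and no REJECT for 443.
SAMPLE_RULES_BAD='-P INPUT ACCEPT
-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset'

# On a live host: audit_web_rules "$(iptables -S INPUT)" "$(curl -fsS https://www.cloudflare.com/ips-v4)"
audit_web_rules "$SAMPLE_RULES_OK" "$SAMPLE_ALLOWLIST" && echo "OK: only listed ranges reach 80/443"
audit_web_rules "$SAMPLE_RULES_BAD" "$SAMPLE_ALLOWLIST" || echo "BAD: fix the rules listed above"
```

Run the same audit against ip6tables -S INPUT and the ips-v6 list to cover the IPv6 rules.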
Running this script from an init script at boot is also highly recommended; iptables rules are not persisted by default, so otherwise a reboot leaves you with all of these settings lost.