This topic assumes you are running a Linux-based operating system with iptables.
From Hosting Provider
Change your nameservers to match CloudFlare’s.
Set your A record in CloudFlare to point to your real IP address.
Set any CNAME records, like “www”, which you use as aliases.
Set your Crypto setting to Full if you’re using your own solution.
From your Server
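Run the following shell script:
#!/bin/bash
# Reject direct HTTP/HTTPS connections by default, on both IPv4 and IPv6.
iptables -A INPUT -p tcp --dport http -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp --dport https -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p tcp --dport http -j REJECT --reject-with tcp-reset
ip6tables -A INPUT -p tcp --dport https -j REJECT --reject-with tcp-reset

# Insert ACCEPT rules ahead of the rejects for each published CloudFlare IPv4 range.
for x in $(curl -fsS https://www.cloudflare.com/ips-v4); do
    iptables -I INPUT -p tcp -m multiport --dports http,https -s "$x" -j ACCEPT
done

# Do the same for the published CloudFlare IPv6 ranges.
for x in $(curl -fsS https://www.cloudflare.com/ips-v6); do
    ip6tables -I INPUT -p tcp -m multiport --dports http,https -s "$x" -j ACCEPT
done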
Now, try to access your site from the real IP address. It should be blocked via TCP reset. If not, you’re doing something wrong and people could correlate your real IP address to your CloudFlare-protected site.
Setting this up to run via an init script is also highly recommended; otherwise the rules are lost on reboot.
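A variant suited to running from an init script or cron, as an added example rather than the original script: it validates the downloaded list before emitting any rule and loads it with iptables-restore into a dedicated chain, so a re-run replaces the ranges instead of stacking duplicates. The chain name CF-WEB and the function names are assumptions; the demo ranges are constructed documentation addresses, not CloudFlare's.

```shell
#!/bin/sh
# Added example. CF-WEB and the function names are hypothetical.
CHAIN=CF-WEB

# build_rules FAMILY: read CIDR ranges on stdin and print an iptables-restore
# ruleset for $CHAIN. Returns 1, printing nothing, if the list is empty or any
# line is not a bare CIDR (for example an HTML error page from a failed fetch).
build_rules() {
    case "$1" in
        4) re='^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' ;;
        6) re='^[0-9A-Fa-f:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$' ;;
        *) return 2 ;;
    esac
    list=$(cat)
    [ -n "$list" ] || return 1
    # Any non-matching line aborts before a single rule is emitted.
    if printf '%s\n' "$list" | grep -Evq "$re"; then return 1; fi
    echo '*filter'
    echo ":$CHAIN - [0:0]"   # creates the chain, or flushes it on a re-run
    printf '%s\n' "$list" | while read -r cidr; do
        echo "-A $CHAIN -s $cidr -j ACCEPT"
    done
    echo "-A $CHAIN -p tcp -j REJECT --reject-with tcp-reset"
    echo 'COMMIT'
}

# apply_rules FAMILY URL: fetch, validate, then load in one step (needs root).
apply_rules() {
    if [ "$1" = 6 ]; then ipt=ip6tables; else ipt=iptables; fi
    rules=$(curl -fsS "$2" | build_rules "$1") || return 1
    printf '%s\n' "$rules" | "$ipt-restore" --noflush || return 1
    # Add the jump from INPUT once; -C tests whether the rule already exists.
    "$ipt" -C INPUT -p tcp -m multiport --dports http,https -j "$CHAIN" 2>/dev/null ||
        "$ipt" -I INPUT -p tcp -m multiport --dports http,https -j "$CHAIN"
}

# Demo on constructed ranges (RFC 5737 documentation addresses).
printf '203.0.113.0/24\n198.51.100.0/24\n' | build_rules 4
# Real use, as root: apply_rules 4 https://www.cloudflare.com/ips-v4
#                    apply_rules 6 https://www.cloudflare.com/ips-v6
```

If the fetch or validation fails, apply_rules returns before touching the firewall, so the previously loaded ranges stay in effect.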