199.83.128.0/21
198.143.32.0/19
149.126.72.0/21
103.28.248.0/22
45.64.64.0/22
185.11.124.0/22
192.230.64.0/18
107.154.0.0/16
45.60.0.0/16
45.223.0.0/16
2a02:e980::/29
The same prefixes written as address ranges (first address through last address of each block; allow the whole block, do not trim the .0 and .255 ends):
199.83.128.0 - 199.83.135.255
198.143.32.0 - 198.143.63.255
149.126.72.0 - 149.126.79.255
103.28.248.0 - 103.28.251.255
45.64.64.0 - 45.64.67.255
185.11.124.0 - 185.11.127.255
192.230.64.0 - 192.230.127.255
107.154.0.0 - 107.154.255.255
45.60.0.0 - 45.60.255.255
45.223.0.0 - 45.223.255.255
2a02:e980:0:0:0:0:0:0 - 2a02:e987:ffff:ffff:ffff:ffff:ffff:ffff
Note: this list changes periodically.
We recommend that you subscribe to this article to receive notifications of future updates.
Important Notes:
- If you create such IP restrictions, remember to remove them if you disable Cloud WAF on your site or revert your DNS to its original settings; otherwise every visitor, who is then connecting directly, will be blocked.
- Pay attention to the prefix length (the number after the slash): 149.126.72.0/21 covers 149.126.72.0 - 149.126.79.255, i.e. eight consecutive /24 blocks, not just 149.126.72.0/24. A rule written with the wrong mask silently drops traffic from the other blocks.
These ranges can be retrieved via the API at https://my.incapsula.com/api/integration/v1/ips.
The resp_format parameter selects the output format, one of: json | apache | nginx | iptables | text
For example: curl -s --data "resp_format=apache" https://my.incapsula.com/api/integration/v1/ips
Fetch the list over HTTPS with certificate verification left on (do not pass -k to curl): a list that drives your firewall allow rules is exactly the input an attacker on the path would want to tamper with.
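The script below is an added example, not code from the Incapsula article or from Incapsula itself. It turns a fetched range list into the rule formats the article shows, does the prefix-to-range conversion from the section above, and checks whether a given address belongs to the published ranges. It embeds a constructed copy of the article's prefixes so it runs offline; the JSON field names ipRanges and ipv6Ranges are an assumption about the resp_format=json response and should be checked against a live reply before use.

```python
"""Turn an Incapsula-style range list into origin allow rules (added example)."""
import ipaddress
import json

# Constructed stand-in for a resp_format=json response; the real call is
#   curl -s --data "resp_format=json" https://my.incapsula.com/api/integration/v1/ips
# Field names below are an assumption, not taken from Incapsula documentation.
SAMPLE_RESPONSE = json.dumps({
    "ipRanges": [
        "199.83.128.0/21", "198.143.32.0/19", "149.126.72.0/21",
        "103.28.248.0/22", "45.64.64.0/22", "185.11.124.0/22",
        "192.230.64.0/18", "107.154.0.0/16", "45.60.0.0/16", "45.223.0.0/16",
    ],
    "ipv6Ranges": ["2a02:e980::/29"],
})


def parse_ranges(body):
    """Parse the response into ip_network objects.

    strict=True raises on a prefix with host bits set; a typo in this list
    would otherwise silently open or close the origin, so fail loudly.
    """
    data = json.loads(body)
    cidrs = data.get("ipRanges", []) + data.get("ipv6Ranges", [])
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def first_last(cidr):
    """Whole block covered by a prefix: network address through last address."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def is_incapsula(addr, nets):
    """True if addr falls inside any of the published prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def render(nets, fmt, port="http"):
    """Emit allow rules plus the trailing deny for one of the article's formats."""
    lines = []
    if fmt == "nginx":
        lines += [f"allow {n};" for n in nets] + ["deny all;"]
    elif fmt == "apache":
        # Apache 2.4 native syntax; anything not matched is denied.
        lines.append("Require ip " + " ".join(str(n) for n in nets))
    elif fmt == "iptables":
        # IPv6 prefixes must go to ip6tables; iptables rejects them, and the
        # two tools keep separate tables, so each needs its own final DROP.
        for n in nets:
            tool = "ip6tables" if n.version == 6 else "iptables"
            lines.append(f"{tool} -A INPUT -s {n} -p tcp --dport {port} -j ACCEPT")
        for tool in ("iptables", "ip6tables"):
            lines.append(f"{tool} -A INPUT -p tcp --dport {port} -j DROP")
    else:
        raise ValueError(f"unknown format {fmt!r}")
    return lines


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_RESPONSE)
    for n in nets:
        print(f"{n!s:20} {' - '.join(first_last(str(n)))}")
    print("\n".join(render(nets, "iptables", port="https")))
```

Point parse_ranges at the body returned by the curl call above (after verifying the response shape) and regenerate your rules from a cron job, rather than hand-editing them whenever the list changes.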
If you do not have access to a network firewall, use one of the following web-server or host-level restrictions instead:
Apache (.htaccess):
order deny,allow
deny from all
allow from 199.83.128.0/21
allow from 198.143.32.0/19
allow from 149.126.72.0/21
allow from 103.28.248.0/22
allow from 185.11.124.0/22
allow from 45.64.64.0/22
allow from 192.230.64.0/18
allow from 107.154.0.0/16
allow from 45.60.0.0/16
allow from 45.223.0.0/16
allow from 2a02:e980::/29
The Order/Deny/Allow directives above are Apache 2.2 syntax; Apache 2.4 accepts them only with mod_access_compat loaded, and its native form is a single Require ip directive listing the same prefixes (a request matching none of them is denied). Either way, .htaccess is honoured only where AllowOverride permits it, and it restricts only what Apache serves, not other services on the host.
http://support.incapsula.com/entries/20716913-setting-up-htaccess-restrictions
Nginx:
Nginx ships with ngx_http_access_module, which allows or denies requests by client address. These rules test the address of the TCP peer; if you also use ngx_http_realip_module to replace that address with the X-Forwarded-For value, allow/deny will then see the visitor's address and reject everyone, so keep the two apart or match the untouched peer address via $realip_remote_addr.
location / {
# allow Incapsula
allow 199.83.128.0/21;
allow 198.143.32.0/19;
allow 149.126.72.0/21;
allow 103.28.248.0/22;
allow 185.11.124.0/22;
allow 45.64.64.0/22;
allow 192.230.64.0/18;
allow 107.154.0.0/16;
allow 45.60.0.0/16;
allow 45.223.0.0/16;
allow 2a02:e980::/29;
# drop rest of the world
deny all;
}
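The configuration below is an added example, not from the Incapsula article or the nginx documentation. It combines the lock-down above with ngx_http_realip_module so that logs and the application see the visitor's address while the allow decision is still made on the TCP peer. It uses the article's prefixes and assumes nginx 1.9.7 or newer (for $realip_remote_addr), a server name of example.com and a document root of /var/www/html; all three are placeholders.

```nginx
# http {} context. Added example; prefixes are the article's, version and
# server name are assumptions.

# 1. Recover the visitor address from X-Forwarded-For, but only when the
#    TCP peer is an Incapsula proxy. A direct connection keeps its own
#    address, so a forged header from an untrusted peer is ignored.
set_real_ip_from 199.83.128.0/21;
set_real_ip_from 198.143.32.0/19;
set_real_ip_from 149.126.72.0/21;
set_real_ip_from 103.28.248.0/22;
set_real_ip_from 45.64.64.0/22;
set_real_ip_from 185.11.124.0/22;
set_real_ip_from 192.230.64.0/18;
set_real_ip_from 107.154.0.0/16;
set_real_ip_from 45.60.0.0/16;
set_real_ip_from 45.223.0.0/16;
set_real_ip_from 2a02:e980::/29;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;   # walk the header from the right, skipping trusted hops

# 2. Classify the ORIGINAL peer address. A plain allow/deny list in the
#    location would be evaluated against the rewritten $remote_addr and
#    would deny every visitor, so key the decision on $realip_remote_addr.
geo $realip_remote_addr $from_incapsula {
    default           0;
    199.83.128.0/21   1;
    198.143.32.0/19   1;
    149.126.72.0/21   1;
    103.28.248.0/22   1;
    45.64.64.0/22     1;
    185.11.124.0/22   1;
    192.230.64.0/18   1;
    107.154.0.0/16    1;
    45.60.0.0/16      1;
    45.223.0.0/16     1;
    2a02:e980::/29    1;
}

server {
    listen 80;
    listen [::]:80;
    server_name example.com;          # assumption

    # Drop the rest of the world before any location is considered.
    if ($from_incapsula = 0) {
        return 403;
    }

    location / {
        root /var/www/html;           # assumption
    }
}
```

With this in place $remote_addr (and the access log) carries the visitor's address, while $realip_remote_addr still carries the proxy address that actually opened the connection; regenerate both lists together whenever the published ranges change.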
IPtables:
#Incapsula proxies access restriction
#Rules are appended in order: an ACCEPT that precedes the final DROP wins, so
#insert these ahead of any existing blanket ACCEPT/DROP for ports 80/443.
#iptables and ip6tables keep separate tables: the IPv6 prefix must go to
#ip6tables, and each table needs its own closing DROP. Persist the result
#(iptables-save / ip6tables-save) or it is lost at reboot.
#Allow HTTP (port 80) from Incapsula
iptables -A INPUT -s 199.83.128.0/21 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 198.143.32.0/19 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 149.126.72.0/21 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 103.28.248.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 185.11.124.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 45.64.64.0/22 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 192.230.64.0/18 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 107.154.0.0/16 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 45.60.0.0/16 -p tcp --dport http -j ACCEPT
iptables -A INPUT -s 45.223.0.0/16 -p tcp --dport http -j ACCEPT
ip6tables -A INPUT -s 2a02:e980::/29 -p tcp --dport http -j ACCEPT
#Block HTTP from other sources
iptables -A INPUT -p tcp --dport http -j DROP
ip6tables -A INPUT -p tcp --dport http -j DROP
#Allow HTTPS (port 443) from Incapsula
iptables -A INPUT -s 199.83.128.0/21 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 198.143.32.0/19 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 149.126.72.0/21 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 103.28.248.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 185.11.124.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 45.64.64.0/22 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 192.230.64.0/18 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 107.154.0.0/16 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 45.60.0.0/16 -p tcp --dport https -j ACCEPT
iptables -A INPUT -s 45.223.0.0/16 -p tcp --dport https -j ACCEPT
ip6tables -A INPUT -s 2a02:e980::/29 -p tcp --dport https -j ACCEPT
#Block HTTPS from other sources
iptables -A INPUT -p tcp --dport https -j DROP
ip6tables -A INPUT -p tcp --dport https -j DROP
The range 149.126.72.0/21 was added to the Incapsula IP ranges.
Added a new IP for our new Tokyo PoP.
We have added the APNIC range 103.28.248.0/22.
Why not set up a page that is always up to date, where clients can cut-and-paste the exact information needed for the .htaccess file?
For that matter, Incapsula already has a WordPress plug-in to sort out the IP confusion that happens with services such as this. Why not add a feature to this plug-in to write to .htaccess with the current whitelist?
order deny,allow
deny from all
allow from 199.83.128.0/21
allow from 149.126.72.0/21
allow from 103.28.248.0/22
allow from 194.90.228.56/29
allow from 46.51.174.78
allow from 184.73.240.163
allow from 122.248.247.129
allow from 173.203.97.38
allow from 79.125.118.62
allow from 176.32.89.123
If you use nginx, make sure you have the realip module, and add this to nginx.conf:
set_real_ip_from 199.83.128.0/21;
set_real_ip_from 149.126.72.0/21;
set_real_ip_from 103.28.248.0/22;
set_real_ip_from 194.90.228.56/29;
set_real_ip_from 46.51.174.78;
set_real_ip_from 184.73.240.163;
set_real_ip_from 122.248.247.129;
set_real_ip_from 173.203.97.38;
set_real_ip_from 79.125.118.62;
set_real_ip_from 176.32.89.123;
real_ip_header X-Forwarded-For;
A major update:
- Removed the 194.90.228.56/29 range.
- Removed many of the single IPs (184.73.240.163, 173.203.97.38, 176.32.89.123).
- Added additional IPs: 50.16.241.95, 50.16.241.176, 184.169.135.107, 184.169.135.111, 46.137.108.0, 46.51.168.190, 79.125.110.134.
Hi,
Thanks for the update. Is it possible to be notified prior to these changes being implemented, so we can schedule the change at our end without affecting access to our sites?
Cheers!
Hi, I second the last comment. Can we get an early notification? We must notify our customers of the change, as they restrict the destination IPs.
iptables allow host
tcp:in:d=80:s:199.83.128.0/21
tcp:in:d=80:s:149.126.72.0/21
tcp:in:d=80:s:103.28.248.0/22
tcp:in:d=80:s:46.51.174.78
tcp:in:d=80:s:122.248.247.129
tcp:in:d=80:s:50.16.241.95
tcp:in:d=80:s:50.16.241.176
tcp:in:d=80:s:184.169.135.107
tcp:in:d=80:s:184.169.135.111
tcp:in:d=80:s:46.137.108.0
tcp:in:d=80:s:46.51.168.190
tcp:in:d=80:s:79.125.110.134
tcp:in:d=80:s:79.125.118.62
;)
Hi,
A few updates:
An additional range was added: 198.143.32.0/19. This range will become active on June 1st (for those who requested early notification :)).
As several people have provided specific configurations for htaccess, nginx and iptables, I've incorporated them into the article and will keep them updated going forward. Thank you for all the contributors!!
Have Fun.
I am sorry if this is a staggeringly noob question, but if I lock down .htaccess to allow only traffic from Incapsula, I presume this will block my FTP access to the site (unless I FTP from the same IP and whitelist that as well). Correct? Or is there a way to block HTTP calls but not FTP?
Websites: port 80 is blocked after .htaccess allows only traffic from Incapsula.
FTP: ports 20 and 21 remain accessible to everyone.
Hi to all followers :)
Please note that we have added another range : 185.11.124.0/22
Please make sure to update your firewall rules.
We are using Dome9 with Incapsula, and they have something called Magic-IP for Incapsula that dynamically configures our servers to accept traffic only from Incapsula. They keep updating their Incapsula list when Incapsula changes, so we don't have to worry about it. And we use them to block phpMyAdmin and SSH to our servers as well.
Hello all,
We have decided to remove all the single IPs which were used by some of our old POPs.
I have updated the list and the sample configurations accordingly. You can find it in the article at the top of the discussion thread.
For your convenience, here is the complete list of IPs used by Incapsula's POPs:
199.83.128.0/21
198.143.32.0/19
149.126.72.0/21
103.28.248.0/22
185.11.124.0/22
Hi,
I wish to suggest that this list of IP addresses be stored at a fixed HTTPS (for validation) URL on the Incapsula site, in a structured file format like CSV, XML, JSON or whatever, so clients have the option to have their back-end systems consume this list constantly and automatically, even when the list changes, without needing to rely on notifications from this thread and then manually apply the changes.
Eitan
Too hard to keep up with IP ranges - it's like another job.
Tip: don't forget to add the IPs to all your .htaccess files (root, forum, other folders).
#Incapsula
order deny,allow
deny from all
allow from 199.83.128.0/21
allow from 198.143.32.0/19
allow from 149.126.72.0/21
allow from 103.28.248.0/22
allow from 185.11.124.0/22
Please allow me access to get into my account. I cannot get into my account; it has been blocked.
There are no suitable Chinese nodes?
If you are behind a proxy or load-balancer and use Apache, the aforementioned code won't work since you need to look for the X-FORWARDED-FOR HTTP header instead of the actual IP address originating the connection. In that case, you could use mod_rewrite like so:
# Turn on rewrite engine, only needed once
RewriteEngine On
# Limit IP addresses to those from Incapsula
# --> http://support.incapsula.com/entries/20199668-Restricting-direct-access-to-your-website-Incapsula-s-IP-addresses-
# RewriteCond lines are ANDed, so the rule below fires only when the header
# matches none of the ranges. Dots are escaped (an unescaped "." matches any
# character) and each pattern is anchored to the start of the header or to a
# list separator so that "1199.83.128.1" cannot match.
# 199.83.128.1 - 199.83.135.254
RewriteCond %{HTTP:X-Forwarded-For} !(^|[ ,])199\.83\.1(2[89]|3[0-5])\.[0-9]{1,3}$
# 198.143.32.1 - 198.143.63.254
RewriteCond %{HTTP:X-Forwarded-For} !(^|[ ,])198\.143\.(3[2-9]|[45][0-9]|6[0-3])\.[0-9]{1,3}$
# 149.126.72.1 - 149.126.79.254
RewriteCond %{HTTP:X-Forwarded-For} !(^|[ ,])149\.126\.7[2-9]\.[0-9]{1,3}$
# 103.28.248.1 - 103.28.251.254
RewriteCond %{HTTP:X-Forwarded-For} !(^|[ ,])103\.28\.2(4[89]|5[01])\.[0-9]{1,3}$
# 185.11.124.1 - 185.11.127.254
RewriteCond %{HTTP:X-Forwarded-For} !(^|[ ,])185\.11\.12[4-7]\.[0-9]{1,3}$
# Fail
RewriteRule .* - [L,F]
Ideally you should still add client IP restrictions to ensure the connections are all originating from the expected proxy/load balancer as well, since X-FORWARDED-FOR headers can be spoofed by a malicious client that is able to connect directly to the web server.
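The function below is an added example, not code from the comment above or from Incapsula. It shows the application-side counterpart of that caveat: X-Forwarded-For is only honoured when the TCP peer is a trusted proxy, and the visitor address is taken as the right-most entry that is not itself a trusted proxy, so entries a client prepends to the header are ignored. It assumes each proxy appends the address it received the connection from (the usual X-Forwarded-For convention, assumed here rather than taken from the page) and uses a constructed trusted-proxy list made from some of the article's prefixes.

```python
"""Derive the visitor address behind Incapsula from X-Forwarded-For (added example)."""
import ipaddress

# Constructed trusted-proxy list: a subset of the article's prefixes.
TRUSTED_PROXIES = [ipaddress.ip_network(c) for c in (
    "199.83.128.0/21", "198.143.32.0/19", "149.126.72.0/21",
    "103.28.248.0/22", "185.11.124.0/22",
)]


def _trusted(addr):
    """True if addr parses and lies inside one of the trusted prefixes."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in n for n in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return (visitor_address_or_None, reason).

    peer_addr  is the address of the TCP connection (the socket peer).
    xff_header is the raw X-Forwarded-For value, "" or None if absent.

    The header is trusted only when the peer is a trusted proxy; a client
    that reaches the origin directly can set any header it likes.
    Entries are then walked from the right: trusted hops are skipped and the
    first untrusted entry is the visitor. Anything the visitor prepended
    sits to the left of that entry and is never reached.
    """
    if not _trusted(peer_addr):
        return None, "direct connection, not via a trusted proxy"
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop)), "from X-Forwarded-For"
        except ValueError:
            return None, "malformed X-Forwarded-For entry"
    return None, "no untrusted entry in X-Forwarded-For"


if __name__ == "__main__":
    # Constructed requests: a proxied visitor, and a direct connection
    # carrying a forged header.
    print(client_ip("199.83.128.5", "203.0.113.9, 149.126.72.3"))
    print(client_ip("198.51.100.7", "199.83.128.5"))
```

Use the result for rate limiting, access logs and any per-client decision; a None result on a direct connection is the case the firewall rules above are meant to make impossible, so treat it as a signal that the origin is reachable without going through the proxy.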
How do I do this with IIS 7.5 on a Windows 2008 R2 Standard 64-bit server?
Thanks,
Hopefully you guys do something like Cloudflare did at https://www.cloudflare.com/ips-v4, so we can set up a cron job or something that will fetch the IP lists automatically for whitelisting.
Maybe this list is getting obsolete?
I'm receiving visits to my site from the 198.143.38.* and 198.143.39.* ranges, which are not in the above list.
It would be a very handy resource to have something like proposed by min0taur.
wphost - I agree with you. How are you restricting access to your server today?
wphost,
I was going to wait for support to respond to you, but the last comment has prompted me to go ahead and chime in.
I am a customer and I am subscribed to this page to monitor changes. While this is not automated to update my firewall rules, the changes seem to be infrequent, and I get an email about any changes or posts to this page. There is a subscribe link at the top right of the page.
The ranges stated above include 198.143.32.0/19 which is a superset of the ranges that you mention (198.143.38.* and 198.143.39.* )
198.143.32.0/19 includes all IPs between 198.143.32.1 - 198.143.63.254 (32 Class C networks)
Another way to state it is 198.143.32.0 with a netmask of 255.255.224.0 .
You should make sure that you have the netmask correct in your rules.
I hope this helps.
Rod
Just note that there is no need for you to manually track this page and update all your servers if you use dome9.com. There is a Magic IP for Incapsula (as well as for CloudFlare) that will push the relevant configuration to your iptables or Windows firewall.