stephan48: Here's what I ended up with, now in a container in my git:
#!/usr/bin/env bash
IPS_JSON=$(mktemp)
curl --request GET --url https://api.cloudflare.com/client/v4/ips >$IPS_JSON
IPS_V4=$(jq -r '.result.ipv4_cidrs | join(" ")' $IPS_JSON)
IPS_V6=$(jq -r '.result.ipv6_cidrs | join(" ")' $IPS_JSON)
for cidr in $IPS_V4; do
  echo "Blocking ipv4 $cidr"
  iptables -A OUTPUT -d $cidr -j DROP
done
for cidr in $IPS_V6; do
  echo "Blocking ipv6 $cidr"
  ip6tables -A OUTPUT -d $cidr -j DROP
done