iptables not working with "x-forwarded-for" (behind Cloudflare)

networking http-headers ubuntu iptables cloudflare

I have a webserver (Ubuntu with Apache) running behind Cloudflare. I want to block a user using the iptables. Here I want to implement the string match extension of iptables and drop the connection if x-forwarded-for matched. I am adding the rule with following command:

iptables -I INPUT -m string --string "x-forwarded-for: 216.244.66.205" --algo bm --to 65535 -j DROP

After adding this rule the client is still able to hit the server.

I know about Cloudflare's specific header for client IP that is cf-connecting-ip. If I add a rule with the following command it works as expected. Here is the rule which works fine:

iptables -I INPUT -m string --string "cf-connecting-ip: 216.244.66.205" --algo bm --to 65535 -j DROP

Why I want to use XFF instead of cf-connecting-ip:

I have a separate load-balancer (haproxy) and some of the domains are running through this instead of Cloudflare. That is why I want to use XFF because cf-connecting-ip is specific to Cloudflare and XFF is supported by both.

The traffic from Cloudflare to the Web server is HTTP (port 80) so http data is visible to the iptables.

I can see Cloudflare is properly attaching both cf-connecting-ip and XFF headers. Here is the output of tcpdump among multiple requests:

tcpdump -A -s 65535 'tcp port 80' | grep 216.244.66.205

x-forwarded-for: 216.244.66.205
cf-connecting-ip: 216.244.66.205
x-forwarded-for: 216.244.66.205
cf-connecting-ip: 216.244.66.205
x-forwarded-for: 216.244.66.205
cf-connecting-ip: 216.244.66.205
x-forwarded-for: 216.244.66.205
cf-connecting-ip: 216.244.66.205

Somehow the iptables are able to detect the cf-connecting-ip but not x-forwarded-for.

What am i doing wrong here?


Solution 1:

The string match operates on the payload of single IP packet.

Therefore one possible reason is that the location of x-forwarded-for: header happens to be on a boundary of two TCP segments. Therefore first IP packet might contain x-forw and second IP packet arded-for:. Then the string match module doesn't match either packet.

To check if this is the reason, look into the different IP packet payloads belonging to the connection and see how the TCP segment is split into IP packets.

It is best to implement block features like this on HTTP level.

Related

Wait for forEach with a promise inside to finish
Differentiate IE7 browser and browser in IE7 compatibility mode
PHP remove duplicate values from multidimensional array
Java8 Collections.sort (sometimes) does not sort JPA returned lists
How to create a transparent triangle with border using CSS?
How to get JSON response from a 3.5 asmx web service
How do I read a disk directly with .Net?
Go to local URL with Javascript
Android: Determine active input method from code
How to format numbers similar to Stack Overflow reputation format
Understanding async/await on NodeJS
Parse JavaScript with jsoup