iptables filters on IP addresses and ports; it cannot see HTTP headers. Behind an ELB every connection arrives from the load balancer's address, so the real client address exists only in the X-Forwarded-For (XFF) header, and the filtering has to be done in ModSecurity instead.
OS : Amazon Linux
# yum install mod_security
# vim /etc/httpd/conf.d/mod_security.conf
Following rule is added to block traffic [ELB used] (111.222.333.444 is a placeholder; substitute the real address):
SecRule REQUEST_HEADERS:X-Forwarded-For "@contains 111.222.333.444" "phase:1,log,deny,id:1001"
Note that @contains is a substring match: it also fires on a longer address such as 111.222.333.4445 and on any address a client put into the header itself, since the ELB appends to an existing XFF header rather than replacing it.
Following rule is added to block traffic [ELB not used]. The dots must be escaped and the pattern anchored at both ends, otherwise "^111.222.333.444" also matches 111.222.333.4440 and similar:
SecRule REMOTE_ADDR "^111\.222\.333\.444$" "phase:1,log,deny,id:1004"
The XFF address is used because the server is behind an ELB: REMOTE_ADDR holds the load balancer's address, and the ELB appends the connecting client's address as the last entry of X-Forwarded-For.
Similarly, the following rule can be used to whitelist an IP:
SecRule REQUEST_HEADERS:X-Forwarded-For "@contains 111.222.333.444" "phase:1,log,allow,ctl:ruleEngine=off,id:10012"
The rule above disables ModSecurity inspection for any request whose X-Forwarded-For header contains 111.222.333.444. This is dangerous as written: the client controls the header it sends, and the ELB only appends its own entry, so anyone can send "X-Forwarded-For: 111.222.333.444", arrive at Apache as "111.222.333.444, <real address>", match the rule and switch ModSecurity off for their request. A whitelist must match only the last, ELB-appended entry, and the instance should only be reachable through the ELB, otherwise a direct connection carries whatever XFF value the client chooses.
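The following configuration fragment is an added example, not part of the original note, showing the block and whitelist rules keyed to the last XFF entry only. It assumes Apache 2.4 with ModSecurity 2.x on Amazon Linux, an instance whose security group admits traffic only from the ELB, IPv4 clients, and the documentation addresses 203.0.113.44 (to block) and 198.51.100.7 (to allow) as placeholders for real hosts:

```apache
# Added example (not from the original note). Assumes ModSecurity 2.x behind an ELB,
# IPv4 clients, and placeholder addresses from the RFC 5737 documentation ranges.

# Extract the last X-Forwarded-For entry into TX:client_ip. The ELB appends the
# connecting client's address, so everything before the final comma is client
# supplied and untrusted. If the header is absent, TX:client_ip is never set and
# the rules keyed on it simply do not match.
SecRule REQUEST_HEADERS:X-Forwarded-For "(?:^|,)\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$" \
    "phase:1,id:1000,pass,nolog,t:none,capture,setvar:tx.client_ip=%{TX.1}"

# Block one client [ELB used]: exact address match, no substring surprises.
SecRule TX:client_ip "@ipMatch 203.0.113.44" \
    "phase:1,id:1001,log,deny,status:403,msg:'Blocked client address (via ELB)'"

# Block one client [ELB not used]: Apache sees the client directly.
SecRule REMOTE_ADDR "@ipMatch 203.0.113.44" \
    "phase:1,id:1004,log,deny,status:403,msg:'Blocked client address (direct)'"

# Whitelist one client [ELB used]: only the ELB-appended entry is consulted, so a
# client cannot satisfy this by prepending the address to its own XFF header.
SecRule TX:client_ip "@ipMatch 198.51.100.7" \
    "phase:1,id:10012,log,allow,ctl:ruleEngine=off"
```

An alternative on Apache 2.4 is mod_remoteip with RemoteIPHeader X-Forwarded-For and RemoteIPInternalProxy restricted to the subnets the ELB lives in; Apache then rewrites the client address for the request and the plain REMOTE_ADDR rules work behind the ELB too. Either way, the protection only holds while the instance is not reachable except through the load balancer.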