I'm running some unique firewall setup using various things Rackspace offers (load balancer and clouds, and I've installed squid to proxy HTTP requests through the clouds). My setup pretty much blocks all attacks other than HTTP floods. The problem is that I don't have SSH access to the Load Balancer to tell it to block attacking IPs, and by the time it reaches the cloud, the connecting IP is the load balancer's. However, the load balancer sends the client IP in a header. Is there some way I can set up my firewall to read (and block) IPs from the header?
Using CentOS 6.0 on the load balancer
You can't meaningfully get the iptables firewall system to read from the HTTP layer content and block. There are some "layer 7" matching modules out there, but they are generally neither good choices nor reasonably supportable.
Part of the problem there is that the header is likely three to five packets down the line from the initial connection, and you have to maintain a lot of state to get to working out where it came from. (Unless the load balancer puts it in an IP option or something, which it probably doesn't.)
You would be better off with one of the many tools like fail2ban that process logs looking for offending content, then add iptables rules or - usefully - perform some other action, such as doing whatever is possible to get upstream blocking of the attack.
If you can't block the attack off your system the best you are likely to do is put some sort of proxy on your system between the web server and the load balancer, and have that forward - but only if the attack isn't hostile.
That still costs substantially, but at least it protects your application server from the offending requests, and gives you a much simpler system to operate on.
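As an added example (not part of the question or answer above), here is the log-processing approach in Python: a fail2ban-style filter that takes the forwarded client address from the web server's access log and flags addresses exceeding a request rate, so the list can be handed to whatever upstream blocking is available. It assumes the header is X-Forwarded-For and that it is logged as the last quoted field of an Apache-style line; both are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example, not from the thread. Assumes Apache-style access logs whose
# final quoted field is the header the load balancer sets (X-Forwarded-For here).
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+ "[^"]*" "[^"]*" "([^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def client_ip(xff):
    # Clients can pre-fill X-Forwarded-For; the trusted load balancer appends the
    # address it really saw, so only the right-most entry is reliable.
    parts = [p.strip() for p in xff.split(",") if p.strip()]
    return parts[-1] if parts else None

def parse_line(line):
    # Returns (timestamp, forwarded client IP) or None for lines that do not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    ip = client_ip(m.group(2))
    return (datetime.strptime(m.group(1), TS_FMT), ip) if ip else None

def find_flooders(lines, max_requests, window_seconds):
    # Sliding-window request count per forwarded IP; returns the set to report upstream.
    recent, flagged = defaultdict(deque), set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            flagged.add(ip)
    return flagged

def _line(hms, xff):  # constructed sample line; 10.0.0.5 stands for the load balancer
    return '10.0.0.5 - - [10/Oct/2012:%s +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.19" "%s"' % (hms, xff)

SAMPLE_LOG = (
    [_line("13:55:%02d" % s, "198.51.100.7") for s in range(30, 36)]  # 6 hits in 5 s: flood
    + [_line("13:%02d:00" % m, "192.0.2.44") for m in range(50, 56)]  # 6 hits over 5 min: normal
    + [_line("13:55:40", "1.2.3.4, 203.0.113.9")] * 2                 # client-supplied prefix
    + ["not a log line"]                                               # ignored
)
```

Running `find_flooders(SAMPLE_LOG, 5, 10)` flags only 198.51.100.7; the same six requests spread over five minutes stay under the rate, and the client-supplied prefix in the third address is ignored in favour of the entry the load balancer appended.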