Is there any way to block the IP address of an intruder (or any IP) when our server is behind a load balancer? For example, if my servers are behind ELB (Amazon ELB) or a Rackspace load balancer, I am getting attacks, and I know the actual attacker IP. How can I block those IP addresses?
Regards,
ELB doesn't allow you to block IPs at the ELB level. Your servers themselves would need to reject the traffic. ELB passes an X-Forwarded-For header with the requester's IP that you can use to do this.

Depends on what you mean by blocking; you can certainly use mod_access to deny access to certain IPs (you will need mod_rpaf for this as well). On the other hand, I don't see why you could not block access on load balancers, but then again I'm not familiar with ELB details; maybe they don't allow tampering much on LBs.
As of Sep 2017, AWS released Network Load Balancer, which has a number of new features.

One of them is Source Address Preservation: "With Network Load Balancer, the original source IP address and source ports for the incoming connections remain unmodified, so application software need not support X-Forwarded-For, proxy protocol, or other workarounds. This also means that normal firewall rules, including VPC Security Groups, can be used on targets."

from New Network Load Balancer

This will allow using iptables or ipchains at the OS level, or any other TCP/IP firewall.
See here a good discussion on the AWS forum on how to handle the issue of blocking rogue IPs behind the ELB.

The bottom line is:

1) AWS ELB doesn't allow filtering the traffic by IP.

2) Traffic coming out of a Classic or Application ELB cannot be filtered at the TCP level (except with the new Network LB, see above), because as far as a network firewall is concerned it is all coming from the ELB.

3) ELB adds X-Forwarded-For to the HTTP headers so that traffic can be filtered at the application level, e.g. by Apache, Nginx or Varnish.
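Added example, written for this page and not taken from any of the answers above: the application-level filtering that the first answer (reject in the application using X-Forwarded-For) and point 3 of the summary describe, with the one detail both leave implicit. A client can send its own X-Forwarded-For header, and an HTTP load balancer appends the address it actually saw to the end of that list, so a blocklist that reads the first entry is trivially bypassed while one that reads the last entry, and only when the TCP peer really is the load balancer, is not. The proxy range (10.0.0.0/8) and the blocked addresses are constructed values for the example, not anything from the page.

```python
"""
Application-level IP blocking behind an HTTP load balancer that appends
X-Forwarded-For (example code, not from the original Q&A).

Assumptions (constructed for this example):
  * the load balancer connects to the app from 10.0.0.0/8 (TRUSTED_PROXIES);
  * it appends the connecting client's address as the LAST entry of
    X-Forwarded-For, the way Amazon ELB / ALB do;
  * BLOCKED is the operator's blocklist (single hosts and CIDR ranges).
"""
import ipaddress
from typing import Iterable, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed values for the example; replace with your own ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
BLOCKED = [ipaddress.ip_network(n) for n in ("203.0.113.7/32", "198.51.100.0/24")]


def _in_any(addr: IPAddr, nets: Iterable) -> bool:
    # ip_network.__contains__ returns False across IPv4/IPv6, so mixed lists are safe.
    return any(addr in net for net in nets)


def effective_client_ip(remote_addr: str, xff: Optional[str]) -> Optional[IPAddr]:
    """Work out which address the blocklist applies to.

    * If the TCP peer is not one of our load balancers, X-Forwarded-For is
      untrusted client input: ignore it and use the peer address itself.
    * If the peer is a load balancer, it appended the real client as the LAST
      entry of X-Forwarded-For. Everything left of that entry was supplied by
      the client and may be forged, so only the rightmost value is used.
    Returns None when no usable address can be determined.
    """
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    if not _in_any(peer, TRUSTED_PROXIES):
        return peer
    if not xff:
        return None  # a trusted proxy that sent no header: do not guess
    last = xff.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last)
    except ValueError:
        return None  # malformed header: unknown, not trusted


def decide(remote_addr: str, xff: Optional[str]) -> int:
    """HTTP status to return: 403 if the effective client is blocklisted,
    400 if it cannot be determined, otherwise 200."""
    client = effective_client_ip(remote_addr, xff)
    if client is None:
        return 400
    return 403 if _in_any(client, BLOCKED) else 200


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header value)
    samples = [
        ("10.0.1.5", "203.0.113.7"),                 # blocked client via the LB
        ("10.0.1.5", "203.0.113.7, 192.0.2.10"),     # forged first entry, real client allowed
        ("10.0.1.5", "192.0.2.10, 198.51.100.44"),   # real client inside a blocked range
        ("203.0.113.7", "192.0.2.10"),               # direct hit bypassing the LB, header ignored
    ]
    for peer, xff in samples:
        print(f"peer={peer:<14} xff={xff!r:<32} -> {decide(peer, xff)}")
```

The same rule is what mod_rpaf / mod_remoteip (Apache) and the real_ip module (nginx) implement when you tell them which proxy addresses to trust: they rewrite the logged client address from the rightmost untrusted entry, and only for connections that arrive from a listed proxy. Configure the trusted range to exactly the load balancer's subnets; a wider range lets anyone who can reach the instance directly choose the address your blocklist sees.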