10

I have a setup where a server is front-ended by AWS ELB. I would like to filter traffic based on the source ip address using iptables possibly. I have enabled the proxy protocol on ELB. Is it possible to use iptables in conjunction with Proxy protocol?

Cheezo
  • It should be possible to achieve what you describe, but you might not get the results you expect. There is no dependable way to verify the source IP address of your callers. Please see [this answer](http://stackoverflow.com/a/9326215/347777) for more information. – Viccari Aug 06 '15 at 03:36
  • A simpler way to achieve it could be to use [Security Groups](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-security-groups.html) on the ELB, too. This allows you to filter traffic based on the source IP address - but achieve this at the ELB rather than your app. – alexjs Jan 01 '16 at 10:11
  • Did you ever find a solution for this? We're in the same predicament. – DarkNeuron Jul 22 '16 at 16:19

2 Answers

1

Cheezo, I'm not sure if this is possible, but I guess using AWS Security Group would be an easier solution.

Also, AWS Web Application Firewall might give you a hand.

Take a look at https://aws.amazon.com/waf/ and see if it helps.

Cheers,

gfernandes
0

Just want to point out that if you use or upgrade your ELB to one of the newer Network Load Balancers (which weren't around when the question was posed), you can get the real IP addresses of your clients and avoid all the work of configuring proxy protocol on the ELBs and in the web server config by simply configuring the target groups to use the servers' instance ids rather than their IP addresses. At that point you could configure iptables normally or use AWS Security Groups as others have mentioned.

ScottH
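The filtering the question asks for, done where the client address is actually visible: with proxy protocol enabled, the kernel (and so iptables) only ever sees the ELB's IP, while the real client address arrives as the first line of the TCP payload, so the allowlist has to be applied by the application. This is an added example, not code from the question or any answer; the allowed networks are constructed placeholder values, and it assumes the instance's security group only admits the ELB, since the PROXY line is trusted as written.

```python
import ipaddress

# Constructed allowlist of client networks (placeholder values, not from the thread).
ALLOWED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "198.51.100.7/32", "2001:db8::/32")]

MAX_HEADER = 107  # longest legal PROXY protocol v1 line, including CRLF


def parse_proxy_v1(header: bytes):
    """Parse one PROXY protocol v1 line, e.g. b'PROXY TCP4 src dst sport dport\\r\\n'.

    Returns (src_ip, dst_ip, src_port, dst_port) for TCP4/TCP6, None for
    'PROXY UNKNOWN', and raises ValueError for anything malformed.
    """
    if len(header) > MAX_HEADER or not header.endswith(b"\r\n"):
        raise ValueError("malformed PROXY header")
    fields = header[:-2].decode("ascii").split(" ")  # non-ASCII -> ValueError
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None  # the proxy could not determine the client address
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY header")
    family = 4 if fields[1] == "TCP4" else 6
    src, dst = ipaddress.ip_address(fields[2]), ipaddress.ip_address(fields[3])
    if src.version != family or dst.version != family:
        raise ValueError("address family does not match protocol field")
    sport, dport = int(fields[4]), int(fields[5])
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return src, dst, sport, dport


def client_allowed(header: bytes) -> bool:
    """Decide, from the PROXY line the ELB prepends, whether to serve this connection.

    Fails closed: unparseable headers and 'PROXY UNKNOWN' are rejected, since
    an unverifiable source address must not pass an IP-based filter.
    """
    try:
        parsed = parse_proxy_v1(header)
    except ValueError:
        return False
    if parsed is None:
        return False
    src = parsed[0]
    # ipaddress handles mixed families safely: a v6 address is never "in" a v4 network.
    return any(src in net for net in ALLOWED_NETWORKS)
```

In a real server the line is read from the accepted socket before any application data; the connection is dropped when `client_allowed` returns False.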