Why iptables not working with string match using x-forwarded-for? – Apache

I have a webserver running running with Apache on Ubuntu behind Cloudflare. I want to block a user using the iptables of the webserver. Here I want to implement to string match feature of iptables and drop the connection. Here is my rule which does not work:

iptables -I INPUT -m string --string "x-forwarded-for: 216.244.66.205" --algo bm --to 65535 -j DROP

After adding this rule the client is still able to hit the server.

I know Cloudflare’s specific header for client IP that is cf-connecting-ip. I am able to block the client with this. Here is the rule which works fine:

iptables -I INPUT -m string --string "cf-connecting-ip: 216.244.66.205" --algo bm --to 65535 -j DROP

The traffic from Cloudflare to the Web server is HTTP (port 80).

I have a load-balancer (haproxy) and some of the domains are running through this instead of Cloudflare. That is why I want to use XFF because cf-connecting-ip is specific to Cloudflare and XFF is supported by both.

I can see Cloudflare is properly attaching both cf-connecting-ip and XFF headers. Here is the output of tcpdump among multiple requests:

tcpdump -A -s 65535 'tcp port 80' | grep 216.244.66.205

x-forwarded-for: 216.244.66.205
cf-connecting-ip: 216.244.66.205
x-forwarded-for: 216.244.66.205
cf-connecting-ip: 216.244.66.205
x-forwarded-for: 216.244.66.205
cf-connecting-ip: 216.244.66.205
x-forwarded-for: 216.244.66.205
cf-connecting-ip: 216.244.66.205

Somehow the iptables are able to detect the string cf-connecting-ip but not x-forwarded-for.

Any help would be appreciated.