iptables not blocking IP from access to HTTP/HTTPS

I'm having issues blocking certain IP addresses access to HTTP/HTTPS ports via iptables on my CentOS 7.7 webserver.

The problem is when I add the IP address to iptables, and confirm it is in the rules, it doesn't block the IP address from accessing HTTP/HTTPS. However it does block them from everything else (ping, SSH, telnet, etc).

Notes:

• There is no NAT or forwarding on this system.

• There is only the lo and eth0 interfaces.

• Sites are on Cloudflare, but please read the bottom notes.

These are my current rules (with 1.2.3.4 being the IP to block):

# iptables -L -v --line-numbers Chain INPUT (policy ACCEPT 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination 1 783 120K ACCEPT all -- lo any anywhere anywhere 2 15 780 drop all -- eth0 any 1.2.3.4 anywhere 3 0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply 4 0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable 5 0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded 6 0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request limit: avg 10/sec burst 5 7 0 0 drop icmp -- any any anywhere anywhere 8 224 18088 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:http 9 432 58244 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:https 10 0 0 drop all -- eth0 any 1.2.3.4 anywhere 11 260 204K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED 12 275 19648 drop all -- any any anywhere anywhere Chain FORWARD (policy DROP 0 packets, 0 bytes) num pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 2771 packets, 634K bytes) num pkts bytes target prot opt in out source destination Chain drop (4 references) num pkts bytes target prot opt in out source destination 1 290 20428 DROP all -- any any anywhere anywhere 

As stated above, that blocks IP 1.2.3.4 from everything on my server except from accessing my websites.

The only thing I can think of potentially causing an issue or hiccup in all this, is the fact that my sites are behind Cloudflare. But even then, I have the mod_cloudflare module installed which basically just means it shows "real visitor IP addresses" and not Cloudflare's IP addresses in Apache logs.

How I'm testing this is I add 1.2.3.4 to the firewall as above, confirm its presence in the rules, tailf the Apache logs, and I see that IP address still scraping my websites.

Does anyone have any ideas on what I may be doing wrong?

EDIT #1: Per the updates to the post, I have moved the drop 1.2.3.4 to below the ACCEPT anywhere but this is still not blocking the IP address from accessing the HTTP/HTTPS on the server. I have pasted my new iptables rule above, placing the drop both before and after the ACCEPT.

EDIT #2: This does appear to be an exclusive issue to Cloudflare. As I just tested this on a domain that is not using Cloudflare's DNS, and it blocks the HTTP/HTTPS access from the IP address as expected.