IPtables, Nginx proxy and CloudFlare (proxy mode ON)

Good afternoon. Sorry for my English. I will write in simple words.

I have server IP: 178.x.x.x (nginx reverse proxy server) (real_ip_header CF-Connecting-IP;)
and I have server IP: 170.x.x.x (main web server)

I put the following in the rules (match-set dropips src has a bad IP address (168.x.x.x) and it should be dropped):

iptables -L -n -v --line-numbers

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 125 6588 DROP all -- * * match-set dropips src
2 5441 939K ispmgr_deny_ip all -- * *
3 5441 939K ispmgr_allow_ip all -- * *

I have the following chain:
If CloudFlare (proxy mode OFF) > 178.x.x.x (real_ip_header CF-Connecting-IP) > 170.x.x.x
iptables rule number 1 works and all is good.

Attention, question:

I have the following chain:
CloudFlare (proxy mode ON) > 178.x.x.x (real_ip_header CF-Connecting-IP) > 170.x.x.x

In this case, my iptables rule number 1 does not work. Why?
Why does it happen? What am I doing wrong?


Server configuration is unfortunately somewhat off-topic for the forum here. This is better asked at StackExchange and the like.