Question

With a web server (Apache or nginx) I am able to read the x-forwarded-for header and find the client IP rather than the ELB's IP.

Can I do the same thing using IPTables so that I am able to block certain IP addresses?

I can do this at the web server level. However, I think this is a bit inefficient, and I am hoping I can achieve this with iptables or something similar.


Solution 2

You can't do this with iptables, because iptables will only ever see the IP address of the elastic load balancer, since the ELB is what is establishing the connections to your instance.

Using the web server to block certain x-forwarded-for values isn't particularly inefficient, but if you want to control who can access your ELB by IP address, that can also be accomplished with the Security Group attached to the ELB.


Update: Your comment is partially correct, because, at least as of now, ELB on EC2 "classic" does not support an inbound security group or network access control list, but ELB on VPC does.

Q: Can I configure a security group for the front-end of the Elastic Load Balancer?

If you are using Amazon Virtual Private Cloud, you can configure security groups for the front-end of your Elastic Load Balancer. — http://aws.amazon.com/ec2/faqs/#ELB6

Security groups are easiest to use when you need to allow a relatively small set of specific IP address ranges. If you want to allow most but block a few, then a VPC Network Access Control List is the easier approach.

OTHER TIPS

Since July 30th, ELB supports Proxy Protocol. As stated at the end of this thread in the AWS forum:

Elastic Load Balancing (ELB) now supports Proxy Protocol version 1. This feature allows you to identify the client’s connection information when using TCP load balancing, providing additional insight into visitors to your applications. Having this information can be useful for analyzing traffic logs, gathering connection statistics, troubleshooting, or managing whitelists of IP addresses.

You must enable Proxy Protocol in the ELB.

The developer's guide has more information about Proxy Protocol.
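To show what the backend actually receives once Proxy Protocol is enabled, here is an added example (not from the answer above or from AWS) that parses the PROXY v1 line the ELB prepends to each TCP connection, refuses it unless the TCP peer is one of the load balancer's own addresses, and then applies an IP denylist to the real client address. The denylist, the trusted proxy range and the sample header bytes are constructed values.

```python
import ipaddress

MAX_V1_LINE = 107  # a PROXY v1 header never exceeds 107 bytes including CRLF

# Constructed sample policy: client ranges to refuse, and the only peers whose
# PROXY line is believed (the load balancer's private addresses, hypothetical).
DENYLIST = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.7/32")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def parse_proxy_v1(data: bytes):
    """Parse the PROXY v1 line at the start of a TCP stream.
    Returns (info, rest); info is None for 'PROXY UNKNOWN'. Malformed input
    raises ValueError so the caller can drop the connection."""
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or malformed PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]
    if fields[1] == "UNKNOWN":  # proxy could not determine the client; no addresses follow
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unexpected PROXY v1 field layout")
    proto, src, dst, sport, dport = fields[1:]
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    family = 4 if proto == "TCP4" else 6
    if src_ip.version != family or dst_ip.version != family:
        raise ValueError("address family does not match declared protocol")
    if not (sport.isdigit() and dport.isdigit()) or int(sport) > 65535 or int(dport) > 65535:
        raise ValueError("port out of range")
    return {"src": src_ip, "dst": dst_ip, "sport": int(sport), "dport": int(dport)}, rest


def is_denied(info, denylist=DENYLIST) -> bool:
    """Policy check on the real client address. UNKNOWN is treated as denied
    (fail closed) because there is no address to evaluate."""
    if info is None:
        return True
    return any(info["src"] in net for net in denylist)


def accept_connection(peer_ip: str, first_bytes: bytes) -> bool:
    """Decide whether to serve a connection. The PROXY line is only trusted when
    the TCP peer is a known proxy; any other peer presenting one could claim an
    arbitrary client address, so such connections are refused outright."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return False  # connection that bypassed the load balancer
    try:
        info, _payload = parse_proxy_v1(first_bytes)
    except ValueError:
        return False
    return not is_denied(info)
```

The same peer check matters for the X-Forwarded-For approach in the web server: only the load balancer's addresses should be allowed to set the client IP.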

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow