Hi,
I've been trying to figure out how to get iptables to stop accepting new
connections on port 80 while letting the existing connections finish up
what they're doing.
I thought it would be as easy as removing the rule that allows new
connections and leaving the rule that allowed related and established
connections, but when I remove the rule that allows new connections, all
connections stop working.
I tried variations with the rule, like changing NEW to ESTABLISHED and
such, but no luck...
I was working on this during off hours when the web server only had maybe
5 or 6 active connections, so I'm not sure if the connection tracking
module is the problem or if it's what I'm doing. I know the following
rules aren't the greatest, but we're behind a firewall and use host-based
firewalls as just another security measure.
This is all on stock RHEL4 kernels and packages - but I tested with Gentoo
on 2.6.13 and had the same issues.
Hopefully I've included enough info to help you help me :)
Thanks,
Mike
####### script to edit iptables rules
#!/bin/bash
# stop accepting new connections..
# this is the default chain on the web servers.
chain="RH-Firewall-1-INPUT"
port=80
case "$1" in
start)
# umm, yeah, start to stop accepting new connections
echo "removing iptables rule for new connections on port $port"
# list only our chain: line numbers restart in every chain, so scanning the
# full listing could return a number that belongs to INPUT or FORWARD instead
line=$(iptables -nL "$chain" --line-numbers | awk -v p="dpt:$port" '$10 == p {print $1; exit}')
if [ -z "$line" ]; then
    echo "no NEW rule for port $port found in chain $chain" >&2
    exit 1
fi
iptables -D "$chain" "$line"
;;
stop)
# re-add the deleted rule to accept new connections
echo "now allowing connections"
# inserting it on line 6 because that's where it is when iptables starts after a reboot
iptables -I "$chain" 6 -p tcp -m state --state NEW -m tcp --dport "$port" -j ACCEPT
;;
*)
echo "usage: $0 {start|stop}" >&2
exit 1
;;
esac
####### end script
#### system info
[root@www16 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux AS release 4 (Nahant Update 2)
[root@www16 ~]# uname -a
Linux www16 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:32:14 EDT 2005 i686 i686 i386 GNU/Linux
[root@www16 ~]# iptables -nL --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:5666
9 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:161
10 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
[root@www16 ~]# iptables-save
# Generated by iptables-save v1.2.11 on Wed Dec 7 12:20:25 2005
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10643556:3502431634]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 161 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Dec 7 12:20:25 2005
[root@www16 ~]# iptables --version
iptables v1.2.11
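A chain-scoped way to locate the rule, added here as an example and not part of Mike's script: the poster's awk scans the whole `iptables -nL --line-numbers` listing, but line numbers restart in each chain, so a `dpt:80` match in another chain yields a number that then deletes the wrong position in RH-Firewall-1-INPUT. The listing below is constructed from the output above with an extra FORWARD rule (not in the original) to show the difference, and `drain_port` assumes a root shell with iptables on the PATH.

```shell
#!/bin/sh
# Print the line number of the "state NEW ... dpt:<port>" ACCEPT rule inside
# ONE chain of an `iptables -nL --line-numbers` listing read from stdin.
# Prints nothing if that chain has no such rule.
find_rule_line() {
    awk -v chain="$1" -v port="$2" '
        /^Chain / { in_chain = ($2 == chain); next }   # remember which chain we are in
        in_chain && $2 == "ACCEPT" && $7 == "state" && $8 == "NEW" &&
            $10 == ("dpt:" port) { print $1; exit }
    '
}

# Drain a port by deleting the NEW-accept rule by its full specification
# instead of by number, so no listing has to be parsed at all. The
# RELATED,ESTABLISHED rule is untouched, so in-flight connections finish.
drain_port() {
    iptables -D "$1" -p tcp -m state --state NEW -m tcp --dport "$2" -j ACCEPT
}

# Constructed listing modelled on the poster's output; FORWARD has been given
# a dpt:80 rule of its own (not in the original) to show why the chain must be
# selected before the number is read.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
2 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0
5 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80
7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
8 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited'

# The unscoped scan (what the original awk does) stops at the FORWARD rule and
# returns 1; scoping to the chain returns 6, the rule that should actually go.
unscoped_line() { printf '%s\n' "$SAMPLE_LISTING" | awk '$10 ~ /dpt:80/ {print $1; exit}'; }
scoped_line()   { printf '%s\n' "$SAMPLE_LISTING" | find_rule_line RH-Firewall-1-INPUT 80; }
```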