Dealing with a decent-sized website property, there were a few times we needed to take the site away from the public and do a few rollouts. We didn't want the public coming to the site and seeing a broken page, or getting no response at all. So we decided to intercept all port 80 traffic and forward it to a different server that hosted an under-construction page.

The script is as follows:


#!/bin/bash

# Keep existing connections flowing; allow everything this box originates or forwards.
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# We don't want to forward our development team. Replace the xxx's with your dev team's IPs.
# REDIRECT back to local port 80 keeps their traffic on this box, and because a nat target
# ends nat-chain traversal, the DNAT rules below never apply to them (-j ACCEPT in the nat
# table would do the same).
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -s xxx.xxx.xxx.xxx -j REDIRECT --to-ports 80
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -s xxx.xxx.xxx.xxx -j REDIRECT --to-ports 80

# Forward everyone else to the maintenance server at yyy.yyy.yyy.yyy.
# (This parses old net-tools ifconfig output, "inet addr:a.b.c.d"; "ip -4 addr" is the modern equivalent.)
for IP in $(/sbin/ifconfig | grep 'inet addr:' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{ print $1 }'); do
    # FORWARD runs after nat PREROUTING and sees the rewritten destination,
    # so match the maintenance server here, not $IP.
    /sbin/iptables -A FORWARD -i eth0 -o eth0 -p tcp --dport 80 -d yyy.yyy.yyy.yyy -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # Rewrite the destination of public port 80 traffic aimed at this address.
    /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -d $IP -j DNAT --to-destination yyy.yyy.yyy.yyy
    # Source-NAT it so the maintenance server replies back through this box instead of straight to the client.
    /sbin/iptables -t nat -A POSTROUTING -p tcp --dport 80 -d yyy.yyy.yyy.yyy -j SNAT --to-source $IP
done

# Turn on IPv4 forwarding so the translated packets are actually relayed.
echo 1 > /proc/sys/net/ipv4/ip_forward

When we were done and ready for the public to start visiting the site again, we simply stopped and restarted iptables. The rules above are appended live and never saved, so a restart of the iptables service reloads the saved ruleset without them. Note that the script only covers port 80 (HTTPS traffic still reaches the real site), the SNAT means the maintenance server logs this box's address rather than the client's, and because every rule is appended, running the script twice duplicates all of them.
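The same maintenance-mode switch, rebuilt as an added example (this is not the post's script) using dedicated chains, so it can be turned on and off without restarting the whole firewall or losing client addresses in the rest of the ruleset. Everything concrete in it is an assumption: interface eth0, a maintenance host at 203.0.113.10, developer addresses 198.51.100.5 and 198.51.100.6 (all documentation ranges), and iproute2's `ip` for address discovery. It also covers port 443, which the post's script leaves untouched; that generalises the post's port 80 case.

```shell
#!/bin/bash
# Added example, not the original post's script. Maintenance-mode redirect built
# as its own iptables chains (MAINT_PRE / MAINT_POST / MAINT_FWD) so it can be
# switched on and off cleanly. All addresses below are assumed (documentation
# ranges) and must be replaced. Set DRY_RUN=1 to print commands instead of applying.

IPT=${IPT:-/sbin/iptables}
IFACE=${IFACE:-eth0}
MAINT_HOST=${MAINT_HOST:-203.0.113.10}            # assumed maintenance server
DEV_IPS=${DEV_IPS:-"198.51.100.5 198.51.100.6"}   # assumed developer addresses
PORTS=${PORTS:-"80 443"}                          # the post only redirected 80

# Run iptables, or just print the command when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        # In a dry run, pretend a -C existence check found nothing so the insert is shown.
        case " $* " in *" -C "*) return 1 ;; esac
        echo "$IPT $*"
        return 0
    fi
    "$IPT" "$@"
}

# Local IPv4 addresses minus loopback (LOCAL_IPS overrides discovery, e.g. for dry runs).
local_ips() {
    if [ -n "$LOCAL_IPS" ]; then
        printf '%s\n' $LOCAL_IPS
        return
    fi
    ip -4 -o addr show | awk '{ sub(/\/.*/, "", $4); if ($4 != "127.0.0.1") print $4 }'
}

maint_on() {
    local ip dev port
    # Create the chains if missing, then flush them, so re-running never duplicates rules.
    ipt -t nat -N MAINT_PRE 2>/dev/null;  ipt -t nat -F MAINT_PRE
    ipt -t nat -N MAINT_POST 2>/dev/null; ipt -t nat -F MAINT_POST
    ipt -N MAINT_FWD 2>/dev/null;         ipt -F MAINT_FWD

    # Developers leave the chain untouched and land on the real site.
    for dev in $DEV_IPS; do
        ipt -t nat -A MAINT_PRE -s "$dev" -j RETURN
    done

    for port in $PORTS; do
        for ip in $(local_ips); do
            # DNAT public hits on one of our addresses to the maintenance host...
            ipt -t nat -A MAINT_PRE -i "$IFACE" -p tcp --dport "$port" -d "$ip" \
                -j DNAT --to-destination "$MAINT_HOST"
            # ...and SNAT them so the replies come back through this box (hairpin).
            # Consequence: the maintenance host logs our address, not the client's.
            ipt -t nat -A MAINT_POST -p tcp --dport "$port" -d "$MAINT_HOST" \
                -j SNAT --to-source "$ip"
        done
        # FORWARD sees the post-DNAT destination, so match the maintenance host here.
        ipt -A MAINT_FWD -i "$IFACE" -o "$IFACE" -p tcp --dport "$port" -d "$MAINT_HOST" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    ipt -A MAINT_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Hook the chains in at position 1; -C keeps a re-run from adding a second jump.
    ipt -t nat -C PREROUTING -j MAINT_PRE 2>/dev/null   || ipt -t nat -I PREROUTING 1 -j MAINT_PRE
    ipt -t nat -C POSTROUTING -j MAINT_POST 2>/dev/null || ipt -t nat -I POSTROUTING 1 -j MAINT_POST
    ipt -C FORWARD -j MAINT_FWD 2>/dev/null             || ipt -I FORWARD 1 -j MAINT_FWD
    [ -n "$DRY_RUN" ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

maint_off() {
    # Unhook and delete only our chains; the rest of the ruleset is left alone.
    ipt -t nat -D PREROUTING -j MAINT_PRE 2>/dev/null
    ipt -t nat -D POSTROUTING -j MAINT_POST 2>/dev/null
    ipt -D FORWARD -j MAINT_FWD 2>/dev/null
    ipt -t nat -F MAINT_PRE 2>/dev/null;  ipt -t nat -X MAINT_PRE 2>/dev/null
    ipt -t nat -F MAINT_POST 2>/dev/null; ipt -t nat -X MAINT_POST 2>/dev/null
    ipt -F MAINT_FWD 2>/dev/null;         ipt -X MAINT_FWD 2>/dev/null
}

case "${1:-}" in
    on)  maint_on ;;
    off) maint_off ;;
esac
```

Run it as root with `./maint.sh on` before the rollout and `./maint.sh off` afterwards; `DRY_RUN=1 ./maint.sh on` prints every iptables command without touching the kernel. Two caveats carry over from the post's approach: the developer exemption is by source address only, and redirecting 443 only works if the maintenance host presents a certificate valid for the site's hostname.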
