Say I have a quick network partition test that I'd like to run, like disconnecting two halves of a Redis cluster from each other, and I want to use iptables to temporarily disconnect one group of servers from another group.
This is very similar to the question asked on the fedora mailing list:
https://www.redhat.com/archives/rhl-list/2006-January/msg03380.html
If I don't see an EXISTING,RELATED in the output from iptables --list, do I have to worry about this?
The following answer on the fedora mailing list seems to say that yes, existing connections will close if I don't see an EXISTING,RELATED in the output from iptables --list.
https://www.redhat.com/archives/rhl-list/2006-January/msg03396.html
A note for the reflexive flaggers out there: This question, and, more importantly, its answers, would discuss whether iptables drops existing connections upon updates to its rules.
So far as I can tell, other questions on this site, on this subject, do not address the differences between existing and attempted connections:
How to close certain TCP/UDP ports (incoming) for ALL networks except listed through IPTABLES
I found most of my research results from the Google search at the following URL:
https://duckduckgo.com/?q=iptables+close+existing+connections
No iptables rule will ever close an existing TCP connection as that involves actively transmitting a message with the FIN bit. That is done by the application and not by a packet filter.
On the other hand iptables can, at any moment, block your application from receiving or transmitting new packets over any existing connection and it can also deny any new connections from getting established.
That is regardless of whether you have a stateful firewall or not.
It all depends on where exactly you insert your new firewall rules. Because, remember, your firewall rules are checked in the order they are listed and processing will stop at the first dispositive match.
I.e. a simple stateful firewall:
Now if you want a new rule:
and insert it at position #1 all packets received from that host will be blocked.
Insert that rule at position #2 and packets on existing connections will still be allowed but no new connections can be established.
Inserting that particular new rule at position #3 is useless, as the effect is the same as not having a specific policy for 10.0.0.89 at all, but that would be the right place to put a rule granting access to 10.0.0.89 to additional ports.
And using iptables -A INPUT to append a new rule to the INPUT chain is useless as that will place the rule at position #4, where all traffic is already rejected by the INPUT -j REJECT --reject-with icmp-host-prohibited rule.
In short: use the rule number option in iptables -I (instead of iptables -A) to place the new (temporary) rule where it will have the desired effect:
If, with the same stateful firewall configuration, you want to stop allowing plain HTTP, you can delete the rule allowing traffic to port 80, but doing so will not empty the session state table used by iptables, and existing connections to port 80 will still be allowed by the rule
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
You can solve that by simply stopping/restarting the webserver, which will properly close those open sessions by sending FIN messages and clear them from the session state table.
Alternatively you can add a rule blocking packets to port 80 at position #1.
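Applying the answer's positioning logic to the partition test in the question, as an added example that is not part of either post: the script locates the RELATED,ESTABLISHED rule in a constructed `iptables -S INPUT` listing and emits the DROP commands for the other half of the cluster at position 1 (existing sessions are cut too) or just after the state rule (only new connections are refused). The host addresses and the rule listing are constructed; nothing here touches a live firewall until the emitted commands are piped to sh as root.

```shell
#!/bin/sh
# Added example, not from the original answer. Constructed `iptables -S INPUT`
# output of a simple stateful firewall (rule numbers as `iptables -L --line-numbers`).
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# state_rule_index RULES -> 1-based position of the RELATED,ESTABLISHED rule in
# the INPUT chain, 0 if there is none. Only -A INPUT lines count as rules.
state_rule_index() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { n++
            if ($0 ~ /--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED)/) { print n; found = 1; exit } }
        END { if (!found) print 0 }'
}

# insert_position RULES MODE -> where to -I the DROP rules.
#   cut_all:  position 1, ahead of the state rule, so packets on already
#             established connections are dropped as well (a real partition).
#   new_only: directly after the state rule, so established sessions survive
#             and only new connections are refused. Without a state rule this
#             degenerates to position 1, which is then the only safe choice.
insert_position() {
    case "$2" in
        cut_all)  echo 1 ;;
        new_only) idx=$(state_rule_index "$1"); echo $((idx + 1)) ;;
        *) echo "unknown mode: $2" >&2; return 1 ;;
    esac
}

# partition_cmds ACTION POS HOST... -> one iptables command per host.
# ACTION I inserts a DROP at POS; ACTION D deletes the same rule (POS ignored),
# which heals the partition without disturbing the rest of the chain.
partition_cmds() {
    action=$1; pos=$2; shift 2
    for h in "$@"; do
        if [ "$action" = I ]; then
            echo "iptables -I INPUT $pos -s $h -j DROP"
        else
            echo "iptables -D INPUT -s $h -j DROP"
        fi
    done
}

# Demo: on every node of group A, cut group B (constructed addresses) completely.
GROUP_B='10.0.0.89 10.0.0.90'
partition_cmds I "$(insert_position "$SAMPLE_RULES" cut_all)" $GROUP_B
```

Run the same script on group B with group A's addresses to partition both directions; replace SAMPLE_RULES with `$(iptables -S INPUT)` on a real node, and pipe the D commands to sh to heal.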