iptables for automatic failover or maintenance pages might seem like a strange choice, but it works!
iptables has an obscure but useful feature, the socket filter. From the man page:
This matches if an open socket can be found by doing a socket lookup on the packet.
In other words, we can use this filter to redirect incoming connections to a “failover” server when the main server.
This can be accomplished with a couple
```shell
# Rule 1: if a local socket (the main server) is listening on <server port>,
# accept the packet unchanged so it reaches that server.
sudo iptables -A PREROUTING -t nat -i <interface> -p tcp --dport <server port> -m socket -j ACCEPT
# Rule 2: otherwise (no listener found), rewrite the destination port so the
# connection lands on the failover server instead.
sudo iptables -A PREROUTING -t nat -i <interface> -p tcp --dport <server port> -j REDIRECT --to-ports <failover port>
```
These rules let a connection through when a server is listening on the port; otherwise they redirect it to a failover server listening on a separate port. Two details matter in practice: the nat table is consulted only for the first packet of a connection, so the decision is made once per connection, and the socket match ignores listeners bound to the wildcard address (0.0.0.0) unless `--nowildcard` is added, so a main server that is not bound to a specific address needs that flag on the first rule.
I can think of a few ways to use this. For example, sometimes I need to restart the nginx server that fronts this website, such as for configuration changes. During the few seconds while Docker recreates the nginx container, users trying to visit the site get an ugly “connection refused” error. Instead of driving users away, the server can automatically show them a prettier error message from a small Node.js server, telling them to refresh in a few seconds.
While proxies like haproxy also work, I needed a quick and lightweight way to automatically display a maintenance page.
iptables does the job beautifully.
There might be many ways to use this iptables feature. Share your ideas in the comments below!