[CentOS] This firewall rule will self-destruct

Sat Mar 17 02:44:49 UTC 2007
MrKiwi <mrkiwi at gmail.com>

Benjamin Smith wrote:
> Ok,
> I have a challenge - get two services working over a single port. (!) 
> Sometimes it's a web service, sometimes it's a VNC service. Here's what 
> I had in mind:
> 1) Server is normally a webserver listening on port 80, and normally has 
> the following rules active:
> # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> # iptables -t nat -A POSTROUTING -j MASQUERADE
> 2) Server hosts a special PHP script, that when called correctly, sets 
> rules like
> # iptables -I PREROUTING -p tcp -s $REMOTE --dport 80 -j DNAT 
> --to-destination $FWIP:$FWPORT
> # iptables -I FORWARD -p tcp -s $REMOTE --dport 80 -j ACCEPT
> The *next* tcp connection from their computer to the webserver will get 
> NAT'd to service $FWIP:$FWPORT.
> But I want this rule cleared out as soon as the connection is made with 
> the latter altered rules. Is there a way to write a rule or set of rules 
> that, when activated, then delete themselves? The "ESTABLISHED,RELATED" 
> rule should keep the connection alive even after the latter rules are 
> killed, right?
> Is this possible? Am I just out in left field?

Without knowing your reasons for doing this, i would stick 
my neck out and say ...
Have a look at port knocking - it looks like you are trying 
to either decrease your visibility, or mitigate a situation 
where you have no control over an intermediate firewall that 
only passes port 80