
How to restart a Java service without disruption using firewall/iptables?

If I enable this rule

iptables -t nat -A PREROUTING -p tcp --dport 80  -j REDIRECT --to 8080

Then connections coming to the server port 80 are redirected to localhost:8080. If I want to restart the service, can I just start the service on another port? Say, port 8081, and reroute the firewalling to

iptables -t nat -A PREROUTING -p tcp --dport 80  -j REDIRECT --to 8081 # Apparently -A won't work. I have to replace the rule, not add it. But I don't know how to do it yet

However, what about the established TCP socket connections on the NAT-ed port 8080? Will they be dropped immediately after firewall changes? Alternatively, will they keep working until a normal TCP socket close?

If so, then this works as a restart of the application with no disruption, by having the old instance on port 8080 in a graceful shutdown and the new one on port 8081 with the new features.

Is this reasoning correct?

Yes, you can start an additional Java process on the new port 8081 and change the firewall rule to that port. Whether the connections will be dropped in case of a restart is determined by the option IPTABLES_MODULES_UNLOAD. If this option is set to yes (default), they will be dropped; if no, then they should not. I would suggest using a reverse proxy (Nginx, for example) instead of a firewall for balancing.

On Server Fault I got an incorrect technical answer, but that corrected my way of thinking. I should use HAProxy or similar to do this job instead of a firewall. https://serverfault.com/a/795654/175654
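
For the rule replacement the question asks about, here is an added example (not code from the question or the answers): a shell helper that finds the existing port-80 REDIRECT rule in `iptables -t nat -S PREROUTING` output and prints the `iptables -R` command that swaps its target port. The function names and the sample rule listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -S PREROUTING` output (not from the page).
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080'

# find_redirect_rule DPORT
# Reads `iptables -S <chain>` output on stdin and prints the 1-based rule
# number of the first REDIRECT rule matching that destination port.
# Returns non-zero when no such rule exists.
find_redirect_rule() {
    awk -v dport="$1" '
        $1 == "-A" {
            n++                      # rule numbers count only -A lines
            port = 0; redir = 0
            for (i = 1; i < NF; i++) {
                if ($i == "--dport" && $(i + 1) == dport) port = 1
                if ($i == "-j" && $(i + 1) == "REDIRECT") redir = 1
            }
            if (port && redir) { print n; found = 1; exit }
        }
        END { if (!found) exit 1 }
    '
}

# build_replace_cmd DPORT NEWPORT
# Prints (does not run) the in-place replacement for the rule found above.
build_replace_cmd() {
    for p in "$1" "$2"; do
        case "$p" in
            ''|*[!0-9]*) echo "port must be numeric: '$p'" >&2; return 2 ;;
        esac
    done
    num=$(find_redirect_rule "$1") || {
        echo "no REDIRECT rule for tcp/$1 in this chain" >&2
        return 1
    }
    echo "iptables -t nat -R PREROUTING $num -p tcp --dport $1 -j REDIRECT --to-ports $2"
}

# Dry run against the constructed listing; on a real host, pipe in
# `iptables -t nat -S PREROUTING` and review the printed command before running it.
printf '%s\n' "$SAMPLE_RULES" | build_replace_cmd 80 8081
```

Replacing the rule in place with `-R` does not touch the conntrack table, and the nat table is only consulted for the first packet of a connection.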
