ehlo,
one question: do you shut down all your app-servers or server-by-server, so you still have
an available application?
there is the "down" option for your upstream-block to disable servers, even if they are
up, but using this in a dynamic process might get very fiddly.
what do you use for iptables-rules? drop/reset?
i'd debug your server/app-ports when the iptables-script enforces no connections,
from my belly i wouldn't expect nginx to be the faulty chain link.
what does your log tell you when your appservers come up again and the iptables-block
is enforced?
regards,
mex