Marcin Giedz wrote:
> Hello,
>
>>You're providing too little information, so nobody can help you - even if
>>he/she desired to do so.
>
> Maybe you are right.. I will try once again.
>
> In my office we have 2 gateways. One of them GATEWAY1 is connected to one ISP1
> and it is also default gateway for almost all of our servers. I said "almost"
> because there is one server "service" where default gateway is GATEWAY2
> connected to another ISP2.
>
> All of our customers run Services situated on "service" server via GATEWAY2.
> But if GATEWAY2 is down or connection to ISP2 is broken I would like that
> customers can still connect to Services via GATEWAY1. So I need some kind of
> redirection on GATEWAY1 because I don't want to switch default gateway on
> "service" manually. However if GATEWAY2 is running OK some part of our
> customers can still run Services via GATEWAY1. My problem is:
> how to route connections to "service" server passed via GATEWAY1?

Just to summarize the important points. Main traffic goes via GW1 to ISP1, but the server in question has as default GW GW2, which in turn has default GW to ISP2. The problem is to forward incoming connections from GW1 to GW2 (or your special service server), if customers connect to service server via GW1.

> Packets MARK'ing work within kernel so can be used. Another way is changing
> TOS on GATEWAY1 for "these" packets and route them to "service".

Yes, almost for sure, it is possible to have a solution based on MARK and / or TOS, but I don't believe that it's necessary. You said in your posting "IP:Port REDIRECT problem" that you tried with public IPs to no avail. Why public IPs? If your GWs aren't connected to each other somehow, I suggest connecting them with RFC1918 addresses and setting the routes accordingly. You don't want to redirect from GW1 to GW2 via the internet, do you?

Once the GWs are connected, I think the simple solution will be to use DNAT and SNAT with iptables, 'cause I can't see anything that needs more effort. So it breaks down to curby's posting, which looks something like this:

## On GW1
iptables -t nat -A PREROUTING -p tcp --dport 4000 \
  -i $INET_IFACE -j DNAT --to-destination $IP_OF_GW2

## If FORWARD policy is not ACCEPT or you have a rule like
## ... -A FORWARD -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
iptables -A FORWARD -i $INET_IFACE -o $IFACE_TO_GW2 \
  -p tcp --dport 4000 --syn -j ACCEPT

## You need SNAT too, at least it's the safe way
iptables -t nat -A POSTROUTING -o $IFACE_TO_GW2 \
  -p tcp --dport 4000 -j SNAT --to-source $IP_OF_IFACE_TO_GW2

So, if GW1 and GW2 are connected somehow and know how to route packets to each other, the packets in question will reach GW2 with a source address of GW1. If allowed by iptables rules, GW2 will forward / redirect these packets to "service server" (maybe applying DNAT and SNAT too) and everything should work.

HTH and have a nice time,
Joerg
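
The GW2 side that the reply above leaves open ("maybe applying DNAT and SNAT too"), as an added example that is not part of the original post. The variable names, interface names and addresses are assumptions made up for illustration; the function only prints rules in iptables-restore format and applies nothing.

```shell
#!/bin/sh
# Added example: GW2-side counterpart to the GW1 rules. Every address and
# interface name below is a constructed placeholder, not from the thread.
GW1_LINK_IP="${GW1_LINK_IP:-10.255.0.1}"   # GW1's address on the GW1<->GW2 link
LINK_IFACE="${LINK_IFACE:-eth2}"           # GW2 interface facing GW1
LAN_IFACE="${LAN_IFACE:-eth1}"             # GW2 interface facing "service"
SERVICE_IP="${SERVICE_IP:-192.168.10.20}"  # the "service" server
PORT="${PORT:-4000}"

# Succeeds only if $1 is a dotted quad inside an RFC1918 range.
is_rfc1918() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    case "$1" in
        10)  return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] ;;
        192) [ "$2" -eq 168 ] ;;
        *)   return 1 ;;
    esac
}

# Print the GW2 rules in iptables-restore format; nothing is applied here.
gw2_rules() {
    is_rfc1918 "$GW1_LINK_IP" || { echo "GW1_LINK_IP must be RFC1918" >&2; return 1; }
    cat <<EOF
*nat
# GW1's SNAT makes every redirected packet arrive from GW1's link address,
# so the DNAT matches only that source on the link interface.
-A PREROUTING -i $LINK_IFACE -s $GW1_LINK_IP -p tcp --dport $PORT -j DNAT --to-destination $SERVICE_IP
# No SNAT here: "service" already has GW2 as default gateway, so its replies
# return through GW2 and are translated back by connection tracking.
COMMIT
*filter
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LINK_IFACE -o $LAN_IFACE -s $GW1_LINK_IP -d $SERVICE_IP -p tcp --dport $PORT --syn -j ACCEPT
COMMIT
EOF
}

# Run as "sh gw2-rules.sh print" to see the ruleset.
case "${1:-}" in print) gw2_rules ;; esac
```

Piping the output into `iptables-restore --noflush --test` on GW2 parses the rules without committing them. Because of the SNAT on GW1, "service" will log GW1's link address instead of the customer's address.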