Pascal Hambourg wrote:
Which option did you choose?
We still have the outbound server DNAT-ing connections to the
webserver's ip, that worked fine.
On the webserver we now mark all outgoing web packets:
# iptables -t mangle -A OUTPUT -s <webserver_inner_ip> -p tcp --sport 80 -j MARK --set-mark 2
And we use iproute2 to forward them back to the outbound server:
# ip rule add fwmark 2 pref 10 table web.out
# ip route add default via <outbound_box_ip> dev eth0 table web.out
Couldn't test with CONNMARK, as the box doesn't ship with that, but MARK
works great for now.
I did test your last option too, but that just didn't work and sounded
very hacky-ish, not something we could rely on, even if it worked.
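The MARK plus iproute2 setup described in the reply above, written out as a complete, re-runnable script. This is an added example, not code from the thread or from either poster. The thread gives only the placeholders <webserver_inner_ip> and <outbound_box_ip>, the interface eth0, mark 2 and the table name web.out; the concrete addresses (RFC 5737 documentation range), the numeric table id 100 behind the name web.out, the DRY_RUN switch and the teardown/verify helpers are assumptions added here. It uses `ip route replace` rather than `ip route add` so that a second run does not fail on an existing route.

```shell
#!/bin/sh
# Symmetric return path for DNAT'd web traffic: mark the webserver's replies
# and policy-route them back through the outbound box that did the DNAT.
# Added example, not code from the thread. Addresses, table id and DRY_RUN
# are assumptions; the thread only names eth0, mark 2 and table web.out.
set -u

WEB_IP="${WEB_IP:-192.0.2.10}"            # <webserver_inner_ip> (assumed)
OUTBOUND_IP="${OUTBOUND_IP:-192.0.2.1}"   # <outbound_box_ip> (assumed)
IFACE="${IFACE:-eth0}"
MARK=2
TABLE_ID="${TABLE_ID:-100}"               # numeric id behind the name web.out (assumed)
TABLE_NAME="web.out"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-0}"                   # DRY_RUN=1 prints commands instead of running them

# Run a command, or print it when DRY_RUN=1 (lets you review the plan unprivileged).
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# iproute2 only resolves "table web.out" if the name is listed in rt_tables.
register_table() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo "%s %s" >> %s\n' "$TABLE_ID" "$TABLE_NAME" "$RT_TABLES"
    elif ! awk -v id="$TABLE_ID" -v name="$TABLE_NAME" \
            '$1 == id && $2 == name { found = 1 } END { exit !found }' "$RT_TABLES" 2>/dev/null; then
        printf '%s %s\n' "$TABLE_ID" "$TABLE_NAME" >> "$RT_TABLES"
    fi
}

# Each step is guarded so re-running the script does not stack duplicate rules.
setup() {
    register_table
    # 1. Mark locally generated replies from the web server (source port 80).
    if [ "$DRY_RUN" = 1 ] || ! iptables -t mangle -C OUTPUT -s "$WEB_IP" -p tcp --sport 80 -j MARK --set-mark "$MARK" 2>/dev/null; then
        run iptables -t mangle -A OUTPUT -s "$WEB_IP" -p tcp --sport 80 -j MARK --set-mark "$MARK"
    fi
    # 2. Marked packets consult table web.out before the main table ("ip rule show" prints the mark in hex).
    if [ "$DRY_RUN" = 1 ] || ! ip rule show | grep -q "fwmark $(printf '0x%x' "$MARK") "; then
        run ip rule add fwmark "$MARK" pref 10 table "$TABLE_NAME"
    fi
    # 3. The table's only route: back through the outbound box, so its conntrack entry can un-DNAT the reply.
    run ip route replace default via "$OUTBOUND_IP" dev "$IFACE" table "$TABLE_NAME"
}

# Undo the three steps in reverse order.
teardown() {
    run ip route flush table "$TABLE_NAME"
    run ip rule del fwmark "$MARK" pref 10 table "$TABLE_NAME"
    run iptables -t mangle -D OUTPUT -s "$WEB_IP" -p tcp --sport 80 -j MARK --set-mark "$MARK"
}

# Show what is in effect. The -v -n listing of the mangle OUTPUT chain carries
# packet counters: a counter stuck at zero after a test request means replies are not being marked.
verify() {
    ip rule show
    ip route show table "$TABLE_NAME"
    iptables -t mangle -L OUTPUT -v -n
}

case "${1:-}" in
    up)   setup ;;
    down) teardown ;;
    show) verify ;;
esac
```

Run it as root on the webserver with `sh webout.sh up`, then `sh webout.sh show` and fetch a page through the outbound box to confirm the MARK counter increments; `sh webout.sh down` removes everything. One caveat worth checking on the webserver: if the outbound box is reached over a different interface than the default gateway, strict reverse-path filtering (`net.ipv4.conf.<iface>.rp_filter=1`) on the interface the DNAT'd requests arrive on will drop them, because the kernel's reverse lookup for the client's address points out another interface; loose mode (`rp_filter=2`) on that interface avoids that.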