Hi > On 03/19/08 13:21, Franck JONCOURT wrote: > > This is perhaps not a good way to do, but I was thinking > about using > > the __ip route__ command. > > > > ip route add 192.168.2.0/24 via 192.168.0.2 > > > > where 192.168.2.0/24 would be the B1 network and > 192.168.0.2 would be > > the B2 ip address. > > > > Is that wrong ? > > "ip route" routes traffic based on destination IP address not > necessarily the network that it would pass through to get > there. So if you have traffic headed to my web server, you > can not use "ip route" to get it there with out specifying my > servers IP address / subnet in the ip route command. Right. Even more: In my scenario the same client should be able to reach the service using the public ip of both servers. Therefor routing based on the destination (=client) ip is not possible at all. However if the target ip was the A1 then reply as usual (use default route) and if the target ip was A2 (only possible because it was forwarded from B1) then route the packet to B2, where B will route the packets as usual (using default route). Regards, Steffen -- Original Message ------------------------ Hi I have two servers, having public IPs A1, B1, connected via private IPs A2, B2 on a openVPN network. Now I need to make a service (port p) of server A1:p available via B1:p. So I want to try the following: 1. At B: dnat every incoming connection for B1:p to A2:p. - this is to archieve my goal - 2. At A: Route every packet "from A2:P" to B2. - otherwise A would try to route to the client via its gateway, which would fail because of the private sender ip. - I think I can do the first: iptables -t nat -I PREROUTING -p tcp --dport p -j DNAT --to A2:p But I don't know how to do the second. Any hints? Regards, Steffen
Attachment:
smime.p7s
Description: S/MIME cryptographic signature