We have a system that looks internally like this:

                   eLAN
                     |
                     |
              --------------
              | ETH-switch |
              --------------
              |p1        |p2
              |          |
          --------    --------
          |HOST_1|----|HOST_2|
          --------  iLAN --------
              |
          ........
          . APPs .
          ........

It is a simplified view, but in essence it offers a sort of traffic protection, and as a consequence it means our APPs should be accessible through the one external LAN IP address (eLAN-IP-addr) no matter which switch port is active (p1 or p2).

A HOST has a full TCP/IP stack. The ETH-switch takes care of the protection switch; the HOST_x<-->ETH-switch eth interface always has the same MAC and IP address (eLAN-IP-addr).

Our APPs communicate through HOST_1. On HOST_2 the rule below takes care of this:

  iptables -t nat -A PREROUTING -d <eLAN-IP-addr> ! -i iLAN -j DNAT --to-destination <iLAN-HOST_1-IP-addr>

Here's my first problem/question. Let's say HOST_2 is active and an ESTABLISHED TCP connection is present between a system on the eLAN and an APP (of course, for HOST_1 the TCP connection will be administered as iLAN-HOST_1-IP-addr/port<-->eLAN-system-IP-addr/port).

If the ETH-switch rapidly makes p1/HOST_1 active, is it possible to make sure outgoing TCP data (that is sent by the APP/HOST_1) is somehow source NAT'ed? I ask this because currently the outgoing data (to the system on the eLAN) carries src-ip=iLAN-HOST_1-IP-addr while I want it to be eLAN-IP-addr. Vice versa (p2/HOST_2 becomes active) the same problem applies.

So I tried the rule below on HOST_1:

  iptables -t nat -A PREROUTING -d <eLAN-IP-addr> ! -i iLAN -m state --state INVALID,NEW,RELATED,ESTABLISHED -j DNAT --to-destination <iLAN-HOST_1-IP-addr>

This rule makes sure all traffic to the APPs has the internal LAN address of HOST_1 (iLAN-HOST_1-IP-addr).

So I tested with APP=telnetd. HOST_2 is active and the NAT rule on HOST_2 takes care of NATting to HOST_1 with dst-addr=iLAN-HOST_1-IP-addr. On HOST_1 the telnet connection below exists:

  tcp        0      0 iLAN-HOST_1-IP-addr:23      eLAN-system-IP-addr:58119    ESTABLISHED

On a switch to p1/HOST_1 I would expect no impact on the telnet connection (as long as I do not actively use it). However, after the switch has been completed, the TCP of HOST_1 sends a RST. This I do not understand, especially because the last-mentioned NAT rule said it did the translation:

  iptables -t nat -L -v
  Chain PREROUTING (policy ACCEPT 26 packets, 3052 bytes)
   pkts bytes target     prot opt in     out     source               destination
      1    54 DNAT       all  --  !iLAN  any     anywhere             eLAN-IP-addr         state INVALID,NEW,RELATED,ESTABLISHED to:iLAN-HOST_1-IP-addr

1 packet, 54 bytes corresponds with the <ENTER> I typed on the telnet client on the eLAN system.

Anybody know why (the TCP of) HOST_1 sends a ReSeT in this case?

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
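As an added illustration (written for this page, not netfilter code and not from the post) of why a `--state ESTABLISHED` match in a nat rule cannot help here: the nat table is only consulted for a packet that creates a new conntrack entry, and the segment arriving on HOST_1 after the switch is unknown to its conntrack table, so it is treated as new and its DNATed reply tuple collides with the entry that was built over the iLAN. How the kernel resolves such a clash is version-dependent and is not modelled; the addresses are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder addresses standing in for the names in the post.
ELAN_SYS = "192.0.2.10"    # the system on the eLAN
ELAN_IP = "192.0.2.1"      # eLAN-IP-addr (shared by HOST_1 and HOST_2)
ILAN_HOST1 = "10.0.0.1"    # iLAN-HOST_1-IP-addr


@dataclass(frozen=True)
class Tuple5:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Tuple5":
        return Tuple5(self.dst, self.dport, self.src, self.sport)


class Conntrack:
    """Simplified conntrack: every entry is findable by its original
    tuple and by its reply tuple, which is how replies are recognised."""

    def __init__(self):
        self.index = {}  # Tuple5 -> (original, reply)

    def classify(self, pkt: Tuple5) -> str:
        if pkt in self.index:
            return "ESTABLISHED"      # the nat table is NOT consulted here
        # Unknown tuple: this packet creates a new entry, so the nat
        # PREROUTING chain runs now.  This is the only point at which the
        # "-d <eLAN-IP-addr> -j DNAT" rule can ever take effect.
        translated = pkt
        if pkt.dst == ELAN_IP:
            translated = Tuple5(pkt.src, pkt.sport, ILAN_HOST1, pkt.dport)
        reply = translated.reverse()
        if reply in self.index:
            return "CLASH"            # reply tuple owned by an older entry
        self.index[pkt] = self.index[reply] = (pkt, reply)
        return "NEW"


def scenario() -> list:
    """Replay the post's sequence as seen by HOST_1; return each verdict."""
    ct = Conntrack()
    # Packets 1-2: HOST_2 is active and has already DNATed the segments
    # to iLAN-HOST_1-IP-addr before they reach HOST_1 over the iLAN.
    via_host2 = Tuple5(ELAN_SYS, 58119, ILAN_HOST1, 23)
    # Packet 3: after the protection switch the same flow arrives on
    # HOST_1's eLAN-facing interface, still addressed to eLAN-IP-addr.
    via_switch = Tuple5(ELAN_SYS, 58119, ELAN_IP, 23)
    return [ct.classify(via_host2), ct.classify(via_host2), ct.classify(via_switch)]
```

Note that the DNAT rule's packet counter would increment for the third packet in this model too, which is consistent with the `iptables -t nat -L -v` output above.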