
I am working on a live network of multiple boxes and routes with a long history of changes. I am trying to consolidate them with the minimum disruption. I'd like to get rid of some old routers and have the connections handled by newer (live) boxes.

Should this work?

    # mark incoming TCP traffic for each virtual IP (mangle PREROUTING runs before nat PREROUTING)
    iptables -t mangle -A PREROUTING -p tcp -d 192.168.0.1 -j MARK --set-mark 1
    iptables -t mangle -A PREROUTING -p tcp -d 192.168.0.2 -j MARK --set-mark 2
    # rewrite the destination to the backend, one port per virtual IP
    iptables -t nat -A PREROUTING -p tcp -d 192.168.0.1 -j DNAT --to-destination $DST:7021
    iptables -t nat -A PREROUTING -p tcp -d 192.168.0.2 -j DNAT --to-destination $DST:7022
    # after DNAT the packet is addressed to $DST; pick the source address by mark
    iptables -t nat -A POSTROUTING -p tcp -d $DST -m mark --mark 1 -j SNAT --to-source 192.168.0.1
    iptables -t nat -A POSTROUTING -p tcp -d $DST -m mark --mark 2 -j SNAT --to-source 192.168.0.2

    # allow the forwarded traffic to reach the backend
    iptables -A FORWARD --destination $DST -j ACCEPT

if eth0 has a static IP and the routing is on two virtual IPs (eth0:1 is 192.168.0.1 and eth0:2 is 192.168.0.2), with both ending up on destination $DST?

Using MARK seems to be my best option, but it's not working: $DST seems to respond to the static IP address, not the virtual one I'm trying to put in with SNAT. Is this because MARK won't work in this way, because other entries in iptables are overriding it, or because I need to look into iproute2 fwmark rules?

The extract above is minimal and I need a solution that scales to multiple UCARP'd IP addresses, along with all the iproute2 rules and iptables filtering that is already configured. Unfortunately, much as I'd like to start afresh with a higher-level routing tool I'm currently stuck with integrating changes into the existing iproute2/iptables setup.

Thanks

AndyS
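Added example, not from the question or from any answer: a POSIX shell generator for the mark/DNAT/SNAT rule set sketched in the post, one entry per virtual IP so the same pattern scales to several UCARP'd addresses. The "vip:port:mark" list format, the 7021/7022 port and mark mapping and the placeholder backend address are assumptions, and the script only prints rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Generates the per-VIP rule set from the post for any number of virtual IPs.
# Assumed (not from the post): VIP list entries are "vip:port:mark" and the
# backend address is a placeholder to be replaced with the real $DST.
DST="${DST:-10.0.0.10}"

# gen_vip_rules VIP PORT MARK DST -> prints the three rules for one VIP.
# Rules for different chains can be interleaved per VIP; only the order
# within one chain matters to iptables.
gen_vip_rules() {
    vip=$1 port=$2 mark=$3 dst=$4
    # mangle PREROUTING is evaluated before nat PREROUTING, so the mark is set
    # before DNAT and is still on the packet when nat POSTROUTING is reached.
    printf 'iptables -t mangle -A PREROUTING -p tcp -d %s -j MARK --set-mark %s\n' "$vip" "$mark"
    printf 'iptables -t nat -A PREROUTING -p tcp -d %s -j DNAT --to-destination %s:%s\n' "$vip" "$dst" "$port"
    # after DNAT the destination is the backend; choose the SNAT source by mark
    printf 'iptables -t nat -A POSTROUTING -p tcp -d %s -m mark --mark %s -j SNAT --to-source %s\n' "$dst" "$mark" "$vip"
}

# gen_all "vip:port:mark ..." DST -> rules for every VIP, then the FORWARD accept.
gen_all() {
    list=$1 dst=$2
    for entry in $list; do
        vip=${entry%%:*}
        rest=${entry#*:}
        port=${rest%%:*}
        mark=${rest#*:}
        gen_vip_rules "$vip" "$port" "$mark" "$dst"
    done
    printf 'iptables -A FORWARD -d %s -j ACCEPT\n' "$dst"
}

# count_rules "list" DST -> number of generated rule lines (3 per VIP plus 1).
count_rules() { gen_all "$1" "$2" | wc -l | tr -d ' '; }

# The two VIPs from the question with the constructed port/mark mapping.
VIPS="192.168.0.1:7021:1 192.168.0.2:7022:2"
if [ "${1:-}" = "--print" ]; then
    gen_all "$VIPS" "$DST"
fi
```

Run it with `--print` and pipe the output into `sh` only once the generated rules match what is already loaded by the existing iproute2/iptables setup.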
