From: "Jörg Harmuth" <harmuth@mnemon.de>
To: netfilter@lists.netfilter.org
Subject: Re: TOS problem
Date: Tue, 26 Jul 2005 14:49:22 +0200	[thread overview]
Message-ID: <42E63152.9030006@mnemon.de> (raw)
In-Reply-To: <200507261258.08378.marcin.giedz@eulerhermes.pl>

Marcin Giedz schrieb:
> Hello,
> 
> 
> > You're providing too little information, so nobody can help you - even if
> > he/she desired to do so.
> 
> Maybe you are right.. I will try once again.
> 
> In my office we have 2 gateways. One of them GATEWAY1 is connected to one ISP1 
> and it is also default gateway for almost all of our servers. I said "almost" 
> because there is one server "service" where default gateway is GATEWAY2 
> connected to another ISP2.
> 
> All of our customers run Services situated on "service" server via GATEWAY2. 
> But if GATEWAY2 is down or connection to ISP2 is broken I would like that 
> customers can still connect to Services via GATEWAY1. So I need some kind of 
> redirection on GATEWAY1 because I don't want to switch default gateway on 
> "service" manually. However if GATEWAY2 is running OK some of our 
> customers can still run Services via GATEWAY1. My problem is:
> how to route connections to "service" server passed via GATEWAY1? 

Just to summarize the important points. Main traffic goes via GW1 to
ISP1, but the server in question has GW2 as default GW, which in turn has
its default GW at ISP2. The problem is to forward incoming connections from
GW1 to GW2 (or your special service server), if customers connect to the
service server via GW1.

> Packet MARK'ing works within the kernel so it can be used. Another way is changing 
> TOS on GATEWAY1 for "these" packets and route them to "service".  

Yes, almost for sure, it is possible to have a solution based on MARK
and / or TOS, but I don't believe that it's necessary.

You said in your posting "IP:Port REDIRECT problem" that you tried with
public IPs to no avail. Why public IPs? If your GWs aren't connected to
each other somehow, I suggest connecting them with RFC1918 addresses and
setting the routes accordingly. You don't want to redirect from GW1 to GW2
via the internet, do you?

Once the GWs are connected, I think the simple solution will be to use
DNAT and SNAT with iptables, 'cause I can't see anything that needs
more effort. So it breaks down to curby's posting, which looks something
like this:

## On GW1
## Rewrite the destination of incoming connections to port 4000 to GW2
iptables -t nat -A PREROUTING -p tcp --dport 4000 \
   -i $INET_IFACE -j DNAT --to $IP_OF_GW2
## If FORWARD policy is not ACCEPT or you have a rule like
## ... -A FORWARD -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED \
   -j ACCEPT
iptables -A FORWARD -i $INET_IFACE -o $IFACE_TO_GW2 \
   -p tcp --dport 4000 --syn -j ACCEPT
## You need SNAT too, at least it's the safe way
iptables -t nat -A POSTROUTING -o $IFACE_TO_GW2 \
   -p tcp --dport 4000 -j SNAT --to $IP_OF_IFACE_TO_GW2

So, if GW1 and GW2 are connected somehow and know how to route packets
to each other, the packets in question will reach GW2 with a source
address of GW1. If allowed by iptables rules, GW2 will forward / redirect
these packets to the "service server" (maybe applying DNAT and SNAT too) and
everything should work.

HTH and have a nice time,

Joerg

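The two-hop DNAT/SNAT path from the reply above, written up as an added example script that is not part of the original thread. It assumes port 4000, constructed interface names and RFC1918 link addresses, uses the newer `-m conntrack` match in place of `-m state`, and also covers the GW2 side that the reply only mentions; DRY_RUN=1 prints the rules instead of applying them.

```shell
# Added example (not from the thread). All addresses, interface names
# and the port are constructed placeholders. DRY_RUN=1 prints commands.
set -eu
# Run iptables, or just print the command when dry-running.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}
# Append a rule only if it is not already present, so reruns stay idempotent.
add_rule() {
    table=$1; shift
    if [ "${DRY_RUN:-0}" != 1 ] && iptables -t "$table" -C "$@" 2>/dev/null; then
        return 0
    fi
    run -t "$table" -A "$@"
}
# GW1: PORT INET_IFACE IFACE_TO_GW2 IP_OF_GW2 IP_OF_IFACE_TO_GW2
gw1_rules() {
    port=$1 inet_if=$2 gw2_if=$3 gw2_ip=$4 link_ip=$5
    [ "${DRY_RUN:-0}" = 1 ] || sysctl -q -w net.ipv4.ip_forward=1
    add_rule nat PREROUTING -i "$inet_if" -p tcp --dport "$port" \
        -j DNAT --to-destination "$gw2_ip"
    add_rule filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    add_rule filter FORWARD -i "$inet_if" -o "$gw2_if" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
    # SNAT to GW1's address on the GW1<->GW2 link: replies then come back to
    # GW1 instead of leaving through GW2's default route to ISP2.
    add_rule nat POSTROUTING -o "$gw2_if" -p tcp --dport "$port" \
        -j SNAT --to-source "$link_ip"
}
# GW2: PORT IFACE_FROM_GW1 IFACE_TO_SERVICE IP_OF_SERVICE. No SNAT needed
# here, because the service host's default gateway is GW2 itself.
gw2_rules() {
    port=$1 gw1_if=$2 svc_if=$3 svc_ip=$4
    [ "${DRY_RUN:-0}" = 1 ] || sysctl -q -w net.ipv4.ip_forward=1
    add_rule nat PREROUTING -i "$gw1_if" -p tcp --dport "$port" \
        -j DNAT --to-destination "$svc_ip"
    add_rule filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    add_rule filter FORWARD -i "$gw1_if" -o "$svc_if" -p tcp --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}
# Usage: DRY_RUN=1 sh gw-nat.sh gw1   (or gw2) to print the rule set.
case "${1:-}" in
    gw1) gw1_rules 4000 eth0 eth1 192.168.100.2 192.168.100.1 ;;
    gw2) gw2_rules 4000 eth0 eth1 10.0.0.10 ;;
esac
```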