[ale] iptables redirect

[Chris Fowler]

I was able to get a guest to respond to both the new and old address.

Here is how I did it.

1.  I setup eth0 as the new address

2.  I created a script to use ip to setup eth1 as the old

#!/bin/sh
interface=eth1
echo "1 admin" >> /etc/iproute2/rt_tables
echo "Configuring $interface"
ifconfig $interface 65.254.217.223 netmask 255.255.254.0
echo "Adding network rule"
ip route add 65.254.216.0/23 dev $interface src 65.254.217.223 table
admin
echo "Adding a default route via $interface for this address"
ip route add default via 65.254.216.1 dev $interface table admin
echo "Adding interface rule"
ip rule add from 65.254.217.223/32 table admin
ip rule add to 65.254.217.223/32 table admin

I tested this script for alias support (eth0:1) and I could not get it
work work.  Maybe some have suggestions.  For my guests I can shut them
down and add an additional interface that is bridged with the same
interface as their eth0.  The script will work I can reconfigure the
devices and get them on the new address.  However for the machines with
only one interface if I can't use alias support I'll have to think of
another method.  It might be that I have to take a USB NIC to Peak 10
and do it that way :(



On Thu, 2009-08-06 at 14:58 -0400, Matt Rideout wrote:
> What about running VRRP/CARP/HSRP on the routers? If I understand your 
> situation correctly, that sounds like the cleanest solution.
> 
> Chris Fowler wrote, On 08/06/2009 02:20 PM:
> > This issue I ran into is that they have 2 links into my 2900 switch.  I
> > tried to use aliasing but I need a system where the same machine has two
> > default gateways.  I have about 7 machines to convert over.
> >
> > I think what I'll try is iproute and setup a system with two nics and
> > each nic with its own gateway.  I'm testing that idea now by install
> > CentOS 5.3 on my vmserver host.  I've added two network interfaces from
> > the same bridged interface from the host.  If this works then for my
> > guests I can just shut them down, add another interface and make this
> > work.  For the real servers I'll have to try something like the iptables
> > trick.
> >
> >
> > On Thu, 2009-08-06 at 12:07 -0600, JK wrote:
> >   
> >> Chris Fowler wrote:
> >>     
> >>> Is is possible to use iptables to redirect from one server to another.
> >>>       
> >> Sure.
> >>
> >> iptables -t nat -I PREROUTING -i $ETH_INGRESS -d $ORIG_DEST_IP -j DNAT --to-dest $NEW_DEST_IP
> >>
> >> As long as the machine handling the packet knows how to route traffic
> >> to NEW_DEST_IP, you should be OK.  You'll probably also need to SNAT
> >> that traffic, though, unless the NEW_DEST_IP machine's route back to
> >> the original source passes through the machine you're installing the
> >> iptables rule on:
> >>
> >> iptables -t nat -I POSTROUTING -o $ETH_EGRESS -d $NEW_DEST_IP -j SNAT --to-dest $MY_IP
> >>
> >> -- JK
> >>
> >>
> >>
> >>     
> >>> Here is the issue.
> >>>
> >>> We have a new address range.  I now have two sets of public addresses.
> >>> I need to release the old set.  I have many devices programmed to go to
> >>> the old IP.  Can I create an iptables rule on 65.254.217.212 to redirect
> >>> to 74.113.143.4 ?  Any request to the old server will be sent to the new
> >>> server.  After I reprogram the devices then I'll relinquish the old
> >>> address.
> >>>
> >>> Chris
> >>>
> >>>
> >>> _______________________________________________
> >>> Ale mailing list
> >>> Ale at ale.org
> >>> http://mail.ale.org/mailman/listinfo/ale
> >>>
> >>>
> >>>       
> >> _______________________________________________
> >> Ale mailing list
> >> Ale at ale.org
> >> http://mail.ale.org/mailman/listinfo/ale
> >>     
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> >   
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale