On 08/29/2013 01:12 PM, Randy Barlow wrote:
> Honestly, I think the best solution is to switch the company to using domain 
> names to access these resources. This makes it much easier to silently 
> introduce things like load balancers later on if you ever need to scale. It's 
> also much easier to communicate to new users how to find this resource. Once 
> you migrate to IPv6 it becomes a very long address to tell people as well.
>
> To answer your specific question, I would just do it with iptables if you 
> must continue accessing it by IP address. I will point out that the service 
> on the new IP address now has doubled its chances of going out of service, 
> because it depends on both machines running, even though the first has 
> nothing to do with it. Also, doing this with firewall rules isn't very nice 
> from a systems management perspective for the future, as it's not very 
> obvious what's going on with some server rewriting packets for another one. 
> If someone sees that in two years, are they going to know what to do? What if 
> they want to take server 1 down, and forget that it also disrupts 2? Using 
> DNS is much cleaner for these reasons.
With iptables this could be tricky if everything is in the same LAN
subnet; you will need to ensure you have both DNAT and SNAT, otherwise
you will have:
PC ---> serverA:3000 ---DNAT----> serverB
serverB ---replies---> PC
PC ignores packet: "I wasn't talking to you, I was talking to serverA"

Also bear in mind that from serverB's perspective, all connections on
port 3000 will appear to come from serverA. I know that a VT-based
terminal server can set up users based on their originating IP, which
would previously have been a good detector of which terminal they are
connecting from.

Rather than using iptables on serverA, you may like to consider ebtables
or iptables on a server that sits in front of both serverA and serverB.
This would act as a bridge, and rewrite packets for serverA on port 3000
to go to serverB on port 3000,
or
it could act as a router for NAT (iptables) if you change the IP subnet
of serverA and serverB, and make the NAT box have the original IP of serverA.
This would allow connections by IP to be tracked.

hth
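The DNAT-plus-SNAT "hairpin" described in the message above, written out as an added example that is not part of the thread: a shell function that emits the iptables rules for redirecting serverA:3000 to serverB:3000 on one LAN. The addresses 192.0.2.10 / 192.0.2.20 are constructed placeholders, and the LOG rule is an addition that records the real client address on serverA before SNAT hides it from serverB (the loss of originating IP the message warns about).

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Emits (does not apply) the rules for redirecting TCP/PORT on serverA to
# serverB when both sit in the same subnet. Review the output, then pipe it
# to sh on serverA if it looks right.

SERVER_A="192.0.2.10"   # constructed placeholder: the address clients still use
SERVER_B="192.0.2.20"   # constructed placeholder: where the service now lives
PORT="3000"

hairpin_rules() {
    a="$1"; b="$2"; p="$3"
    cat <<EOF
# Without forwarding enabled the DNATed packet is dropped on serverA.
sysctl -w net.ipv4.ip_forward=1

# Keep a record of who really connected: serverB will only ever see serverA
# as the source once SNAT is in place, so log the first packet of each flow
# here, before any rewriting happens (mangle runs ahead of nat).
iptables -t mangle -A PREROUTING -d ${a} -p tcp --dport ${p} -m conntrack --ctstate NEW -j LOG --log-prefix "hairpin-${p}: "

# 1) DNAT: PC -> ${a}:${p} becomes PC -> ${b}:${p}
iptables -t nat -A PREROUTING -d ${a} -p tcp --dport ${p} -j DNAT --to-destination ${b}:${p}

# 2) SNAT: serverB must reply to serverA, not to the PC directly, or the PC
#    discards a reply from an address it never spoke to.
iptables -t nat -A POSTROUTING -d ${b} -p tcp --dport ${p} -j SNAT --to-source ${a}

# 3) Permit only this forwarded flow rather than arbitrary forwarding.
iptables -A FORWARD -d ${b} -p tcp --dport ${p} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s ${b} -p tcp --sport ${p} -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Count how many iptables rules the generated set contains (handy for a
# quick sanity check against what `iptables-save` later shows).
rule_count() {
    hairpin_rules "$1" "$2" "$3" | grep -c '^iptables '
}

hairpin_rules "$SERVER_A" "$SERVER_B" "$PORT"
```

The generated set is deliberately small: one DNAT, one SNAT, two FORWARD rules and a LOG. Anyone reading serverA's firewall two years later (the concern raised in the quoted reply) can see from the log prefix and the paired nat rules exactly which other host depends on this box.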
