Let's assume you are running LinuxVirtualServer (LVS) in direct routing mode.
Now you are in the situation where your cluster nodes have to talk to the outside world themselves, to fetch RSS feeds or to talk to authentication systems. Those systems are not under your control: they might change their IP address at any time, and nobody would inform you, so you cannot simply pin a static route per destination.
Here is your way out of that double bind:
# mark locally generated connections to the service ports
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 111
iptables -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark 111
# separate routing table whose only entry is the masquerading gateway
ip route add table 111 default via 172.16.42.111
# marked packets are looked up in that table instead of the main one
ip rule add fwmark 111 table 111
Now your nodes still answer the usual web requests via their default gateway (the replies carry port 80 or 443 as source port, not destination port, so they never match the mark), while their own connections to port 80 or 443 anywhere else leave via 172.16.42.111, which masquerades them. Two things to keep in mind: the mark is keyed on the destination port alone, so connections to port 80 or 443 on hosts inside your own network take the same detour unless you exclude them with a "! -d <your network>" match; and on kernels older than 3.6 you have to run "ip route flush cache" after changing rules, otherwise existing cache entries keep using the old route.
The only pitfall: you have to remember this setup when you are debugging. ping and traceroute send ICMP or UDP, so they never pick up the mark and always show you the default gateway. Use "traceroute -T -p 80 <host>" (TCP SYN probes) or "ip route get <host> mark 111" if you want to see the path the marked TCP traffic actually takes.
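The four commands from the post plus the debugging check, as one re-runnable script. This is an added example, not the post's own code: the gateway address, mark and table number are taken from the post, while the LOCAL_NET exclusion, the dry-run preview, the apply/check subcommands and the sample address 203.0.113.10 in the usage note are assumptions made here. The iptables -C and "ip rule show" checks make it safe to run more than once, and check_route asks the kernel which route an unmarked and a marked packet to a destination would take, which is exactly what ping and traceroute cannot tell you.

```shell
#!/bin/sh
# Policy routing for LVS-DR real servers: locally originated TCP connections
# to the service ports go out through a masquerading gateway, everything else
# (including replies to balanced client requests) keeps the default gateway.
#
# Assumptions, not from the original post: the LOCAL_NET exclusion and the
# preview/apply/check interface are added here for illustration.
set -eu

MASQ_GW="${MASQ_GW:-172.16.42.111}"   # masquerading gateway from the post
FWMARK="${FWMARK:-111}"
TABLE="${TABLE:-111}"
PORTS="${PORTS:-80 443}"
LOCAL_NET="${LOCAL_NET:-}"            # e.g. 172.16.42.0/24: keep LAN traffic on the default route
DRY_RUN="${DRY_RUN:-0}"               # 1 = print the commands instead of executing them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Mark outgoing TCP connections to each service port. Without the LOCAL_NET
# exclusion, connections to port 80/443 on LAN hosts would also be sent to the
# masquerading gateway. -C checks first so re-running never appends duplicates.
mark_rules() {
    excl=""
    [ -n "$LOCAL_NET" ] && excl="! -d $LOCAL_NET"
    for p in $PORTS; do
        if [ "$DRY_RUN" = 1 ] || ! iptables -t mangle -C OUTPUT $excl -p tcp --dport "$p" -j MARK --set-mark "$FWMARK" 2>/dev/null; then
            run iptables -t mangle -A OUTPUT $excl -p tcp --dport "$p" -j MARK --set-mark "$FWMARK"
        fi
    done
}

# Separate routing table reached only through the fwmark rule.
# 'ip rule show' prints the mark in hex, hence the conversion for the check.
policy_route() {
    run ip route replace table "$TABLE" default via "$MASQ_GW"
    hexmark="0x$(printf '%x' "$FWMARK")"
    if [ "$DRY_RUN" = 1 ] || ! ip rule show | grep -qw "fwmark $hexmark lookup $TABLE"; then
        run ip rule add fwmark "$FWMARK" table "$TABLE"
    fi
}

# Debugging: ping/traceroute never carry the mark, so ask the kernel directly
# which route an unmarked and a marked packet to DST would take.
check_route() {
    run ip route get "$1"
    run ip route get "$1" mark "$FWMARK"
}

case "${1:-preview}" in
    apply)   mark_rules; policy_route ;;
    check)   check_route "${2:?usage: $0 check DST_IP}" ;;
    preview) DRY_RUN=1; mark_rules; policy_route ;;
    *)       echo "usage: $0 [preview|apply|check DST_IP]" >&2; exit 2 ;;
esac
```

Running the script without arguments only prints the commands it would execute; "apply" runs them (as root), and "check 203.0.113.10" (any destination address will do) prints two "ip route get" results, the second of which should name 172.16.42.111 as the gateway once the rules are in place.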