www.bundesbrandschatzamt.de
Babblings about Systems Administration.

port based routing

Let's assume you are using Linux Virtual Server (LVS) in direct routing mode.

Now you are in the situation that your cluster nodes have to talk to the outside world, for example to fetch RSS feeds or to talk to authentication systems. These systems are not under your control; they might change their IP address and you would not be informed.

Here is your way out of that double bind:

# mark locally originated TCP connections to port 80 and 443 with fwmark 111
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark 111
iptables -t mangle -A OUTPUT -p tcp --dport 443 -j MARK --set-mark 111

# routing table 111 sends everything to the second gateway
ip route add table 111 default via 172.16.42.111
# packets carrying fwmark 111 are looked up in table 111 instead of main
ip rule add fwmark 111 table 111

Now your nodes still answer the usual web requests via their default gateway (the replies leave with source port 80 or 443, so the OUTPUT rules do not match them), while the connections the nodes open themselves to port 80 or 443 are marked and leave via the second gateway, which masquerades them towards the service related systems.

The only pitfall: you have to remember this setup when you have to do debugging. ping (ICMP) and traceroute (UDP or ICMP probes) never match the TCP port rules, so they take the default route and tell you nothing about the marked path; only a TCP connection to port 80 or 443 follows it.
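As an added example (not code from the original post), here is a small Python checker for the setup above and for the pitfall: it parses iptables-save mangle rules, `ip rule show` and the route tables and reports which gateway a locally generated packet will leave through. The sample outputs are constructed; 172.16.42.1 as the main default gateway and eth0 are assumptions, and the hex rendering 0x6f of mark 111 is how iptables-save and ip rule display it.

```python
import re

# Constructed sample outputs matching the post's setup. 172.16.42.1 and eth0
# are assumed; mark 111 appears as hex 0x6f in iptables-save and ip rule output.
MANGLE = """\
-A OUTPUT -p tcp -m tcp --dport 80 -j MARK --set-xmark 0x6f/0xffffffff
-A OUTPUT -p tcp -m tcp --dport 443 -j MARK --set-xmark 0x6f/0xffffffff
"""
IP_RULE = """\
0:      from all lookup local
32765:  from all fwmark 0x6f lookup 111
32766:  from all lookup main
"""
ROUTES = {"main": "default via 172.16.42.1 dev eth0",
          "111": "default via 172.16.42.111 dev eth0"}

def parse_mangle(text):
    """Return [(proto, dport, mark)] for OUTPUT rules in iptables-save output."""
    rules = []
    for line in text.splitlines():
        m = re.search(r"-A OUTPUT .*-p (\w+) .*--dport (\d+) .*--set-x?mark (0x[0-9a-fA-F]+|\d+)", line)
        if m:
            rules.append((m.group(1), int(m.group(2)), int(m.group(3), 0)))
    return rules

def parse_ip_rule(text):
    """Return [(fwmark or None, table)] in priority order from `ip rule show`."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+:\s+from \S+(?: fwmark (\S+))? lookup (\S+)", line)
        if m:
            mark = int(m.group(1).split("/")[0], 0) if m.group(1) else None
            rules.append((mark, m.group(2)))
    return rules

def next_hop(proto, dport, mangle=MANGLE, ip_rule=IP_RULE, routes=ROUTES):
    """Gateway a locally generated packet (proto, destination port) leaves through."""
    mark = 0
    for p, port, m in parse_mangle(mangle):
        if p == proto and port == dport:
            mark = m                      # MARK is non-terminating: later rules may override
    for fwmark, table in parse_ip_rule(ip_rule):
        if table == "local":
            continue                      # local delivery table, no gateway involved
        if fwmark is None or fwmark == mark:
            via = re.search(r"default via (\S+)", routes.get(table, ""))
            if via:
                return via.group(1)       # first matching rule with a default route wins
    return None
```

On a real node, feed it the output of `iptables-save -t mangle`, `ip rule show` and `ip route show table 111` / `ip route show`; the kernel's own answer for the marked path is `ip route get <destination> mark 111`.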