Addendum: On the load balancer,

    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT

will match *all* packets (for example the packets of your SSH connection, since there is undoubtedly a socket for those SSH packets), at least it does on my system. This is much nicer IMO:

    iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j DIVERT

The addition of --transparent restricts the matching to packets going to transparent sockets, which are the packets sent back to the load balancer from the backend. The end result may be pretty much the same (lots of packets end up being delivered locally, some of which would have been dropped because they aren't carrying a destination IP address that is actually on the load balancer), but it's much less invasive.

Again, if you don't have a dedicated IP for the load balancer (you probably should have, because you probably want a virtual IP for failover), you can just match the port instead.

Best,
Luke
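The DIVERT setup the message above refers to, written out as an added example (a shell script that is not Luke's own commands and not from the list): it creates the DIVERT chain, adds the narrower `-m socket --transparent` match, and the fwmark/policy-route steps that make the kernel deliver the diverted packets locally. The fwmark value 1, the routing table number 100, the DRY_RUN variable, and the port-based variant (which matches on the backend's source port, one reading of "match the port instead") are assumptions of this example, not something stated in the message.

```shell
#!/bin/sh
# Added example: DIVERT chain for a transparent load balancer.
# Not from the original message; fwmark 1, table 100, DRY_RUN and the
# --sport variant are assumptions of this example.
set -eu

FWMARK="${FWMARK:-1}"     # assumed mark value
TABLE="${TABLE:-100}"     # assumed policy-routing table
DRY_RUN="${DRY_RUN:-1}"   # default: print commands instead of running them

# run CMD...: execute the command, or print it when DRY_RUN=1 so the rule
# set can be reviewed on a box where you are not root.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_divert [backend_port]
#
# No argument: match only packets destined for a transparent socket, i.e.
# the backend's replies to connections the load balancer opened with the
# client's source address.  With a port: match the backend's replies by
# their source port instead (for a load balancer without a dedicated IP).
# Assumes the mangle table does not already contain a DIVERT chain.
setup_divert() {
    run iptables -t mangle -N DIVERT
    if [ $# -eq 0 ]; then
        run iptables -t mangle -A PREROUTING -p tcp -m socket --transparent -j DIVERT
    else
        run iptables -t mangle -A PREROUTING -p tcp --sport "$1" -j DIVERT
    fi
    # Mark the diverted packets and stop processing them in the mangle table.
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$FWMARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    # Marked packets carry the client's IP as destination, which is not a
    # local address; policy-route them to a table whose only route is a
    # "local" route via lo, so the kernel delivers them to the listening
    # transparent socket instead of forwarding them on.
    run ip rule add fwmark "$FWMARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# With no arguments this prints the --transparent variant; pass a backend
# port for the port-based variant.  Set DRY_RUN=0 (as root) to apply.
setup_divert "$@"
```

Run it as `sh divert.sh` to see the rules, `sh divert.sh 80` for the port-matching variant, and `DRY_RUN=0 sh divert.sh` as root to apply them. The `ip rule`/`ip route` pair is what turns the mark into local delivery; without it, marking the packets in DIVERT does nothing on its own.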

