Hi... I two servers set up: 192.168.1.150 and 192.168.1.160

Initially, I want all traffic to be served by server 150. So for this purpose I am leaving the IPTables on .150 empty.

At a point in time, I want to forward all incoming traffic to be served by .160 instead.
I have accomplished this using these commands (on .150):

iptables -t nat -A PREROUTING -j DNAT --to 192.168.1.160
iptables -t nat -I POSTROUTING -j MASQUERADE

My problem is that if I have an open SSH connection to .150 (prior to adding the rules), the packets are still handled by .150 after adding the rules.. e.g. my SSH session stays active. I want these packets to be forwarded to .160, which would effectively disconnect the SSH session. I do not want the packets flat out dropped, I just want them forwarded on in whatever state they are in.

If I try a new SSH session, it is properly forwarded to .160

Any help would be appreciated to get these packets from the existing session forwarded.

Thank you!

Anything wrong with dropping packets and returning an error?

Yes... I need to redirect the packets if at all possible.
My end goal is to perform a live migration of a Xen domU that exists within a private network on physical machine .150 over to physical machine .160. The session should still be valid if I can redirect the packets correctly.

The Xen DomU will have it's own IP addresses, I don't see how an SSH connection to 192.168.1.150 is relevant. It should just work if they are on the same Ethernet network.

Leave iptables alone, you will break connections that way.

Thanks for the advice... I have accomplished what I need by removing the appropriate conntrack entry.

You can't change anything while connection is open or active. Because iptables module "nf_conntrack" remember it. And it is very important for open connection to stay unchangeable.