Use iptables NAT to access external resources internally
April 25, 2014
You’ve set up some nice port forwarding on your iptables router and it works great from the outside world.
The Scene
Host | Address | Interface
Router public IP | 100.127.150.110 | eth0
Router private IP | 192.168.15.1 | eth1
Web server IP | 192.168.15.10 |
Suppose the web server listens on port 80 and we want people to reach it through port 8080 on the public address. We add a DNAT rule to the PREROUTING chain of the nat table, plus a FORWARD rule in the filter table so the translated packets are allowed through:
# nat table, PREROUTING chain: rewrite public :8080 to the web server's :80
iptables -t nat -A PREROUTING -d 100.127.150.110 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.15.10:80
# filter table: let the translated packets through to the web server
iptables -A FORWARD -d 192.168.15.10 -p tcp -m tcp --dport 80 -j ACCEPT
That works great from the outside world, but from inside your network 100.127.150.110:8080 does not redirect you, so you have to connect to 192.168.15.10:80 directly. Not a huge deal, unless you use host names or code that has to work both inside and outside the network and you don't want special-case rules for each side.
The solution
Here's how to set up iptables so the same forwarding also works for internal clients, with the router sitting in the middle of the internal requests. The DNAT rule is applied on both interfaces, and the extra SNAT rule rewrites an internal client's source address to the router's LAN address. Without it the web server would answer the client directly with its own address as the source, and the client would drop those replies because it never opened a connection to 192.168.15.10; with it, the replies go back through the router, which un-translates them.
# DNAT for requests arriving from the outside (nat table)
iptables -t nat -A PREROUTING -i eth0 -d 100.127.150.110/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.15.10:80
# DNAT for internal clients that hit the public address (the hairpin)
iptables -t nat -A PREROUTING -i eth1 -d 100.127.150.110/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.15.10:80
# SNAT internal clients to the router's LAN address so the server replies via the router
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.15.0/24 -d 192.168.15.10/32 -p tcp -m tcp --dport 80 -j SNAT --to-source 192.168.15.1
# filter table: allow the forwarded flow
iptables -A FORWARD -d 192.168.15.10 -p tcp -m tcp --dport 80 -j ACCEPT
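The same hairpin rule set as a parameterised, re-runnable shell script. This is an added example, not the post's own script; the addresses and interfaces are the ones from the table above, and it uses iptables -C to skip rules that are already present so it can be run repeatedly from a boot script.

```shell
#!/bin/sh
# Hairpin (NAT loopback) port forward helper. Assumed topology (from the post):
# public 100.127.150.110 on eth0, LAN 192.168.15.0/24 behind eth1, router LAN address 192.168.15.1.
PUB_IF=${PUB_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
PUB_IP=${PUB_IP:-100.127.150.110}
LAN_NET=${LAN_NET:-192.168.15.0/24}
LAN_GW=${LAN_GW:-192.168.15.1}
IPT=${IPT:-iptables}   # override to point at a wrapper or a recording stub

# add_rule TABLE CHAIN RULE...: append the rule only if it is not already present.
# iptables -C returns 0 when an identical rule exists (needs a reasonably modern iptables).
add_rule() {
    table=$1; chain=$2; shift 2
    if "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0   # already there; re-running the script must not duplicate rules
    fi
    "$IPT" -t "$table" -A "$chain" "$@"
}

# hairpin_forward PUBLIC_PORT TARGET_IP TARGET_PORT: expose TARGET_IP:TARGET_PORT on PUB_IP:PUBLIC_PORT
# for both external and internal clients.
hairpin_forward() {
    pub_port=$1; target=$2; tport=$3
    # DNAT for requests arriving from the outside
    add_rule nat PREROUTING -i "$PUB_IF" -d "$PUB_IP/32" -p tcp -m tcp --dport "$pub_port" -j DNAT --to-destination "$target:$tport"
    # DNAT for LAN clients that use the public address (the hairpin)
    add_rule nat PREROUTING -i "$LAN_IF" -d "$PUB_IP/32" -p tcp -m tcp --dport "$pub_port" -j DNAT --to-destination "$target:$tport"
    # SNAT LAN clients to the router's LAN address so the server's replies come back via the router
    add_rule nat POSTROUTING -o "$LAN_IF" -s "$LAN_NET" -d "$target/32" -p tcp -m tcp --dport "$tport" -j SNAT --to-source "$LAN_GW"
    # filter: allow the forwarded flow to reach the server
    add_rule filter FORWARD -d "$target" -p tcp -m tcp --dport "$tport" -j ACCEPT
}

# Usage (as root): sh hairpin.sh 8080 192.168.15.10 80
if [ $# -eq 3 ]; then
    hairpin_forward "$1" "$2" "$3"
fi
```

Run it again after a reboot or a rule change and only the missing rules are added; set IPT to a stub that just prints its arguments to preview the rules without touching the kernel.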
Some say this is the missing link of the Internet. Others say we should use IPv6 and be done with this NAT garbage forever.