You've only rewritten the destination.
You need to change the source address to be from PC1 or PC2, so the reply packets can also be NATted. And you need to change the destination address so that the packet will go to PC3. Rewriting both the source and the destination is called "dual NAT".
You need to do the DNAT in the PREROUTING chain and the SNAT in the POSTROUTING chain. Like this (for PC1):
iptables -t nat -A PREROUTING -p tcp -m tcp -d 1.0.0.1 --dport 80 -j DNAT \
--to-destination 172.16.0.3:80
iptables -t nat -A POSTROUTING -p tcp -m tcp -d 172.16.0.3 --dport 80 \
-j SNAT --to-source 172.16.0.1
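As an added example (not part of the answer above), the two rules as a small script so the variables are visible and the rule set can be reviewed before it is applied. The addresses are the ones used in the answer; the interface name eth1 and the LAN subnet 172.16.0.0/24 are assumptions. Two refinements a practitioner would want are included: the DNAT rule is restricted to traffic arriving on the LAN interface, and the SNAT rule only rewrites sources from the LAN subnet, so genuine Internet clients keep their real source address in PC3's logs and only the hairpin (LAN-to-LAN via the public address) traffic is masked.

```shell
#!/bin/sh
# Added example: hairpin ("dual") NAT so a LAN client can reach an internal
# server through the router's public address. Values below are constructed
# for the example; LAN_IF and LAN_NET are assumptions, the rest match the post.
PUBLIC_IP=${PUBLIC_IP:-1.0.0.1}        # address the LAN client connects to
SERVER_IP=${SERVER_IP:-172.16.0.3}     # internal server (PC3)
ROUTER_LAN=${ROUTER_LAN:-172.16.0.1}   # router's LAN address, used as SNAT source
LAN_IF=${LAN_IF:-eth1}                 # assumed LAN interface name
LAN_NET=${LAN_NET:-172.16.0.0/24}      # assumed LAN subnet
PORT=${PORT:-80}

# DNAT in PREROUTING. Matching on -i "$LAN_IF" limits this rule to packets that
# arrive from the LAN; the WAN side would normally carry its own DNAT rule
# without any SNAT, so external clients are not masked.
dnat_rule() {
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$LAN_IF" "$PUBLIC_IP" "$PORT" "$SERVER_IP" "$PORT"
}

# SNAT in POSTROUTING. It must match the *post-DNAT* destination (the server),
# and -s "$LAN_NET" ensures only LAN-originated hairpin traffic is rewritten.
# Without it every Internet client would appear to the server as the router.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$LAN_NET" "$SERVER_IP" "$PORT" "$ROUTER_LAN"
}

# Print both rules; pass "apply" as the first argument to execute them (root).
dual_nat() {
    for rule in "$(dnat_rule)" "$(snat_rule)"; do
        if [ "$1" = apply ]; then
            eval "$rule"
        else
            echo "$rule"
        fi
    done
}

dual_nat "$@"
```

Run it without arguments to review the generated rules, then with `apply` to install them; `iptables -t nat -L -n -v` afterwards shows the packet counters on both rules climbing together once a LAN client connects to the public address.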
When your router does NAT, it has different IPs on its WAN and LAN interfaces. The same applies to the outer router in your setup. It looks like this (all the numbers are actual IPs taken from your screenshots):
Internet
|
WAN IP: a.b.c.d
outer router
LAN IP: 192.168.1.254
|
WAN IP: 192.168.1.100
inner router
LAN IP: 192.168.9.1
|
PC1 with IP 192.168.9.100
Your inner router is seen as 192.168.9.1 by your PC1, but the outer router can reach the inner one only at the 192.168.1.100 address.
Solution: reconfigure the outer router to forward the port to 192.168.1.100 (not 192.168.9.1). Port forwarding on the inner router seems to be OK.
There is also an improvement you can make. It is common that a home router offers dynamic IP addresses via DHCP and the pool starts with 192.168.???.100 (it can be changed, this is just a common default value). The IP addresses of your PC1 and inner router (its WAN interface) end with 100. I think they were obtained via DHCP from the respective dynamic pools. Your screenshot (update 1) tells this without doubt: "Dynamic IP".
With dynamic IPs it is possible any of these addresses will change in the future without any warning. In that case your port forwarding rule (one or the other, or both) will need to be adjusted to point to the new address.
To avoid this you should assign a static IP to your inner router's WAN interface (you should be able to do it in the outer router config, then reboot the inner one) and to your PC1 (in the inner router config, then reboot PC1). The setup may look like this (example):
Internet
|
WAN IP: a.b.c.d
outer router
LAN IP: 192.168.1.254
|
WAN IP: 192.168.1.5 (static, cannot change by itself)
inner router
LAN IP: 192.168.9.1
|
PC1 with IP 192.168.9.2 (static, cannot change by itself)
If you decide to set static addresses then you should reconfigure port forwarding rules accordingly. You may stick to your current settings, just keep in mind that your forwarding rules will not work if any dynamic address changes.
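As an added check (not part of the answer above), a small script that applies the answer's reasoning mechanically: a port-forward rule can only work if its target sits on the forwarding router's own LAN subnet, because that is the only network the router can deliver to directly. The addresses are the ones quoted in the answer; the /24 prefixes and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example: verify each hop of a double-NAT port-forward chain.
# Addresses are those from the post; /24 prefixes are assumed.

# Convert dotted IPv4 to an integer (POSIX arithmetic, no external tools).
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet A B PREFIX: succeed if A and B share the /PREFIX network.
same_subnet() {
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# check_forward ROUTER_LAN_IP PREFIX TARGET: a forward rule on a router whose
# LAN address is ROUTER_LAN_IP/PREFIX only works if TARGET is on that LAN.
check_forward() {
    if same_subnet "$1" "$3" "$2"; then
        echo "OK : $1/$2 forwards to $3 (directly reachable)"
        return 0
    fi
    echo "BAD: $3 is not on the $1/$2 LAN; this router cannot deliver to it" >&2
    return 1
}

# The misconfiguration in the post: outer router pointing at the inner LAN side.
check_forward 192.168.1.254 24 192.168.9.1 || true
# The fix: point the outer router at the inner router's WAN address.
check_forward 192.168.1.254 24 192.168.1.100
# Inner router rule, which the post says is already correct.
check_forward 192.168.9.1 24 192.168.9.100
```

The same check applies after switching to the static addresses shown above (192.168.1.5 and 192.168.9.2): the targets stay on their respective LANs, and the advantage is simply that they no longer move.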
Best Answer
So, if I understood your question, you have:
And you want to:
You can achieve that by creating an SSH tunnel, doing a remote forwarding from PC1 and a local forwarding from PC2.
This would be the architecture:
So to get this working, from the Ubuntu PC, PC1, you need to connect to PS using:
At this point, if you log into PC1 you may run
netstat -latn | grep 5901
and you should see it listening. This means that one half of the process is ready. Now the client connection. From PC2, if it was a Linux box too, you might use
If it is Windows, you can use PuTTY, by going to the port forwarding section under Connection/SSH/Tunnels and adding a Local port with Source port 5902 and destination localhost:5901. When clicking Add you will see in the list of forwarded ports something like L5902 localhost:5901.
Now you have two tunnels connected to a public server. If you run VNC viewer from PC2 and point to localhost:5902, you should connect to the VNC service listening on port 5900 on PC1.
Hope it helps.
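As an added example (not part of the answer above), the two ssh invocations written out as a small script, with the options a practitioner would add: -N so no shell is opened, ExitOnForwardFailure so a port that fails to bind aborts instead of silently leaving a half-working relay, and keepalives so a dead tunnel is noticed. PS is the public server from the answer; the user name "tunnel" is an assumption. Both forwards bind to loopback, so port 5901 on PS is reachable only by users already logged into PS or holding their own tunnel to it, never from the Internet.

```shell
#!/bin/sh
# Added example: the PC1 (remote forward) and PC2 (local forward) halves of
# the VNC-over-SSH relay from the answer. PS and the port numbers come from
# the answer; the user name and option choices are assumptions.
PS_HOST=${PS_HOST:-PS}
PS_USER=${PS_USER:-tunnel}
VNC_PORT=5900      # VNC server listening on PC1
RELAY_PORT=5901    # loopback port on PS where PC1 publishes its VNC service
LOCAL_PORT=5902    # loopback port on PC2 that the VNC viewer connects to

# Common hardening: no remote shell (-N), abort if a forward cannot be bound,
# and keepalives so a stale tunnel does not linger unnoticed.
SSH_OPTS="-N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3"

# PC1 side: remote forward. The explicit localhost bind address on PS (also the
# default while the server keeps GatewayPorts no) keeps 5901 off the Internet.
pc1_command() {
    echo "ssh $SSH_OPTS -R localhost:${RELAY_PORT}:localhost:${VNC_PORT} ${PS_USER}@${PS_HOST}"
}

# PC2 side: local forward from PC2's loopback 5902 to PS's loopback 5901.
pc2_command() {
    echo "ssh $SSH_OPTS -L localhost:${LOCAL_PORT}:localhost:${RELAY_PORT} ${PS_USER}@${PS_HOST}"
}

# Run on PS to confirm the relay port is bound to 127.0.0.1, not 0.0.0.0.
ps_check_command() {
    echo "ss -ltn '( sport = :${RELAY_PORT} )'"
}

case "$1" in
    pc1) eval "$(pc1_command)" ;;
    pc2) eval "$(pc2_command)" ;;
    *)
        echo "on PC1: $(pc1_command)"
        echo "on PS : $(ps_check_command)"
        echo "on PC2: $(pc2_command)"
        echo "then on PC2: vncviewer localhost:${LOCAL_PORT}"
        ;;
esac
```

Run `script pc1` on PC1 and `script pc2` on PC2 (each needs its own key or password for PS), then point the VNC viewer on PC2 at localhost:5902 as the answer describes.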