Linux – Iptables port mapping from two PCs to one

Tags: gateway, iptables, linux, networking, port-forwarding

We have 3 PCs, two of them connected to the internet (both of them have 2 NICs).

PC1:

eth0 - 1.0.0.1 (external IP)
eth1 - 172.16.0.1 (internal IP)

PC2:

eth0 - 1.0.0.2 (external IP)
eth1 - 172.16.0.2 (internal IP)

PC3:

eth0 - 172.16.0.3 (internal IP)

Now we want to forward port 80 from PC1 and PC2 to PC3.

But there is the problem: iptables port forwarding works well from PC1 or PC2, but only if PC3 has PC1 or PC2 as its gateway.

IPtables rules (for PC1):

iptables -t nat -A PREROUTING  -p tcp -d 1.0.0.1 --dport 80 -j DNAT --to-destination 172.16.0.3:80
iptables -A FORWARD -p tcp -d 172.16.0.3 --dport 80 -j ACCEPT

So, the question is: can we have port mapping from both PC1 and PC2 regardless of the gateway settings on PC3?

Thank you in advance.

Best Answer

You've only rewritten the destination.

You need to change the source address to be from PC1 or PC2, so the reply packets can also be NATted. And you need to change the destination address so that the packet will go to PC3. Rewriting both the source and the destination is called "dual NAT".

You need to do the DNAT in the PREROUTING chain and the SNAT in the POSTROUTING chain. Like this (for PC1):

iptables -t nat -A PREROUTING -p tcp -m tcp -d 1.0.0.1 --dport 80 -j DNAT \
  --to-destination 172.16.0.3:80
iptables -t nat -A POSTROUTING -p tcp -m tcp -d 172.16.0.3 --dport 80 \
  -j SNAT --to-source 172.16.0.1
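As an added example (not the answerer's code), the dual NAT above as one script that works on PC1 and PC2 alike, plus the pieces the answer leaves implicit: enabling IP forwarding and letting the request and its replies through the FORWARD chain. The `-o eth1` match, the sysctl line and the conntrack rules are my additions to the rules quoted above; the addresses are the ones from the question.

```shell
#!/bin/sh
# Dual NAT (DNAT in PREROUTING + SNAT in POSTROUTING) for one gateway.
# PC1: sh dualnat.sh apply          (defaults below are PC1's addresses)
# PC2: EXT_IP=1.0.0.2 INT_IP=172.16.0.2 sh dualnat.sh apply
# 'show' instead of 'apply' only prints the commands.
set -eu

EXT_IP="${EXT_IP:-1.0.0.1}"      # this gateway's public address (eth0)
INT_IP="${INT_IP:-172.16.0.1}"   # this gateway's internal address (eth1)
INT_IF="${INT_IF:-eth1}"         # interface facing PC3
TARGET="${TARGET:-172.16.0.3}"   # PC3, where the service really listens
PORT="${PORT:-80}"
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Emit (or apply) the complete rule set for this gateway.
dual_nat_rules() {
    # Without forwarding the kernel drops packets that are not for itself.
    run sysctl -w net.ipv4.ip_forward=1
    # 1. Rewrite the destination so the packet is routed towards PC3.
    run iptables -t nat -A PREROUTING -p tcp -m tcp -d "$EXT_IP" \
        --dport "$PORT" -j DNAT --to-destination "$TARGET:$PORT"
    # 2. Rewrite the source to this gateway's internal address: PC3 then
    #    answers to us on the local link, whatever its default gateway is.
    run iptables -t nat -A POSTROUTING -o "$INT_IF" -p tcp -m tcp -d "$TARGET" \
        --dport "$PORT" -j SNAT --to-source "$INT_IP"
    # 3. Allow the forwarded request and, by conntrack state, its replies.
    run iptables -A FORWARD -p tcp -d "$TARGET" --dport "$PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    apply) dual_nat_rules ;;
    show)  DRY_RUN=1 dual_nat_rules ;;
esac
```

Because of the SNAT, PC3's web server logs record 172.16.0.1 or 172.16.0.2 instead of the real client address; that address only survives in the conntrack table on PC1 or PC2, so keep that in mind for auditing.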