LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

#1  asidko  (09-28-2018, 02:11 PM)
Twice NAT question


Hi guys.

I have the following schema:
host 1 (linux eth0 - 192.168.172.2/28)
host 1 (linux eth0:700 - 192.168.172.5/28)
host 2 (windows 10.5.8.7/24)
host 3 (windows 172.18.72.7)

A VPN tunnel permits 192.168.172.2 access to 10.5.8.7:3389/tcp; I can open host2's RDP at 10.5.8.7 from host1, no problem.
I have a route and a fully open path between 172.18.72.7 and 192.168.172.2.
host 3 has NO routes to host 2 and everything to it is rejected.

The idea is:
open RDP to host 2 from host 3 by accessing host 1's eth0:700, but all replies from host2:3389/tcp need to be rewritten.

I set up iptables PREROUTING and POSTROUTING NAT rules at host1 like this:

enable IP forwarding
++++++++++
echo 1 > /proc/sys/net/ipv4/ip_forward

create subinterface
++++++++++
/sbin/ifconfig bond0:701 192.168.172.5 netmask 255.255.255.240

setup iptables
++++++++++

dnat
iptables -A PREROUTING -t nat -p tcp -d 192.168.172.5 --dport 7777 -j DNAT --to-destination 10.5.8.7:3389

snat
iptables -t nat -A POSTROUTING -s 10.5.8.7 -d 192.168.172.5 -j SNAT --to-source 192.168.172.2

After I try to open host2:7777 from host3 I see the PREROUTING hit count grow (green below) but no POSTROUTING hits (red below) at host1:

+++++++++++
sam@st1:~$ sudo iptables -t nat -vnL --line-numbers
Chain PREROUTING (policy ACCEPT 728 packets, 36803 bytes)
num pkts bytes target prot opt in out source destination
23 49 44604 DNAT tcp -- bond0 * 0.0.0.0/0 192.168.172.5 tcp dpt:7777 to:10.5.8.7:3389


Chain INPUT (policy ACCEPT 356 packets, 17986 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 1299 packets, 97190 bytes)
num pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 1299 packets, 97190 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 SNAT all -- * * 10.5.8.7 192.168.172.5 to:192.168.172.2
sam@st1:~$


Could somebody tell me what's wrong?

Thank you.
#2  Ser Olmy  (09-30-2018, 05:46 PM)
I'm sorry, but your post doesn't make it clear how your network is designed.

It sounds like you're trying to do port forwarding from TCP/192.168.172.5/7777 to 10.5.8.7:3389, while at the same time doing... something... to traffic from the host 10.5.8.7.

The port forwarding itself should work, but beware of possible asymmetric routing issues. After all, the forwarded packet from 192.168.172.5 will still have the original source address, so unless 192.168.172.5 is actually a router/gateway somewhere in the return path, the reply packet will never be de-NATed.

But I'm just guessing here, because I don't really understand your setup. A diagram would be really nice; even ASCII art would help enormously.
#3  asidko (Original Poster)  (10-01-2018, 01:14 PM)
Quote:
Originally Posted by Ser Olmy View Post
I'm sorry, but your post doesn't make it clear how your network is designed.

It sounds like you're trying to do port forwarding from TCP/192.168.172.5/7777 to 10.5.8.7:3389, while at the same time doing... something... to traffic from the host 10.5.8.7.

The port forwarding itself should work, but beware of possible asymmetric routing issues. After all, the forwarded packet from 192.168.172.5 will still have the original source address, so unless 192.168.172.5 is actually a router/gateway somewhere in the return path, the reply packet will never be de-NATed.

But I'm just guessing here, because I don't really understand your setup. A diagram would be really nice; even ASCII art would help enormously.
I need to get following:
When host3 connects to host1:7777/tcp, the connection has to be forwarded to host2:3389/tcp with host1 as the source. host1 needs to rewrite the source IP of the returning packets from host2:3389/tcp to host1:7777/tcp.
In simple words: I need host1 to rewrite host3's source and destination IP, for forwarded and returning packets.
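The rule set the requirement in #3 describes, and the asymmetric-routing point raised in #2, as an added example that is not part of any post in this thread: host1 DNATs host3's connection to host2's RDP port and, on the way out over the VPN, SNATs it to its own permitted address 192.168.172.2, so host2 only ever answers host1 and needs no route to host3. Two facts the rules rely on: the nat table is consulted only for the first packet of each connection, and conntrack reverses both translations on the replies by itself. That is why no explicit rule for return traffic is needed, and why a POSTROUTING rule matching "-s 10.5.8.7" (as in the original post) can never record a hit. The VPN interface name (tun0), bond0 as the ingress interface (taken from the counter output above) and the variable names are assumptions; the FORWARD rules are included so that enabling ip_forward does not turn host1 into a general-purpose router.

```shell
#!/bin/sh
# Added example (not from the thread): "twice NAT" (DNAT + SNAT) on host1 so that
# host3 -> host1:7777 reaches host2:3389 while host2 sees only host1's VPN address.
# Interface names are ASSUMPTIONS; adjust them to the real topology.
set -eu

HOST1_LAN_IP="192.168.172.5"   # alias host3 connects to (eth0:700 / bond0:701 in the post)
HOST1_VPN_IP="192.168.172.2"   # the only address the VPN allows towards host2
HOST2_IP="10.5.8.7"            # RDP server
HOST3_IP="172.18.72.7"         # the only client permitted through
LISTEN_PORT="7777"
RDP_PORT="3389"
LAN_IF="bond0"                 # interface host3's packets arrive on (from the nat counters)
VPN_IF="tun0"                  # ASSUMPTION: interface carrying the VPN tunnel to host2

# Print the rules instead of applying them, so they can be reviewed first.
gen_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# 1. DNAT: first packet of a new connection host3 -> host1:$LISTEN_PORT is rewritten to host2:$RDP_PORT.
iptables -t nat -A PREROUTING -i $LAN_IF -s $HOST3_IP -d $HOST1_LAN_IP -p tcp --dport $LISTEN_PORT -j DNAT --to-destination $HOST2_IP:$RDP_PORT
# 2. SNAT: the same (already DNATed) packet leaving over the VPN gets host1's VPN address as source,
#    so host2 replies to host1 and never needs a route to host3. Replies are un-NATed by conntrack.
iptables -t nat -A POSTROUTING -o $VPN_IF -d $HOST2_IP -p tcp --dport $RDP_PORT -j SNAT --to-source $HOST1_VPN_IP
# 3. Least privilege: only this flow and its replies may be forwarded; everything else is dropped.
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -s $HOST3_IP -d $HOST2_IP -p tcp --dport $RDP_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Apply the generated rules (needs root); comment lines are stripped before execution.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    gen_rules | grep -v '^#' | sh -eux
}

# Inspect the result: the nat counters should show the DNAT and SNAT rules each hit once per
# new connection, and the conntrack entry should show both the original and the translated tuple.
show_state() {
    iptables -t nat -vnL --line-numbers
    conntrack -L -p tcp --dport "$RDP_PORT" 2>/dev/null || true
}

# Usage:  sh twice-nat.sh         -> print the rules
#         sh twice-nat.sh apply   -> apply them (as root)
#         sh twice-nat.sh state   -> show nat counters and conntrack entries
case "${1:-print}" in
    apply) apply_rules ;;
    state) show_state ;;
    *)     gen_rules ;;
esac
```

Note what is deliberately absent: no rule touches packets with source 10.5.8.7. Once the first SYN has been DNATed and SNATed, conntrack holds the mapping (172.18.72.7 -> 192.168.172.5:7777 on one side, 192.168.172.2 -> 10.5.8.7:3389 on the other) and rewrites every reply on its own; a nat rule written for the reply direction is dead code, which is exactly what a 0-packet counter in POSTROUTING tells you.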
 
  

