LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
02-02-2009, 02:25 PM   #1
casolorz
LQ Newbie, Registered: Feb 2009, Posts: 11
Iptables forwarding from gateway back to the inside network


We have a bunch of machines on a private subnet and we can port forward to them really easily; however, they cannot access the port forwards by going to the gateway IP.
So for example:

iptables -A FORWARD -i eth0 -d ${PRIVATE_SUBNET}.3 -p tcp --dport 3341 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3341 -j DNAT --to-destination ${PRIVATE_SUBNET}.3

From the outside world, if I go to the IP of eth0 on port 3341 it works just fine. But if I go from the inside LAN to port 3341 on the eth0 IP, it all fails.

How can I allow the gateway to forward ports back into the LAN when those ports are requested from the LAN?

Thanks,

--Carlos
 
02-02-2009, 04:34 PM   #2
dorian33
Member, Registered: Jan 2003, Location: Poland, Warsaw, Distribution: LFS, Gentoo, Posts: 591
Think about the packets which are sent back as a reply.

Host A (on the local network) sends a packet to host B (IP:3341) and expects the reply to have src = IP.
But you have the rule
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3341 -j DNAT --to-destination ${PRIVATE_SUBNET}.3
which means the returned packet will have src = ${PRIVATE_SUBNET}.3, since that is the IP of the replying host.

As a result, the reply received by A has an "incorrect" src = ${PRIVATE_SUBNET}.3 instead of the expected IP.
 
02-02-2009, 04:47 PM   #3
casolorz (Original Poster)
LQ Newbie, Registered: Feb 2009, Posts: 11
Quote:
Originally Posted by dorian33 View Post
Think about the packets which are sent back as a reply.

Host A (on the local network) sends a packet to host B (IP:3341) and expects the reply to have src = IP.
But you have the rule
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3341 -j DNAT --to-destination ${PRIVATE_SUBNET}.3
which means the returned packet will have src = ${PRIVATE_SUBNET}.3, since that is the IP of the replying host.

As a result, the reply received by A has an "incorrect" src = ${PRIVATE_SUBNET}.3 instead of the expected IP.
So how can I make it so PublicIP:3341 goes to ${PRIVATE_SUBNET}.3 from the outside world and from the LAN?
I know my IPCop does that just fine, but I can't figure out how it's doing it.

Thanks,

--Carlos
 
02-02-2009, 06:24 PM   #4
dorian33
Member, Registered: Jan 2003, Location: Poland, Warsaw, Distribution: LFS, Gentoo, Posts: 591
The whole trick is to force both the query and the reply to be sent via the router.

When the LAN host (A) sends the query, the packet goes to the router (since its dst address is public) and is then routed to the LAN host S (server) with IP ${PRIVATE_SUBNET}.3.
When host S receives the query packet, it sees it as sent directly from A (the src address in the query packet belongs to the LAN subnet). So the reply is sent directly to A rather than to the router.

Therefore you have to make host S send the reply to the router, by changing the src address in the query packet received by S.

Looks like this (or something similar) will help:
# POSTROUTING only takes -o (not -i), and it runs after the PREROUTING DNAT,
# so the destination to match here is already ${PRIVATE_SUBNET}.3, not ${PUBLIC_IP}.
# The -s match limits the SNAT to LAN-originated connections.
iptables -t nat -A POSTROUTING -o eth1 -s ${PRIVATE_SUBNET}.0/24 -d ${PRIVATE_SUBNET}.3 -p tcp --dport 3341 -j SNAT --to-source ${PUBLIC_IP}
(eth1 is the LAN interface)

This way host S will send the reply to host B (the router) rather than directly to host A.
The router will then undo the SNAT and the DNAT and send the packet on to host A.

I hope I didn't make a mistake above...
And remember you need to allow forwarding of the packets from S to A as well.
 
02-03-2009, 01:26 PM   #5
casolorz (Original Poster)
LQ Newbie, Registered: Feb 2009, Posts: 11
Thanks for the reply. I think I understand the problem. I am still trying to get the iptables commands correctly. I'll post back once I get it working.
 
02-03-2009, 03:18 PM   #6
casolorz (Original Poster)
LQ Newbie, Registered: Feb 2009, Posts: 11
Quote:
Originally Posted by casolorz View Post
Thanks for the reply. I think I understand the problem. I am still trying to get the iptables commands correctly. I'll post back once I get it working.
OK, I have fixed it, but I don't like my fix. My problem was that I did my PREROUTING match on the interface and not on the destination IP. So I used -i eth0 instead of -d ${PUBLIC_IP}:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination ${PRIVATE_SUBNET}.3
As soon as I switch it to -d it starts working.
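The two halves of the thread fit together into one rule set: the DNAT must match on the public address (this post) so that packets arriving on the LAN interface are also rewritten, and a POSTROUTING SNAT (reply #4) must force the server's reply back through the router so the client sees the source address it expects. The script below is an added example, not casolorz's or dorian33's configuration. Interface names, addresses and the port are assumptions set as overridable defaults. It prints the rules by default and only applies them when run as root with the argument `apply`.

```shell
#!/bin/sh
# Hairpin (NAT loopback) port forward for one TCP port. Added example;
# every value below is an assumption for illustration. Override them in the
# environment, e.g. PUBLIC_IP=198.51.100.7 FWD_PORT=8080 sh hairpin.sh
WAN_IF=${WAN_IF:-eth0}                   # interface that carries the public address
LAN_IF=${LAN_IF:-eth1}                   # interface facing the private subnet
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}     # address clients on both sides connect to
LAN_NET=${LAN_NET:-192.168.1.0/24}       # private subnet behind LAN_IF
FWD_TARGET=${FWD_TARGET:-192.168.1.3}    # internal server that receives the forward
FWD_PORT=${FWD_PORT:-3341}               # forwarded TCP port

# Print the complete rule set, one command per line.
#  - DNAT matches "-d $PUBLIC_IP", not "-i $WAN_IF": a LAN client's packet
#    arrives on $LAN_IF, so an interface match on the WAN side never fires.
#  - Two NEW-state FORWARD rules: WAN->LAN for Internet clients and
#    LAN->LAN (in and out on $LAN_IF) for the hairpinned ones; replies are
#    covered by the ESTABLISHED,RELATED rule.
#  - The SNAT runs after the DNAT, so it matches the rewritten destination
#    $FWD_TARGET. "-s $LAN_NET" limits it to LAN-originated connections, so
#    Internet clients keep their real source address in the server's logs;
#    hairpinned LAN clients all appear as $PUBLIC_IP, which is the price of
#    making the server answer via the router.
hairpin_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d $PUBLIC_IP -p tcp --dport $FWD_PORT -j DNAT --to-destination $FWD_TARGET
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $FWD_TARGET -p tcp --dport $FWD_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $LAN_IF -d $FWD_TARGET -p tcp --dport $FWD_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $FWD_TARGET -p tcp --dport $FWD_PORT -j SNAT --to-source $PUBLIC_IP
EOF
}

# Number of iptables commands in the rule set (the sysctl line is not counted).
count_rules() {
  hairpin_rules | grep -c '^iptables'
}

# Apply the rules idempotently: each "-A" is first tried as a "-C" check so
# re-running the script does not append duplicate rules.
apply_rules() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "apply_rules: must run as root" >&2
    return 1
  fi
  hairpin_rules | while IFS= read -r cmd; do
    chk=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
    eval "$chk" 2>/dev/null || eval "$cmd"
  done
}

if [ "${1:-}" = "apply" ]; then
  apply_rules
else
  hairpin_rules
fi
```

To confirm the hairpin is actually in effect, watch the connection from the router with `conntrack -L -p tcp --dport 3341` (from the conntrack-tools package): a LAN client's entry shows the original tuple towards the public address and the reply tuple coming from the internal server with the SNATed source, which is exactly the double rewrite reply #4 describes.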
 
  

