My previous routing experience has been mostly with Cisco routers. Cisco's NAT overloading translates both sides of the connection with a single command.
If you specify that the incoming connection be translated to a different port, IOS automatically translates both sides of the connection. Sure, there are some firewall adjustments too, but as far as the NAT goes, that's all that was needed.
My current reality:
I have a client running multiple Windows machines behind a Linux router. We would like to be able to connect to RDP (port 3389) from the internet, but through a different incoming port, say, 10110.
These are the commands I was trying to use in my firewall.user script:
iptables --table nat --append prerouting_wan --protocol TCP --in-interface $WAN --dport 44344 --jump DNAT --to-destination [MyPrivateIP]:3389
iptables --append forwarding_wan --protocol TCP --destination [MyPrivateIP] --dport 3389 --jump ACCEPT
Not surprisingly, these aren't doing the job.
The problem seems to be a matter of connection tracking.
I need to figure out how to implement a one-to-one port mapping for both incoming and outgoing traffic, but to have the port re-mapping take effect only when a matching inbound connection originates on the WAN interface.
Implementing two rules, one changing the inbound traffic and one for outbound might work, but that method would be static and too restrictive. After all, the internal hosts may need to communicate on that port without the modifications to the destination port.
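As an added example (not from the original post), here is the single-rule form of the port map described above, with connection tracking doing the reverse translation. It assumes the OpenWrt-style prerouting_wan / forwarding_wan chains that appear in the post's firewall.user script; the interface name, addresses and ports are constructed.

```shell
#!/bin/sh
# One DNAT rule is enough: it rewrites the destination of the inbound packet
# that opens the connection, and conntrack reverses that rewrite on every
# reply packet, so no separate "outbound" rule is needed. Because the rule
# matches only on the WAN interface, LAN hosts that talk to the internal
# machine directly on 3389 are not touched.
# Set DRY_RUN=1 to print the commands instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# add_port_forward WAN_IF WAN_PORT LAN_IP LAN_PORT [ALLOWED_SRC]
# ALLOWED_SRC is an optional source CIDR; when given, only that network
# can use the forward (sensible for an administrative service such as RDP).
add_port_forward() {
    wan_if=$1; wan_port=$2; lan_ip=$3; lan_port=$4; src=${5:-}
    src_match=""
    if [ -n "$src" ]; then
        src_match="--source $src"
    fi

    # 1. nat/prerouting_wan: map WAN_PORT -> LAN_IP:LAN_PORT, WAN side only.
    run iptables --table nat --append prerouting_wan --protocol tcp \
        --in-interface "$wan_if" $src_match --dport "$wan_port" \
        --jump DNAT --to-destination "$lan_ip:$lan_port"

    # 2. filter/forwarding_wan: accept the new connection. Matching on the
    #    translated port is correct here, since DNAT in PREROUTING has
    #    already happened when the packet reaches the forwarding chains.
    run iptables --append forwarding_wan --protocol tcp \
        --in-interface "$wan_if" --destination "$lan_ip" --dport "$lan_port" \
        --match conntrack --ctstate NEW --jump ACCEPT

    # 3. Replies in both directions ride on the tracked connection. Most
    #    base rulesets already have this rule; a duplicate is harmless.
    run iptables --insert FORWARD 1 \
        --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
}
```

Run it as `add_port_forward eth0.2 10110 192.168.1.50 3389 203.0.113.0/24`; `conntrack -L --dst-nat` then lists the active translations, which is the quickest way to confirm the mapping is used only by WAN-originated connections.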