Hi All,
I need help in configuring iptables.
I have a gentoo server with eth0 (Public network interface) and eth1 (internal LAN interface).

I have to listen to a socket on eth0 and forward all the incoming tcp conections(New, established, related) to a host connected to eth1.


The following are the iptables rules;
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 10.184.19.28 --source 167.156.144.179 --dport 13566 -j DNAT --to-destination 8.8.8.1:18562
iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 8.8.8.1 --dport 18562 -j ACCEPT
iptables -A FORWARD -p tcp -i eth1 -o eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -p tcp -o eth1 -d 8.8.8.1 --dport 18562 -j SNAT --to-source 10.184.19.28:15460

I face this issue.
When a new incoming connection on eth0 is received, the iptables rules can successfully forward the SYN to my host in the LAN and the host successfully replies with a SYNACK.

However, my gentoo box, on receiving SYNACK, terminates the connection with RST.

Did I miss anything in the iptables rules?

Your Gentoo box is the one providing NAT services, then?

I haven't done NAT on GNU/Linux, but my WAG is you need an explicit ESTABLISHED,RELATED rule. Otherwise, the NAT server sees at as an unwanted, unsolicited packet.

By my liking it is completely wrong. Why you need NAT for this IP/port?
Actually RST to SYN/ACK is expected behaviour and your IPtables rules actually allows kernel to send RST in response to unsolicited SYN/ACK (it is unsolicited SYN/ACK, because of your weird NAT).

Actually you do trick to prevent it.

Best way is to do it with IPtables:
It should work