I have never specified nat with the ip command and don't really know what it does. But I have DNATed before and have never needed such a thing. Your DNAT command looks right to me and I would think it should be sufficient by itself ... assuming the return packets from the Webserver are sent back through the firewall. You can do this either by having the routing table of the webserver send Internet bound packets to your firewall or you can (in addition to DNAT) SNAT the incoming packets such that they appear to be coming from the firewall.
I've tried skimming the ip man page to find out what nat does. Perhaps that is intended for doing the SNAT I mentioned? You can certainly accomplish an SNAT with a rule in iptables' POSTROUTING chain. I also found this in the ip man page and wonder whether it is relevant. (The emphasis is mine.)
nat - a special NAT route. Destinations covered by the prefix are considered to be dummy (or external) addresses which require translation to real (or internal) ones before forwarding. The addresses to translate to are selected with the attribute Warning: Route NAT is no longer supported in Linux
I realize this post is a bit rambling, but I hope it helps anyway.
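The DNAT-plus-SNAT setup the answer above describes, written out as an added example (this is not the poster's own configuration). Every interface name and address is a constructed placeholder, and the script prints the commands by default (DRY_RUN=1) so it can be read and checked without root or a real firewall:

```shell
#!/bin/sh
# Added example (not from the original post): a dry-run-capable script that
# sets up the DNAT described above plus the optional SNAT that makes the web
# server's replies return through the firewall. All interface names and
# addresses are constructed placeholders.
WAN_IF="eth0"             # assumed Internet-facing interface
LAN_IF="eth1"             # assumed internal interface
LAN_IP="192.168.1.1"      # assumed firewall address on the LAN
WEB_IP="192.168.1.20"     # assumed internal web server
PORT="80"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Forwarding between interfaces must be enabled or DNATed packets are dropped.
enable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=1
}

# DNAT: rewrite the destination of inbound web traffic to the internal server.
dnat_rule() {
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$WEB_IP:$PORT"
}

# Let the translated connections through the FORWARD chain. The destination is
# already rewritten here because PREROUTING runs first; replies are matched by
# conntrack state rather than by a second explicit port rule.
forward_rules() {
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_IP" --dport "$PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# SNAT: only needed when the web server's default route does NOT point at the
# firewall. The server then sees the firewall as the client and answers it, so
# both directions traverse the firewall and conntrack can undo both rewrites.
snat_rule() {
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -d "$WEB_IP" --dport "$PORT" \
        -j SNAT --to-source "$LAN_IP"
}

apply_all() {
    enable_forwarding
    dnat_rule
    forward_rules
    snat_rule
}

apply_all
```

Run it as `DRY_RUN=0 sh script.sh` on the firewall to apply the rules. The choice between the two return-path options in the answer has a logging consequence worth noting: with the SNAT rule, the web server's access logs record the firewall's LAN address for every client, so the original client IP survives only in the firewall's connection tracking; routing the server's Internet-bound traffic through the firewall instead keeps the real client address visible on the server.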