iptables rules to NAT or FORWARD packets between LAN clients

hi all,
trouble solving the following problem:

Code:

     A (router)
     |
     |
     |--------|
     |        |   
     B--------C

A=router WAN x.x.x.x LAN 192.168.1.1
B=debian server 192.168.1.2
C=Win 2003 machine 192.168.1.3

shortly: A has NAT enabled, default server is B, so every incoming connection reaches B.
for a reason which would be long to explain, I need to transfer incoming connection to B at port 3389 (rdp) to C at port 60001.

iptables -A PREROUTING -t nat -p tcp -d 192.168.1.2 --dport 3389 -j DNAT --to-destination 192.168.1.3:60001

packets reaches C but I suppose I need to have them routed on the way back. How do I do that? SNAT or MASQUERADING? with a couple of SNAT rules it roughly works, but I'm sure I'm missing something.

suggestions?

regards

If my understanding is correct, you have two NIC cards in B with one connected to A and one connected to C? If so you need to have IP forwarding enabled on B and add rules to the FORWARD chain on B so that packets that are destined for C with route through B.

check your default gateway on Machine C. I've screwed that part up before on a Win2k3 Terminal Server.

clarifying, B has only 1 NIC and is in LAN with A and C.
with FORWARD I think I would have problem with the way back of the packet, moreover I cannot change the port when forwarding. I could first REDIRECT then FORWARD to C_IP with new port, but still something on the way back is missing.
my solution has been:

iptables -A PREROUTING -t nat -p tcp -d B_IP --dport 3389 -j DNAT --to-destination C_IP:60001
iptables -A POSTROUTING -t nat -p tcp -d C_IP --dport 60001 -j SNAT --to-source B_IP:3389

fore some reason it starts working slowly, than the connection hangs and timeout.
Instead if on the second rule I just enter --to-source B_IP (without specifiing any port) looks working good.
Any idea why? Might be beacuse the outgoing port B is using is not the 3389 but any 25xxx or similar higher port, so expecting the packet on the way back on the same port?

finally is this nat solution the correct one or some forwarding rule should be better?

thanks

Hi, sorry to revive an old thread, but can anyone explain if/why this works? I have exactly the same scenario and can't find a solution anywhere.

What kind of a router is "A"?

1. appliance,
2. dedicated distro (SmoothWall, IPCop, etc.),
3. home grown,
4. other?

Is this a clearer picture of the LAN?

Code:

              +----------+
 (       )    |    A     |
(  'Net   )===|  router  |
 (       )    +----------+
                |      |
              +---+  +---+ 
              | B |  | C | 
              +---+  +---+