LinuxQuestions.org
Old 11-03-2022, 07:39 AM   #1
dalacor
How do I forward (Route) Packets to Internet. Only works if I NAT


If I use this firewall rule:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.2

I can ping google, my email works, tracert works etc. That is assuming I have the relevant forwarding rules for each port in place. However, I do not want to NAT the traffic as I need the packets to appear as if they came from the original computer, not the firewall computer!

Problem is, I cannot work out how to do this. I have confirmed that IP Forwarding via kernel is loaded at boot time - packet forwarding is definitely on at boot time. I tried setting forwarding rules with both -i eth1 -o eth0 and other scenarios like that. But if I remove the POSTROUTING rule (i.e. NAT), then I cannot connect to the Internet, ping anything, Imap email doesn't connect etc.

I have the following IP setup:

External IP Address of Firewall - 192.168.1.2
Internet Router IP Address - 192.168.1.1 (This is the gateway on the Firewall Computer)
Internal IP Address of Firewall - 10.10.8.1
My PC IP Address - 10.10.8.2 and my PC gateway is 10.10.8.1 (internal IP address of firewall PC) and my dns server is 192.168.1.1 (my Internet Router).

I have shown my firewall rules below as working when using NAT and POSTROUTING. I have tried changing the forwarding rules to things like -i eth1 -o eth0 for DNS, mail and ICMP etc and removed Postrouting rule. But nothing works unless I use NAT on the firewall. I have tried allowing all traffic through - so removing the Drop Policy Rules again with no effect. I also see no errors in the firewall Logs. So I believe (and speak under correction), that my problem is not a firewall rule per se, but rather that if I am not using NAT (i.e. postrouting), then my computer (and/or the firewall) doesn't know where to send the traffic for the Internet! It seems more like a routing table issue, rather than a firewall access issue. But I would have thought that having the firewall computer as my computer's gateway and having the Internet Router as the firewall's gateway would in theory allow traffic to be routed?

What am I missing for RIP?

These are my firewall rules for just ICMP, DNS and email, to keep it simple.

Code:
#!/bin/bash
# New Client Firewall

# Start from a clean rule set so re-running the script does not append
# duplicate rules or fail when recreating the LOGGING chain

iptables -F
iptables -t nat -F
iptables -X
ip6tables -F
ip6tables -X


# Policy Rules

# Ipv4 traffic

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Ipv6 traffic

ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP


# Established and Related Rules

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT


# NAT Rules (Prerouting, Postrouting and Output Chains)

# Rewrites the source address of LAN traffic leaving eth0 to the
# firewall's external address so replies come back to the firewall

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 192.168.1.2

# Filter Rules (Input, Output and Forward Chains)

# UDP and TCP Port 53 DNS resolution for the LAN

iptables -A FORWARD -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -p tcp --dport 53 -j ACCEPT

# TCP Port 465 SMTP over implicit TLS (SMTPS), sending email

iptables -A FORWARD -p tcp --dport 465 -j ACCEPT

# TCP Port 587 SMTP submission with STARTTLS, sending email

iptables -A FORWARD -p tcp --dport 587 -j ACCEPT

# TCP Port 993 IMAP over TLS (IMAPS), receiving email

iptables -A FORWARD -p tcp --dport 993 -j ACCEPT

# ICMP (ping and related messages) to the Internet; ICMP has no ports

iptables -A FORWARD -p icmp --icmp-type any -j ACCEPT

# Logging

# Log IPv4 Dropped Traffic

iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A FORWARD -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP

# Log IPv6 Dropped Traffic

ip6tables -N LOGGING
ip6tables -A INPUT -j LOGGING
ip6tables -A OUTPUT -j LOGGING
ip6tables -A FORWARD -j LOGGING
ip6tables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPv6-IPTables-Dropped: " --log-level 4
ip6tables -A LOGGING -j DROP
 
Old 11-03-2022, 10:31 AM   #2
smallpond
10.10.x.x is a local address. It is not unique and not routable over the internet. You can send packets with that source address, but you will never get a reply.
 
Old 11-03-2022, 10:48 AM   #3
killerhippy
Hello dalacor,

Good point from smallpond, which is true; I assume you know that already and that there is a need to do what you asked.

I think there is no need to use iptables.

What if you add a route from your 10.x.x.x network to the 192.168.1.x network and a default route to 192.168.1.2?
 
Old 11-04-2022, 09:55 AM   #4
KatrinAlec
So you want to use RIP and therefore you need the local IP address routed via the internet and to show up on the other side as the original local addresses?

If that is the case you will have to use a tunnel.

Look up gre tunneling and based on that you might want to consider an ipsec tunnel.
 
Old 11-06-2022, 12:14 PM   #5
dalacor
Sorry for the very late reply.

I realise that 10.10.x.x is a private IP Address range. I would not expect that to be routable over the Internet itself. The Draytek Internet Router would obviously use NAT at that point. Perhaps I am asking the wrong question. Should I be using Postrouting to connect computers in a Lan behind a firewall to the Internet even when I have an Internet Router that is already doing NAT?

My impression was that Prerouting and Postrouting was only supposed to be used to make things like Internal Website Servers or Mail Servers appear to be sending from the Public IP Address because one is already prerouting traffic from the Public IP address to that Internal Server.

In my particular case on my test site and at one of my clients, I have a Draytek Internet Router which already converts my private IP Address (whether that is the proxy server or the actual original PC) to the Draytek Router Public IP Address and then sends it on to the Internet. So I wouldn't have thought that I needed to do NAT on the proxy server as well as on the Draytek Router? If my computer was connected directly to the Draytek Router (no proxy server), I obviously don't need Postrouting - so why do I need it with a proxy server if my Draytek Router is the Dns Server and Gateway for my firewall PC?

The source traffic I am interested in is any traffic coming from Site B to Site A over the Lan to Lan VPN that I have set up on the Draytek Routers. However, I presume the proxy servers on both sites would be the source ip address instead of the original servers. I will have to do some testing with src ip of Server A to destination Server B firewall rules and see what happens. The end aim is that I want to restrict say tcp 135 traffic between domain controllers on both sites and in order to do that, the proxy servers on both sites need to know the actual source IP address of the Servers, not the NAT ip address. I was led to understand that Postrouting is not what I need to achieve this.
 
Old 11-06-2022, 01:35 PM   #6
elgrandeperro
KatrinAlec is right. You want to preserve source but there is no way to do that unless you encapsulate it to pass through the internet to your end point. Any NAT is supposed to NAT, not leak your source ip.
GRE.
You can do this router/router, or host to host. Stunnel, ssh (limited) host to host. Gre/IPSec router to router.
 
Old 11-07-2022, 01:46 AM   #7
KatrinAlec
Anything you send out to the internet needs to get converted to a public IP or the answers wouldn't find their way back.

So in your private network A you have the client A 192.168.0.2/24
in your second private network B you have the server B 192.168.1.2/24.

Both networks are only connected via internet.

Your network A has the public address 1.1.1.1
and your network B has the public address 2.2.2.2

So you probably have a gateway to the internet 192.168.0.1 in network A and 192.168.1.1 in network B.
These gateways also have the public IP-addresses.

So client A has to call 2.2.2.2 or it won't get to the network B, and server B has to call 1.1.1.1 or it won't get back to network A.

You probably have more than one client or server in those networks, but all of them know their gateway.

If you call 192.168.1.2 from 192.168.0.2 that will go to the gateway because it's not in the same subnet, but either the gateway will refuse to put it on the internet or at the very least it will never go to 2.2.2.2 because gateway A doesn't know it should send it there.

If you call 2.2.2.2 from 192.168.0.2 it will arrive at the gateway of B but then that won't know to send it to 192.168.1.2 because that information is lacking.

GRE
Tell gateway A to pack anything that wants to go to 192.168.1/24 into a frame with the address 2.2.2.2
and tell gateway B to pack anything that wants to go to 192.168.0/24 in a frame that goes to 1.1.1.1
Both gateways will unpack that kind of frame and reveal the original IP address.
That way the client A can call 192.168.1.2 and that goes via gateway A, gets sent to 2.2.2.2, gets unpacked by gateway B and then there is the original destination.
Answer from B does the same thing backwards.
Private IP addresses and ports are preserved that way.

NAT
Tell gateway A to replace the original source private IP address by its own (SNAT, which is always done post routing).
That doesn't influence the destination IP, so client A has to call 2.2.2.2 already.
So between client A and server A packet is from 192.168.0.2 to 2.2.2.2
on the internet between gateway A and gateway B packet is from 1.1.1.1 to 2.2.2.2
it arrives at gateway B and there it needs another NAT, this time a DNAT (which has to be done pre routing).
That replaces the original destination with 192.168.1.2.
You can either replace anything with destination 2.2.2.2, which might have its disadvantages
or you could only replace things from 1.1.1.1 that go to 2.2.2.2 and want the destination port of 80 or something similar.
So between gateway B and server B you see from 1.1.1.1 to 192.168.1.2.
So the answer packet goes to 1.1.1.1 from 192.168.1.2 and needs the same changes backwards, but that should be done automatically by the gateways if you use conntrack.

IPSEC
You basically use the GRE method, but you scramble anything between 1.1.1.1 and 2.2.2.2 and back.
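The two paths KatrinAlec walks through, modelled as an added Python example (not code from this thread): packets are (src, dst) pairs, the GRE gateways wrap and unwrap them, and the NAT gateways each rewrite one end and keep a conntrack entry so the reply can be rewritten back. The addresses are the constructed ones from the post above; the model makes visible what a source-based rule on server B's side actually gets to match on under each scheme.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    inner: "Pkt | None" = None   # set only on a GRE outer frame

# Constructed addresses, taken from KatrinAlec's walkthrough above
CLIENT_A, SERVER_B = "192.168.0.2", "192.168.1.2"
GW_A_PUB, GW_B_PUB = "1.1.1.1", "2.2.2.2"

# --- GRE: wrap the private packet in a gateway-to-gateway frame, unwrap on the far side
def gre_encap(p: Pkt, outer_src: str, outer_dst: str) -> Pkt:
    return Pkt(outer_src, outer_dst, inner=p)

def gre_decap(p: Pkt) -> Pkt:
    if p.inner is None:
        raise ValueError("not a GRE frame")
    return p.inner   # inner src/dst are exactly what client A wrote

def via_gre(request: Pkt) -> tuple[Pkt, Pkt]:
    """Returns (packet as server B sees it, reply as client A sees it)."""
    at_b = gre_decap(gre_encap(request, GW_A_PUB, GW_B_PUB))
    reply = Pkt(at_b.dst, at_b.src)
    return at_b, gre_decap(gre_encap(reply, GW_B_PUB, GW_A_PUB))

# --- NAT: rewrite addresses, and keep a conntrack entry so the answer can be rewritten back
class NatGateway:
    def __init__(self) -> None:
        self.conntrack: dict[tuple[str, str], tuple[str, str]] = {}  # reply (src,dst) -> original

    def snat(self, p: Pkt, new_src: str) -> Pkt:   # POSTROUTING, gateway A
        self.conntrack[(p.dst, new_src)] = (p.src, p.dst)
        return Pkt(new_src, p.dst)

    def dnat(self, p: Pkt, new_dst: str) -> Pkt:   # PREROUTING, gateway B
        self.conntrack[(new_dst, p.src)] = (p.src, p.dst)
        return Pkt(p.src, new_dst)

    def un_nat(self, reply: Pkt) -> Pkt:           # reverse translation for the answer
        orig_src, orig_dst = self.conntrack[(reply.src, reply.dst)]
        return Pkt(orig_dst, orig_src)

def via_nat(request: Pkt) -> tuple[Pkt, Pkt]:
    """Client A has to address 2.2.2.2 here; both gateways rewrite one end each."""
    gw_a, gw_b = NatGateway(), NatGateway()
    on_wire = gw_a.snat(request, GW_A_PUB)        # 1.1.1.1 -> 2.2.2.2 across the internet
    at_b = gw_b.dnat(on_wire, SERVER_B)            # 1.1.1.1 -> 192.168.1.2 inside site B
    reply = Pkt(at_b.dst, at_b.src)                # 192.168.1.2 -> 1.1.1.1
    return at_b, gw_a.un_nat(gw_b.un_nat(reply))
```

Under GRE server B sees 192.168.0.2 as the source, so a per-host rule there can match the real client; under NAT it only ever sees 1.1.1.1, which is why the original poster's source-based filtering cannot work through SNAT.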
 
Old 11-07-2022, 05:12 AM   #8
dalacor
I think what I will do first is go through my Iptables firewall rules and see if I can get everything to work using destination IP only and review whether I really need source IP Address anywhere. I didn't realise it was going to be complicated. Most of my traffic (Internet traffic), I want to use NAT and only route traffic between sites. But I have a feeling that just having the destination IP Address for RDP and Ports 135 and 443 should be sufficient.

My network setup is already quite complicated at the client in question as I have a 10.x internal network on Site A and a slightly different 10.x internal network at site B. Then in addition to that I have the Draytek Routers on a completely different subnet at each site using a 10.14.x range so that all Internal traffic on 10.x has to go through the proxy server internal IP address and out the external IP address 10.14.x and then onto the Router and from then on outwards to either the actual Internet or over the Lan to Lan VPN.

I obviously misunderstood my research on Postrouting and had assumed that this was only meant to be used with Internal Servers that computers outside connect to such as websites, mail servers etc. Obviously this is not the case. My first priority should actually be to evaluate whether I really need source IP addresses to be retained or not. I would say that there really are only about 3 or 4 ports that really need to be opened between the two networks and that would be WSUS 8531, DNS 53, Replication of DC and DFS so ports 135 and 443 as well as RDP 3389 to the servers of course. One or two more. So I just have to think whether I really need source ip addresses or not.

I will come back to this question, when I have reviewed my Firewall Rules and let you know the outcome. But I am beginning to think that it would be easier to restrict source IP addresses on the Servers Windows Firewalls themselves. I can allow only IP address range xyz to connect to Server via RDP for example. So I could in theory control both source and destination, just using different methods.
 
Old 11-07-2022, 09:32 AM   #9
smallpond
In order to get routing to work through your firewall without NAT, the router needs to know to send packets with a 10.10.8.x dest address to your firewall and to do source NAT on packets received from the firewall with a 10.10.8.x address. By default, the router will only do this for its local 192 subnet.
 
  


All times are GMT -5.