Hi,
I'm an iptables n00b and have a scenario I need some help with. I'll try my best to explain clearly.

I have 2 boxes.

Box1
* eth0(public IP)
* /26 (public), I'll refer to these as Box1Public1, Box1Public2, Box1Public3 etc. Different network to eth0

Box2
* eth0(public IP) - different network to Box1
* /24 (private), I'll refer to them as Box2Private1, Box2Private2, Box2Private3 etc.


I'm trying to setup rules to NAT a few of the Box1 Public Addresses to Box2's private addresses.

ie.

RandomBox SSH => Box1Public1 => (nat on Box1) => Box2 => (nat on Box2) => Box2Private1

So far I have managed to get the first NAT to work....Ie I am reaching Box2, but how do I get to the private IP of Box2?
I used the following on Box1:
iptables -t nat -A PREROUTING -p tcp -d <Box1Public1> -j DNAT --to-destination <Box2Eth0>
iptables -t nat -A POSTROUTING -j MASQUERADE

So now I am getting the packets onto Box2, I need to identify them as having gone through Box1Public1 in order to NAT again to the correct Private IP.

Am I using the right approach by using DNAT. I'm guessing I can't modify the source address as then the packets would never get back to the originating address.

Any pointers?

Thanks for reading.

NAT can be a bitch to get right

"I'm guessing I can't modify the source address as then the packets would never get back to the originating address."
You should NAT the source too, as the connection needs to go back through Box1. Otherwise RandomBox will get a reply to an SSH request from an unexpected IP and will drop it.

What I did in a similar situation was make a vpn between the two servers and save myself some natting

Nik