Aha. I am working on this now!
I have just added the following to the ‘NAT and Virtual Servers Script’ on a test system here:
iptables -t nat -A PREROUTING -d 192.168.0.252 -p tcp --dport 80 -j DNAT --to 192.168.254.200
iptables -A FORWARD -p tcp --dport 80 -d 192.168.0.200 -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -p tcp --dport 80 -d 192.168.0.200 -j MASQUERADE
WAN IP in my case in this test setup is 192.168.0.252. LAN web server is 192.168.254.200.
This initially did not work – I did notice that it added the following line to POSTROUTING – this looked right and I thought it *should* work. Alas no.
MASQUERADE tcp -- * * 192.168.0.0/24 192.168.0.200 tcp dpt:80
However – if I enable the LAN interface (ETH0) as NAT (move it from left to right in the NAT settings page) – then all of a sudden it works! Hurrah! The additional line added to POSTROUTING when enabling NAT on the LAN interface was:
MASQUERADE all -- * ETH03 0.0.0.0/0 0.0.0.0/0
I only had NAT enabled on the WAN interface – that just seemed to work fine and there was never a need to enable NAT on the LAN interfaces as well…..
I then experimented – thinking perhaps I could remove the first two lines – but alas – this only works with all three lines – even if I already configured a Virtual Server to route traffic from WAN to LAN.
So now I have this working in my test setup – I just have to take a deep breath and apply it to live. Adding NAT to ETH3 seems like a bit of a blunderbuss method – if someone has an idea of how to achieve a working solution without having to NAT everything on ETH3 – or can spot why this script isn’t working on its own – that would be my preferred solution I think.
Nearly there with this anyway….
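As an added example that is not part of the post above, the script below builds the same three-rule hairpin NAT ("NAT reflection") set for a LAN web server reached via the router's WAN address, but scopes the POSTROUTING masquerade to LAN-originated traffic that was DNATed to the server, rather than masquerading everything leaving the LAN interface. The WAN address 192.168.0.252 and server address 192.168.254.200 are taken from the post; the LAN subnet, the interface name eth3, the variable names, and the choice to print the rules instead of applying them are assumptions. Note that the post's second and third rules name 192.168.0.200 while the web server is given as 192.168.254.200; keeping the server address in one variable, as below, is an easy way to stop the three rules from drifting apart.

```shell
#!/bin/sh
# Added example (not from the original post): generate hairpin-NAT rules for a
# LAN web server that clients on the same LAN reach via the router's WAN address.
# Assumed (not from the post): LAN_NET, LAN_IF name, and that rules are printed
# for review rather than applied. Pipe the output into sh to apply them.

WAN_IP="192.168.0.252"        # router's WAN address (from the post)
SERVER_IP="192.168.254.200"   # LAN web server (from the post)
LAN_NET="192.168.254.0/24"    # LAN subnet holding server and clients (assumed)
LAN_IF="eth3"                 # LAN interface name (assumed)
PORT="80"

hairpin_rules() {
  # 1. DNAT: any packet (from WAN or LAN) addressed to WAN_IP:PORT is rewritten
  #    to the server. PREROUTING sees LAN clients' packets too, so one rule covers both.
  printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s\n' \
    "$WAN_IP" "$PORT" "$SERVER_IP"
  # 2. FORWARD: only accept forwarded traffic to the server that was actually
  #    DNATed by rule 1, so nothing else is opened towards the server.
  printf 'iptables -A FORWARD -d %s -p tcp --dport %s -m conntrack --ctstate DNAT -j ACCEPT\n' \
    "$SERVER_IP" "$PORT"
  # 3. POSTROUTING: masquerade only LAN-sourced, DNATed packets leaving on the LAN
  #    interface towards the server. Without this the server replies directly to
  #    the LAN client, which never sees the expected WAN_IP source and drops it.
  #    Scoping by source, destination, port and interface avoids masquerading
  #    all LAN traffic.
  printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp --dport %s -o %s -j MASQUERADE\n' \
    "$LAN_NET" "$SERVER_IP" "$PORT" "$LAN_IF"
}

# Consistency check: every generated rule must reference the one server address,
# which is the mismatch a reviewer would look for first in a hand-typed rule set.
server_rule_count() {
  hairpin_rules | grep -c -- "$SERVER_IP"
}

# Total number of rules emitted.
rule_count() {
  hairpin_rules | wc -l | tr -d ' '
}

hairpin_rules
```

After applying the rules, `iptables -t nat -L POSTROUTING -v -n` shows a packet counter on the scoped MASQUERADE rule; if it stays at zero while a LAN client tests the WAN address, the source subnet or interface in rule 3 does not match the client's path and the reply will still bypass the router.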