
I am having some issues with the classic problem of DNAT/SNAT port forwarding, with the added complexity of multiple networks and subnets being involved. I want to forward a port from a VPS server of mine to a system on my home network. The VPS is connected to this network via OpenVPN and statically routes my home subnets; the VPS itself makes these available via OpenVPN, but this isn't so important.

I am trying to add these two iptables rules to the VPS server to achieve this...

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination 192.168.1.4:2222
# iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.4 --dport 2222 -j SNAT --to-source 10.8.0.1

(I have tried a few variations on the above)

However, I can't seem to SSH to my VPS on this port. For some context, my home network's router address relative to the VPS is 10.8.0.1, and it is also important that the port is only opened on the VPS server's eth0 interface.

I find this explains the concepts here, run from the VPS server...

# ping -c1 192.168.1.4
PING 192.168.1.4 (192.168.1.4) 56(84) bytes of data.
64 bytes from 192.168.1.4: icmp_seq=1 ttl=63 time=5.60 ms

--- 192.168.1.4 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 5.601/5.601/5.601/0.000 ms
# traceroute 192.168.1.4
traceroute to 192.168.1.4 (192.168.1.4), 30 hops max, 60 byte packets
 1  10.8.0.1 (10.8.0.1)  6.644 ms  6.597 ms  7.511 ms
 2  192.168.1.4 (192.168.1.4)  7.473 ms  7.446 ms  7.415 ms

If you are curious, things are like this because my phone connects to this VPS via OpenVPN where it gets its internet but also access to the LAN at home seamlessly. I have been doing this for a while because it allows for easy access when I am on the move to my CCTV system and home automation tools.

This shows the OpenVPN client tunnel interface's IPv4 configuration for my VPS to the home network...

# ip -4 addr show dev tun1
9: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    inet 10.8.0.3/24 scope global tun1
       valid_lft forever preferred_lft forever

And the VPS server's IPv4 routing tables...

# ip -4 route
default via 203.57.114.1 dev eth0 onlink 
10.7.0.0/24 dev tun0 proto kernel scope link src 10.7.0.1 
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.3 
192.168.1.0/24 via 10.8.0.1 dev tun1 
192.168.4.0/24 via 10.8.0.1 dev tun1 
192.168.84.0/24 via 10.8.0.1 dev tun1 
673.557.514.0/24 dev eth0 proto kernel scope link src 673.557.514.231

(I redacted the last line of the above into an impossible IPv4 address for my own privacy)

I am a bit stumped on what to do with this simple port forward in this more complex setup. Unfortunately, searching just finds me the same things over and over on ordinary NAT port forwarding.

1 Answer


I have resolved my own problem, where I have found the answer by messing around and finding out. I also failed to delete POSTROUTING rules from the nat table properly while testing things.

This was the solution...

# iptables -t nat -A POSTROUTING -p tcp -d 192.168.1.4 --dport 2222 -j SNAT --to-source 10.8.0.3

To my home LAN network, this VPS server's IP address is 10.8.0.3 and the system on the LAN is 192.168.1.4; this allows things to work properly. I would normally delete a question over things like this, but I am sure many would be plagued by doubt in this situation like I was, and that this will help those people.
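As an added example (not code from the original question or answer), the POSIX shell script below derives the SNAT source the VPS must use toward a given destination from its own routing table and then prints the DNAT/SNAT rules. The routing table embedded in it is a constructed copy of the one in the question, with the redacted eth0 line replaced by a placeholder from the 203.0.113.0/24 documentation range; the function names snat_source_for and forward_rules are hypothetical. It generalises the answer to any destination: a route with a "via" next hop carries no local address, so the script falls back to the connected route on the same device, which is why tun1's own 10.8.0.3 is the right source and the next hop 10.8.0.1 is not.

```shell
#!/bin/sh
# Added example, not from the original post. Derives the address the VPS must
# SNAT to for a given destination from its own routing table, then prints the
# DNAT/SNAT rules. On a real host replace ROUTES with "$(ip -4 route)".

# Constructed copy of the routing table in the question; the redacted eth0
# line is replaced by a placeholder from the 203.0.113.0/24 documentation range.
ROUTES='default via 203.57.114.1 dev eth0 onlink
10.7.0.0/24 dev tun0 proto kernel scope link src 10.7.0.1
10.8.0.0/24 dev tun1 proto kernel scope link src 10.8.0.3
192.168.1.0/24 via 10.8.0.1 dev tun1
192.168.4.0/24 via 10.8.0.1 dev tun1
192.168.84.0/24 via 10.8.0.1 dev tun1
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.231'

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> success when IP lies inside NET/BITS
in_cidr() {
    net=${2%/*}; cbits=${2#*/}
    [ "$cbits" -eq 0 ] && return 0          # /0 matches everything
    mask=$(( (4294967295 << (32 - cbits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# snat_source_for DEST (hypothetical helper): longest-prefix match DEST against
# ROUTES. A "via" route carries no local address, so fall back to the
# connected ("proto kernel ... src") route on the same device. For 192.168.1.4
# that yields tun1's 10.8.0.3, the address the answer uses.
snat_source_for() {
    dest=$1; best_bits=-1; best_dev=""; best_src=""
    while read -r prefix rest; do
        [ -n "$prefix" ] || continue
        if [ "$prefix" = default ]; then cidr=0.0.0.0/0; bits=0
        else cidr=$prefix; bits=${prefix#*/}; fi
        in_cidr "$dest" "$cidr" || continue
        [ "$bits" -gt "$best_bits" ] || continue
        best_bits=$bits
        best_dev=$(printf '%s\n' "$rest" | sed -n 's/.*dev \([^ ]*\).*/\1/p')
        best_src=$(printf '%s\n' "$rest" | sed -n 's/.*src \([^ ]*\).*/\1/p')
    done <<EOF
$ROUTES
EOF
    if [ -n "$best_src" ]; then echo "$best_src"; return 0; fi
    printf '%s\n' "$ROUTES" | awk -v d="$best_dev" '{
        dev=""; src=""
        for (i = 1; i < NF; i++) { if ($i == "dev") dev = $(i+1); if ($i == "src") src = $(i+1) }
        if (dev == d && src != "") { print src; exit }
    }'
}

# forward_rules WAN_IF PORT DEST (hypothetical helper): print the two nat rules
# from the question, with the SNAT source taken from the routing table.
forward_rules() {
    wan_if=$1; port=$2; dest=$3
    src=$(snat_source_for "$dest")
    [ -n "$src" ] || { echo "no usable route to $dest" >&2; return 1; }
    echo "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $port -j DNAT --to-destination $dest:$port"
    echo "iptables -t nat -A POSTROUTING -p tcp -d $dest --dport $port -j SNAT --to-source $src"
}

forward_rules eth0 2222 192.168.1.4
```

The script only prints the rules; applying them still needs root and a check that no stale POSTROUTING entries remain in the nat table (iptables -t nat -S POSTROUTING), which the answer notes tripped up its own testing.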
