Maybe iptables has a very funny bug or the bug is in my head.

I have some virtual servers running with xen on my physical server (which also has the firewall) to connect to the virtual servers I have some ports defined for ssh connections:

  $IPTABLES -t nat -A PREROUTING -i eth0 -d $extip1 -p tcp --dport 10006 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to-destination ${intip1}:22
  $IPTABLES -A FORWARD -p tcp --dport 22 -s $maintenanceip -d $intip1 -i eth0 -o dummy0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -p tcp --sport 22 -d $maintenanceip -s $intip1 -o eth0 -i dummy0 -m state --state ESTABLISHED,RELATED -j ACCEPT
So when I connect from external to the extip1 IP address (port 10006), I get to port 22 on the intip1 server. Works perfect.

The problem I get now: When I try to ssh from intip2 to extip1 (port 10006) I would assume that the firewall blocks a forwarding to port 10006 - but the firewall blocks a incomming to extip1, port 22 (yes!!! 22!!!). So somehow the code above changes the 10006 port to 22 (when called from dummy0 network) without redirecting.

IN=dummy0 OUT= PHYSIN=vif11.0 MAC=... SRC=intip2 DST=extip2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5845 DF PROTO=TCP SPT=42354 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
the ssh (ssh -v -p 10006 extip2) shows that it tries to connect to the 10006 port.

Am I stupid or what??? The 10006 to 22 nat forwarding is defined for eth0 only. Even if the internal dummy0 should trigger the rule, it should be forwarded, but for internal dummy0 only the port is changed with no forwarding.

Any help would be REALLY great, as this drives me crazy...