This is an issue I've been struggling with for quite a while now.
I have a PPTP server that's on the LAN and has a LAN IP address. That server has GRE and TCP port 1723 forwarded to it by the router, which runs netfilter/iptables.
The same issue, which I'll describe pretty soon, happens with a phone system (Asterisk) that I have on the LAN, which only has a LAN address and has UDP port 5060 forwarded to it by the same router.
Here is the syntax that I used in order to forward the ports. I'll only note one of the cases; the same applies to the other three:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 1723 -j DNAT --to-destination 10.12.35.8
iptables -A FORWARD -p tcp -d 10.12.35.8 --dport 1723 -j ACCEPT
The forwarding works great, and I have phones and other PCs PPTP'ing in and registering phones to my LAN.
The problem is with my LAN hosts: once the forwarding rules are applied, they are unable to use those services. For example, if I PPTP VPN from one of my LAN hosts to an outside address, it will actually VPN to my LAN PPTP server.
This is understandable, due to the fact that the router will forward all traffic as it's commanded to.
I have tried numerous "tricks": using the WAN interface instead of just "eth0" is one example; the other one would be only forwarding "SYN" packets to the inside host, excluding the LAN source address with the "!" directive. But I'm hitting a wall: either hosts from the world are able to access the services on my LAN, or my LAN hosts are able to get to the world and use those services. I cannot get both to work at the same time.
If someone has got this same feature to work on their router, their help would be greatly appreciated.
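The rules in the post match on port alone, so any TCP/1723 packet the router sees, including a LAN host's own connection to an outside VPN server, is rewritten. The script below is an added example (not the poster's configuration) that scopes each DNAT rule to packets arriving on the WAN interface and addressed to the router's public IP, so only traffic aimed at the router itself is redirected. It assumes a WAN interface eth1 with public address 203.0.113.10 (documentation-range placeholder), the PPTP server at 10.12.35.8, and an assumed Asterisk address 10.12.35.9; IPT defaults to a dry run that only prints the rules.

```shell
#!/bin/sh
# Added example: destination-scoped port forwarding with iptables.
# Assumed values (not from the post): WAN interface eth1, public IP 203.0.113.10,
# Asterisk at 10.12.35.9. The PPTP server 10.12.35.8 is the one in the post.
WAN_IF=${WAN_IF:-eth1}
WAN_IP=${WAN_IP:-203.0.113.10}
# Dry run by default: prints the rules instead of applying them.
# Run as root with IPT=iptables to really install them.
IPT=${IPT:-"echo iptables"}

# forward_port PROTO PORT INTERNAL_HOST
# Only packets that enter on the WAN interface AND are addressed to the router's
# public IP are rewritten. A LAN host connecting to some other server on the same
# port has a different destination, does not match, and is routed normally.
forward_port() {
    proto=$1; port=$2; host=$3
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$host"
    # Accept only new inbound connections from the WAN side to the published port.
    $IPT -A FORWARD -i "$WAN_IF" -p "$proto" -d "$host" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# forward_gre INTERNAL_HOST
# GRE has no ports, so it is scoped by interface and destination address only.
forward_gre() {
    host=$1
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p gre \
        -j DNAT --to-destination "$host"
    $IPT -A FORWARD -i "$WAN_IF" -p gre -d "$host" -j ACCEPT
}

# Reply traffic for forwarded connections and for the LAN hosts' own outbound
# sessions (including their PPTP and SIP sessions to outside servers).
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

forward_port tcp 1723 10.12.35.8   # PPTP control channel
forward_gre 10.12.35.8             # PPTP data channel (GRE)
forward_port udp 5060 10.12.35.9   # SIP signalling for Asterisk (assumed host)
```

The original rule's `-i eth0` only helps if eth0 is the WAN interface; if it is the LAN side, the match selects exactly the traffic that should be left alone, which is the symptom described in the post.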