learninglinux
I am running RH FC4.
I have a vpn tunnel set up to a site and have source NAT working for traffic to the site (successfully) with the following commands:
/sbin/iptables -t nat -A PREROUTING -s X.X.X.0/24 -i ! eth0 -j ACCEPT
/sbin/iptables -t nat -A POSTROUTING -d X.X.X.0/24 -o ! eth0 -j SNAT --to-source 192.168.204.90
I want to allow traffic that originates from the other side of the vpn tunnel to reach a server on my network, but since it only knows my network by the 192.168.204.90 address the packets get lost once they reach my network. I have tried the following command to route the incoming traffic to the correct server but it does not seem to work:
/sbin/iptables -t nat -A PREROUTING -s X.X.X.73 -d 192.168.204.90 -i ipsec0 -j DNAT --to-destination 10.19.184.2
/sbin/iptables -A INPUT -i ipsec0 -j ACCEPT
/sbin/iptables -A FORWARD -i ipsec+ -j ACCEPT
I see the traffic coming from the VPN tunnel (tcpdump -i ipsec0 host X.X.X.73) and on eth0 (tcpdump -i ipsec0 host X.X.X.73), but I do not see it on eth1, which is connected to my local network. Can anyone tell me if my iptables DNAT command is set up correctly to forward the incoming traffic from the VPN tunnel to the local network? If not, then do you have any suggestions as to how to make it work?
Thanks
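An added worked example, not part of the original post, showing the rule order a practitioner would check first and the diagnostics that follow. One thing visible in the rules above: the first nat PREROUTING rule (-s X.X.X.0/24 -i ! eth0 -j ACCEPT) also matches a packet from X.X.X.73 arriving on ipsec0, and in the nat table ACCEPT ends NAT processing for that connection, so a DNAT rule appended after it is never consulted. The script below inserts the DNAT ahead of anything already loaded, restricts FORWARD to the server and to established replies (conntrack reverses the DNAT on the reply, so the far side still sees 192.168.204.90), and prints the checks to run when DNATed packets never show up on the LAN side. Interface names, the NAT address 192.168.204.90, the server 10.19.184.2 and the placeholders X.X.X.73 / X.X.X.0/24 are taken from the post; DRYRUN, VPN_IF, LAN_IF, NAT_ADDR, SERVER, REMOTE_HOST, REMOTE_NET and the function names are this example's own assumptions. It does not use the -i ! eth0 negation, so it works with both the old and the current iptables syntax.

```shell
#!/bin/sh
# Added example (not from the original post): DNAT an inbound VPN flow to an
# internal server, with the rule-order fix and the checks to run afterwards.
# Assumptions: the post's ipsec0 / eth1, 192.168.204.90 (address the far side
# sees), 10.19.184.2 (internal server) and the post's X.X.X.* placeholders,
# which the operator replaces via the environment variables below.
set -u

VPN_IF="${VPN_IF:-ipsec0}"
LAN_IF="${LAN_IF:-eth1}"
NAT_ADDR="${NAT_ADDR:-192.168.204.90}"
SERVER="${SERVER:-10.19.184.2}"
REMOTE_HOST="${REMOTE_HOST:-X.X.X.73}"
REMOTE_NET="${REMOTE_NET:-X.X.X.0/24}"
DRYRUN="${DRYRUN:-1}"   # 1 = print the commands, 0 = execute them (needs root)

# Print or execute a command, depending on DRYRUN.
run() {
    if [ "$DRYRUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Rule set. In the nat table an ACCEPT ends NAT processing for the connection,
# so the DNAT must sit in front of any broad ACCEPT already in PREROUTING;
# -I ... 1 puts it at the top regardless of what is currently loaded.
dnat_rules() {
    run iptables -t nat -I PREROUTING 1 -i "$VPN_IF" -s "$REMOTE_HOST" -d "$NAT_ADDR" \
        -j DNAT --to-destination "$SERVER"
    # FORWARD sees the packet after DNAT, i.e. already addressed to $SERVER
    # and routed out $LAN_IF, so match the translated destination here.
    run iptables -I FORWARD 1 -i "$VPN_IF" -o "$LAN_IF" -s "$REMOTE_HOST" -d "$SERVER" -j ACCEPT
    # Replies from $SERVER: conntrack restores $NAT_ADDR as the source, so match
    # on connection state rather than on addresses.
    run iptables -I FORWARD 1 -i "$LAN_IF" -o "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# True when the kernel forwards IPv4. $1 lets a test point at another file.
check_forwarding() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# What to look at when the DNATed packets never appear on $LAN_IF.
diagnose() {
    check_forwarding || echo "ip_forward is 0: sysctl -w net.ipv4.ip_forward=1"
    run ip route get "$SERVER"             # must leave via $LAN_IF
    run ip route get "$REMOTE_HOST"        # replies must go back via $VPN_IF
    run iptables -t nat -L PREROUTING -v -n --line-numbers   # DNAT counters must increment
    run iptables -L FORWARD -v -n --line-numbers
    run tcpdump -ni "$LAN_IF" host "$SERVER"
}

case "${1:-show}" in
    show)     dnat_rules ;;
    apply)    DRYRUN=0; dnat_rules ;;
    diagnose) diagnose ;;
esac
```

Run it with no argument to see the rules, with apply as root to load them, and with diagnose to print the checks. If the nat PREROUTING counters for the DNAT rule stay at zero while the ACCEPT rule's counters climb, the ordering described above is the cause; if the counters increment but nothing reaches eth1, look at the two ip route get results and at ip_forward.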