My problem still remains however Grant. I would have to create another DNAT rule to match each existing *real* public DNAT rule that currently exists to DNAT traffic from the Internet. Do you have any further ideas for me? Given that a packet can have both the src and dst IP address rewritten in it's one trip through iptables, it seems to me that it should be possible for two rewrites to happen at once. My thinking it perhaps breaking the nat table into several chains? Any other suggestions, you've been most helpful so far.
The only other thing that comes to mind would be to use iphash (IP)sets of destination IP addresses on your original DNAT rules. This would cause your iptables rule to match based on the destination of your external IP of your firewall OR your external IP of your DSL modem (/router) and DNAT the traffic to the real server on your 2nd internal subnet. Here is an example rule for what you would need:
iptables -t nat -A PREROUTING -m set --set My_IP_Set dst -j DNAT --to-destination <relevant.internal.server>:<tcpservice>
To support this rule you would need to do the following (likely before you issued the above rule):
ipset -N My_IP_Set iphash ipset -A My_IP_Set 10.0.0.1 ipset -A My_IP_Set <Public IP>
As stated before this should cause your one iptables rule to match packets that are destined to any IP in the ip set "My_IP_Set" and DNAT said packets to the <relevant.internal.server>:<tcpservice>. I know that this is not the multiple passes through the iptables chains like you were asking for, but I think it will provide a solution comparable to the result that you were after. Rather than have a rule that will alter traffic such that it will be caught by another rule and then altered again why not have a rule that will catch either type of traffic.
Grant. . . .
