I am wondering if I am doing something legitimate, or if it's against TCP/IP (I am a physicist by education, so I do not know).

I have box A that has one connection to the WAN and one connection to the LAN. On box A, eth0 has the public IP 1.2.3.4 and eth1 has the private IP 10.0.0.1.

I have box B that also has one connection to the WAN and another one to the same LAN. On B, eth0 has the public IP 5.6.7.8 and eth1 has the private IP 10.0.0.2.

I configured iptables on box A to forward packets destined for 1.2.3.4:3000 to the destination 10.0.0.2:3000, i.e. to box B. This part works; I checked with tcpdump.

Now, box B, after receiving a SYN packet via box A on eth1, sends an ACK packet directly through its WAN interface eth0 to the client. If I do not configure POSTROUTING SNAT, those ACK packets appear to originate from 10.0.0.2, so they are rejected by the client.

My question is: if I configure SNAT on box B so that the ACK packets appear to come from box A (i.e. from 1.2.3.4), would this be a legitimate configuration? In other words, a SYN packet is sent to one machine, forwarded via the LAN to another machine, and the ACK packet is sent from the second machine with the source IP of the first machine. For that matter, all incoming packets from the client are received by A, then forwarded to B, and all response packets are sent directly from B to the client. Is this a legitimate configuration?
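The two rule sets the question describes, written out as an added example (this is not the asker's configuration, only a reconstruction of it from the post). It emits the rules as text so they can be reviewed before being applied, and adds a third set showing the symmetric alternative, in which B's replies are routed back through A and A's connection tracking reverses the DNAT on its own. The addresses, interface names and port are the question's; the helper functions, the `--apply-*` flags, routing table 100 and fwmark 1 are assumptions of this script.

```shell
#!/bin/sh
# Added example, not part of the original post. Interface names, addresses and
# the port are taken from the question; table 100, fwmark 1 and the helper
# functions are assumptions of this script.

WAN_A_IP=1.2.3.4   # box A eth0
LAN_A_IP=10.0.0.1  # box A eth1
LAN_B_IP=10.0.0.2  # box B eth1
PORT=3000

# Box A: rewrite the destination of packets arriving on eth0 for 1.2.3.4:3000
# so they are routed out eth1 to box B, and permit the forwarded flow in both
# directions (the return rule only matters if replies come back through A).
box_a_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i eth0 -p tcp -d $WAN_A_IP --dport $PORT -j DNAT --to-destination $LAN_B_IP:$PORT
iptables -A FORWARD -i eth0 -o eth1 -p tcp -d $LAN_B_IP --dport $PORT -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -p tcp -s $LAN_B_IP --sport $PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Box B, as proposed in the question: replies leaving eth0 get A's public
# address as their source.
box_b_snat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s $LAN_B_IP --sport $PORT -j SNAT --to-source $WAN_A_IP
EOF
}

# Box B, symmetric alternative: mark locally generated replies for port 3000
# and route them out eth1 via A instead of via the default route on eth0.
box_b_symmetric_rules() {
    cat <<EOF
iptables -t mangle -A OUTPUT -p tcp -s $LAN_B_IP --sport $PORT -j MARK --set-mark 1
ip route add default via $LAN_A_IP dev eth1 table 100
ip rule add fwmark 1 table 100
EOF
}

# Number of nat-table rules in a rule set (a sanity check on the generated text).
count_nat_rules() {
    "$1" | grep -c -- '-t nat' || true
}

# Apply a rule set on the current host, only when explicitly requested and root.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    "$1" | sh -e
}

case "${1:-}" in
    --apply-a)      apply_rules box_a_rules ;;
    --apply-b-snat) apply_rules box_b_snat_rules ;;
    --apply-b-sym)  apply_rules box_b_symmetric_rules ;;
    "") ;;  # no argument: only define the functions and print nothing
    *) echo "usage: $0 [--apply-a|--apply-b-snat|--apply-b-sym]" >&2; exit 2 ;;
esac
```

Two points worth checking before choosing the SNAT variant. First, the nat table is consulted only for the first packet of a connection; on box B that first packet is the SYN that arrived on eth1, so by the time the SYN-ACK is generated the connection already has a conntrack entry with no NAT mapping and the POSTROUTING SNAT rule is not evaluated for it. Second, a packet leaving B's uplink with source 1.2.3.4, an address not assigned to that link, looks like a spoofed source to the upstream provider and is commonly discarded by ingress filtering. The symmetric rule set avoids both issues: the reply travels back to A, where the existing DNAT state rewrites the source to 1.2.3.4 automatically.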