Linux: DNAT does not work for clients inside the NAT router

[ATC]

A private network 10.0.0.0/24 was set up with a web server and a windos client. The NAT router was configured with a DNAT rule to allow external clients to reach the web server via the public IP address.

iptables -A POSTROUTING -t nat -s 10.0.0.0/24 -o eth0 -j MASQUERADE
iptables -A PREROUTING -d ${ME} -t nat -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 10.0.0.234:80

This configuration worked as expected, with one exception: The windos client on the inside could not communicate with the web server via the public IP address.

[ATC]

The web server was trying to send reply packets directly to the client, using the private IP addresses.

Changed

iptables -A POSTROUTING -t nat -s 10.0.0.0/24 -o eth0 -j MASQUERADE

to read

iptables -A POSTROUTING -t nat -s 10.0.0.0/24 -j MASQUERADE

thus masquarading all traffic from 10.0.0.0/24, even traffic going back to that network. This is necessary for DNAT to work for clients on the inside :-)