Use iptables as router

I have the following setup:

(schematic overview of setup)

client:   192.168.103.55

"router": 192.168.103.30 (eth3), 192.168.102.30 (eth2)

server-1: 192.168.102.21 (eth2)
server-2: 192.168.102.22 (eth2)


The router is actually a small linux machine, running iptables.



The goal is to configure iptables in such a way that I can ping from the servers (192.168.102.21 and .22) to the client (192.168.103.55), via the router (192.168.102.30 at the server side and 192.168.103.30 at the client side).



The servers have a route configured as:



192.168.103.55 via 192.168.102.30 dev eth2 


On the router I have configured the following rules in iptables:



*filter
:INPUT ACCEPT [1610193:248234329]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1945999:238163662]
-A FORWARD -i eth3 -j ACCEPT
-A FORWARD -o eth3 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -o eth2 -j ACCEPT
COMMIT
# Completed on Wed May 2 08:26:55 2018
# Generated by iptables-save v1.4.21 on Wed May 2 08:26:55 2018
*nat
:PREROUTING ACCEPT [5610:715368]
:INPUT ACCEPT [2029:121740]
:OUTPUT ACCEPT [326029:19788110]
:POSTROUTING ACCEPT [326029:19788110]
-A POSTROUTING -d 192.168.103.55/32 -o eth3 -j SNAT --to-source 192.168.103.30
COMMIT


The ping from 192.168.102.21 reaches the client (192.168.103.55), and the client sends the reply towards 192.168.103.30. But the reply is not forwarded towards the client (.55). It gets stuck in the router.



What am I missing here?



Thanks in advance for your time!



=================== UPDATE ===================



Guntbert's suggestion on the forwarding was already done.



The SNAT rule is required in order for the router to know to which server to route back the ICMP reply.
In my first explanation I left out the second server. I have updated the question now to give you the full overview.



The SNAT seems to work somehow, since I can see the ICMP-reply packet going to the correct server:



[router ~]# tcpdump -ni eth2 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes

08:38:26.110245 IP 192.168.102.21 > 192.168.103.55: ICMP echo request, id 4471, seq 1, length 64
08:38:26.112722 IP 192.168.103.55 > 192.168.102.21: ICMP echo reply, id 4471, seq 1, length 64

08:39:53.238281 IP 192.168.102.22 > 192.168.103.55: ICMP echo request, id 8285, seq 1, length 64
08:39:53.239110 IP 192.168.103.55 > 192.168.102.22: ICMP echo reply, id 8285, seq 1, length 64


What actually should happen next, I think, is that the source IP (192.168.103.55) in the reply needs to be replaced by the router's IP (192.168.102.30).
Or am I wrong?










asked Apr 13 at 11:42 by Radje
edited May 8 at 18:25 by guntbert

          1 Answer
1. You need to enable packet forwarding in the kernel:

   • edit /etc/sysctl.conf and activate the line

     net.ipv4.ip_forward=1

     by removing the # at the beginning.

   • reboot, or enable the setting immediately with

     echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward

2. Don't use SNAT (in fact, don't use any kind of NAT at all). You have two networks and the router is attached to both (it has a leg in each). So remove the 3rd line of your iptables rules.

   • remove the NAT rule from the router

   • configure all systems to reach the "other" network via the router

     • on the servers, replace your route with

       192.168.103.0/24 via 192.168.102.30 dev eth2

       (this tells them how to reach the whole network, not just one client)

     • on the client, add the following route

       192.168.102.0/24 via 192.168.103.30 dev eth0

Now you will see that every packet from both servers reaches the client with its original source address. The client knows how to reach that source address and can send a reply to exactly the server that pinged it.






answered Apr 13 at 21:44 by guntbert
edited Aug 26 at 18:15 by dessert

• Hello Guntbert, the forwarding was already enabled. I need the SNAT rule in order for the router to know to which server to route back the ICMP packet. This seems to work well, as I can see the ICMP reply packet going to the correct server:
  – Radje
  May 2 at 6:56

• See above the updated question and additional findings.
  – Radje
  May 2 at 7:06

• @Radje thank you for the clarifying picture - I think I can see where you made the mistake that led you to using NAT and have amended my answer accordingly.
  – guntbert
  May 8 at 18:48
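As an added example that is not part of the question or the answer, the script below audits the three points the answer makes, offline and on embedded input: kernel forwarding on, no address-rewriting NAT on the router, and a route on every host back to the other LAN so a reply can reach the host that sent the request. The iptables-save text is the router's dump from the question with its packet counters zeroed; the sysctl lines and the per-host routing tables are constructed, and the client's routing table before the fix is an assumption (the question does not show it).

```python
"""Offline audit of the two-legged router from this thread.

Checks the three points of the answer: (1) kernel forwarding is on,
(2) the router does no NAT between the two LANs, (3) every host holds a
route back to the other LAN, so a reply can reach the original source."""
import ipaddress
import re

# The router's iptables-save dump from the question (packet counters zeroed).
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth3 -j ACCEPT
-A FORWARD -o eth3 -j ACCEPT
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -o eth2 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -d 192.168.103.55/32 -o eth3 -j SNAT --to-source 192.168.103.30
COMMIT
"""
# Same dump with the SNAT rule removed, as the answer recommends.
FIXED_SAVE = "\n".join(line for line in IPTABLES_SAVE.splitlines() if "-j SNAT" not in line)

# Constructed lines in the format `sysctl net.ipv4.ip_forward` prints.
SYSCTL_ON = "net.ipv4.ip_forward = 1"
SYSCTL_OFF = "net.ipv4.ip_forward = 0"

# Constructed routing tables: host -> (own address, [(prefix, next hop or None for on-link)]).
# BEFORE: servers hold only the /32 route from the question; the client's table is an
# assumption (the question does not show it) with no route to 192.168.102.0/24.
BEFORE = {
    "server-1": ("192.168.102.21", [("192.168.102.0/24", None), ("192.168.103.55/32", "192.168.102.30")]),
    "server-2": ("192.168.102.22", [("192.168.102.0/24", None), ("192.168.103.55/32", "192.168.102.30")]),
    "client": ("192.168.103.55", [("192.168.103.0/24", None)]),
}
# AFTER: the routes from the answer, the whole /24 via the router on each side.
AFTER = {
    "server-1": ("192.168.102.21", [("192.168.102.0/24", None), ("192.168.103.0/24", "192.168.102.30")]),
    "server-2": ("192.168.102.22", [("192.168.102.0/24", None), ("192.168.103.0/24", "192.168.102.30")]),
    "client": ("192.168.103.55", [("192.168.103.0/24", None), ("192.168.102.0/24", "192.168.103.30")]),
}


def ip_forward_enabled(sysctl_line):
    """Parse 'net.ipv4.ip_forward = N' and return True only when N is 1."""
    m = re.match(r"net\.ipv4\.ip_forward\s*=\s*(\d)$", sysctl_line.strip())
    return m is not None and m.group(1) == "1"


def parse_iptables_save(text):
    """Return {table: [rule, ...]} with the -A rules of each *table block."""
    tables, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A") and current is not None:
            tables[current].append(line)
    return tables


def nat_rules(tables):
    """Rules in the nat table that rewrite addresses (SNAT, DNAT, MASQUERADE)."""
    return [r for r in tables.get("nat", []) if re.search(r"-j (SNAT|DNAT|MASQUERADE)\b", r)]


def lookup(routes, dst):
    """Longest-prefix match over [(prefix, next_hop)]; None when no route covers dst."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, via in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


def missing_return_routes(hosts):
    """Pairs (a, b) where host a has no route to b's address, i.e. a cannot answer b."""
    return [(a, b) for a, (_, a_routes) in hosts.items()
            for b, (b_addr, _) in hosts.items()
            if a != b and lookup(a_routes, b_addr) is None]


def audit(sysctl_line, iptables_text, hosts):
    """Run all three checks; a clean setup yields False and two empty lists."""
    return {
        "forwarding_off": not ip_forward_enabled(sysctl_line),
        "nat_rules": nat_rules(parse_iptables_save(iptables_text)),
        "missing_return_routes": missing_return_routes(hosts),
    }


if __name__ == "__main__":
    print("before:", audit(SYSCTL_OFF, IPTABLES_SAVE, BEFORE))
    print("after: ", audit(SYSCTL_ON, FIXED_SAVE, AFTER))
```

Run as-is, the "before" report lists the SNAT rule and the two server addresses the client cannot route back to; the "after" report is clean. Against a real setup, feed it the output of `iptables-save` and `sysctl net.ipv4.ip_forward` from the router and each host's `ip route` rendered into the (prefix, next hop) form; a non-empty `missing_return_routes` is the routing gap the answer fixes with the two /24 routes, and any hit in `nat_rules` is the rewrite that hides the real source address from the client.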















