I have a xen machine (DomU) hosting a few VMs.
One of the VMs is called router (10.0.0.1) and is the only one of the machines supposed to be reachable from the outside.
There are other VMs which are going to receive traffic, but it has to be filtered.
Let's call one of these machines web (10.0.0.2), as it serves a webpage.
Packets coming to web follow this routing path:
xen DomU -> router -> web
DomU's configuration:
-A PREROUTING -d <external_ip> -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.1:80
-A POSTROUTING -o xenbr0 -j MASQUERADE
router's configuration:
-A PREROUTING -d 10.0.0.1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A POSTROUTING -o eth0 -j MASQUERADE
Everything works as expected.
Port 80 from the external IP is routed via router all the way to web.
There is a problem though: web sees 10.0.0.1 as the source for the connection, rather than the real client IP.
I guess this is caused by the fact that there are two DNATing iptables.
But why?
Using MASQUERADE is for NATting a source address to a public IP; you should NOT masquerade traffic coming from the internet, which it seems you are likely doing.
Therefore, remove your MASQUERADE rules entirely or, if you need them to provide internet access to internal clients, restrict the MASQUERADE to a specific subnet.
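A small simulation of the two NAT hops from the question, added here as an illustration (it is not code from the question or the answer): it models each hop's PREROUTING DNAT and POSTROUTING MASQUERADE and shows what source address web sees with the rules as posted versus with MASQUERADE restricted to the internal subnet, as the answer recommends. The client address, the external IP and the Xen host's xenbr0 address are constructed placeholders, and the -o interface match is assumed to hold on the forward path.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values: an outside client connecting to the external IP on port 80.
CLIENT_IP = "203.0.113.7"          # constructed example client address
EXTERNAL_IP = "198.51.100.10"      # placeholder for <external_ip> from the question
DOMU_BRIDGE_IP = "10.0.0.254"      # assumed xenbr0 address of the Xen host (not given in the question)
ROUTER_ETH0_IP = "10.0.0.1"        # router's eth0 address, as in the question


def nat_hop(pkt, prerouting, postrouting, hop_ip):
    """Apply one hop's nat table: PREROUTING DNAT rules first, then POSTROUTING MASQUERADE rules."""
    pkt = dict(pkt)
    for rule in prerouting:          # DNAT: rewrite the destination when dst and dport match
        if pkt["dst"] == rule["dst"] and pkt["dport"] == rule["dport"]:
            pkt["dst"] = rule["to"]
            break
    for rule in postrouting:         # MASQUERADE: rewrite the source to this hop's outgoing address
        src_match = rule.get("src")  # optional "-s <subnet>" restriction; None means match everything
        if src_match is None or ip_address(pkt["src"]) in ip_network(src_match):
            pkt["src"] = hop_ip
            break
    return pkt


def trace_to_web(restrict_masquerade):
    """Walk one packet DomU -> router -> web and return (src, dst) as web sees it."""
    src_limit = {"src": "10.0.0.0/24"} if restrict_masquerade else {}
    pkt = {"src": CLIENT_IP, "dst": EXTERNAL_IP, "dport": 80}
    # DomU: PREROUTING -d <external_ip> --dport 80 -j DNAT --to 10.0.0.1:80 ; POSTROUTING -o xenbr0 -j MASQUERADE
    pkt = nat_hop(pkt, [{"dst": EXTERNAL_IP, "dport": 80, "to": "10.0.0.1"}], [dict(src_limit)], DOMU_BRIDGE_IP)
    # router: PREROUTING -d 10.0.0.1 --dport 80 -j DNAT --to 10.0.0.2:80 ; POSTROUTING -o eth0 -j MASQUERADE
    pkt = nat_hop(pkt, [{"dst": "10.0.0.1", "dport": 80, "to": "10.0.0.2"}], [dict(src_limit)], ROUTER_ETH0_IP)
    return pkt["src"], pkt["dst"]


if __name__ == "__main__":
    print("unrestricted MASQUERADE:   ", trace_to_web(False))  # ('10.0.0.1', '10.0.0.2')
    print("MASQUERADE -s 10.0.0.0/24:", trace_to_web(True))    # ('203.0.113.7', '10.0.0.2')
```

With the rules as posted, each hop's unrestricted MASQUERADE overwrites the source, so the last hop's address (10.0.0.1) is all web ever sees; limiting MASQUERADE to the internal subnet leaves inbound connections untouched while still NATting internal clients going out.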
I believe the MASQUERADE statement on "router" is, uh, masquerading the external IP as it comes through "router".