I have a router with public IP address ADDR and private IP address 192.168.1.1. I also have a public domain DOMAIN with an A record pointing to ADDR.

The router has a built-in SMB server. I can access the SMB shares internally by typing \\ADDR\ShareName into Windows Explorer. However, I want to be able to also access them via \\DOMAIN\ShareName internally.

Currently this doesn't work because Samba is not listening on the public interface. It only listens on the private interface, and I obviously don't want to change this and introduce a security hole.

So I redirect port 445 of ADDR to 192.168.1.1 when the source is in the local subnet:

iptables -t nat -I PREROUTING 1 -s 192.168.0.0/16 -p tcp --dport 445 -j DNAT --to-destination 192.168.1.1:445

but this doesn't work for some reason, and I don't understand why. (I don't know iptables well.)

Why doesn't this work? And how can I make it work?

(And yes, cat /proc/sys/net/ipv4/ip_forward gives 1.)
This isn't something you should try to solve using iptables. Simply have a separate internal zone for your domain and make the hostname resolve to the local IP of your service.

BTW, even if iptables was the solution, your 192.168.1.1 is probably part of 192.168.1.0/24 instead of 192.168.0.0/16.
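As an added illustration of the two points in this answer (not code from either poster), the script below does two things: it generates the one-line dnsmasq override that implements the split-horizon approach, so that LAN clients resolve DOMAIN to the router's private address and never touch the public interface, and it checks whether a given client address actually falls inside the CIDR used in the rule's -s match, so the subnet in the rule can be verified against the real LAN. DOMAIN, ADDR and 192.168.1.1 are the thread's own placeholders; the client address 192.168.1.50 and the assumption that the router runs dnsmasq as the LAN resolver are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the router is the
# LAN's DNS server and runs dnsmasq; DOMAIN/ADDR are the thread's placeholders.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
# Runs in a subshell so the IFS change stays local.
ip_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Print "yes" if address $1 lies inside CIDR block $2 (e.g. 192.168.0.0/16),
# otherwise "no". This is the same test iptables applies for a -s match.
in_subnet() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    if [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]; then
        echo yes
    else
        echo no
    fi
}

# dnsmasq directive for split-horizon DNS: internal clients asking this
# resolver for $1 get the LAN address $2; the public A record for $1 (-> ADDR)
# is untouched for everyone outside.
dnsmasq_override() {
    echo "address=/$1/$2"
}

# Constructed LAN workstation address used for the demonstration.
LAN_CLIENT=192.168.1.50

echo "client $LAN_CLIENT in 192.168.0.0/16: $(in_subnet "$LAN_CLIENT" 192.168.0.0/16)"
echo "client $LAN_CLIENT in 192.168.1.0/24: $(in_subnet "$LAN_CLIENT" 192.168.1.0/24)"
echo "client 10.0.0.5 in 192.168.1.0/24:    $(in_subnet 10.0.0.5 192.168.1.0/24)"
echo "dnsmasq line for the internal zone:  $(dnsmasq_override DOMAIN 192.168.1.1)"
```

Drop the printed address= line into /etc/dnsmasq.conf (or a file under /etc/dnsmasq.d/) on the router and restart dnsmasq; after that \\DOMAIN\ShareName from a LAN client connects straight to 192.168.1.1:445 on the private interface, so Samba's listening configuration and the NAT table can stay as they are.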