I am now sure that I made a mistake when setting up port forwarding 1.5 years ago. I am the IT Manager for a local transit company. We track the buses in real time so as to be able to inform the public via multiple means just exactly where their bus is and when it will be arriving. Each vehicle has a mobile data terminal as well as GPS equipment. Zentyal is used as the gateway for our facility.
The mobile data terminals communicate via one port (bidirectional). I set up port forwarding to connect the MDTs to the middleware on the database server.
I later added a Tomcat install on the same server (vendor doesn't support running their web portal on anything besides Windows) to display where the bus was and ETA on a Google map. I linked to this web portal on our main website and set up port forwarding to the Tomcat install.
When I tested it all, everything worked except that people inside the facility couldn't just click the bus locator link on our website and get to the vendor's web portal. Easy enough to understand: the initial request would be sent to the Zentyal server, so the client on the local network would be expecting a response from the Zentyal server, not the database server.
Easy enough to fix, or so I thought. I adjusted the port forward on my internal NIC that forwarded port 8081 on to my database server to rewrite the source address. By default it will be set up as from "anywhere" and I left it that way.
Everything worked so I was happy, and over the last 18 months the details of my decisions got sort of blurry. The MDTs were working and the web portal was working for clients on the inside and the outside from the same link.
I added a new type of display for the vehicles (a consumer grade tablet) that sent on one port and received on another. I could not get it to work via cellular. I could get it to work connected to the facility wireless.
I quickly grew irritated and shipped the whole lot of them off to the vendor to troubleshoot. They identified eventually that we were not passing the real IP address into the server but instead passing in the IP of the gateway as the source address. For 18 months the firewall had been misconfigured and SNATing any traffic coming out of the Zentyal server destined for the database server. It didn't bother the older MDTs because they did all communication on the same port.
Long story short, when dealing with the "rewrite source address" option in port forwarding, one needs to really stop and think hard before one accepts the "from anywhere" default.
I created a network object that covered the IP address range allocated to my DHCP server and selected that instead of "anywhere".
DNAT is destination rewriting and happens during prerouting (affects inbound traffic)
SNAT is source rewriting and happens during postrouting (affects outbound traffic)
My error was to not consider that "outbound traffic" means from my server to both internal IPs and external IPs and from anywhere included my own gateway server.
I will spend the weekend retyping all of the firewall rules using edlin as penance.
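A small model of the two NAT hooks described in the post, added here as an example (not the author's Zentyal configuration or any Zentyal code). All addresses, the /24 LAN range and the port-8081 rule are constructed assumptions. The same client packet is pushed through PREROUTING DNAT and then POSTROUTING SNAT under three settings: no source rewrite, rewrite for "anywhere", and rewrite restricted to the LAN range. For each case it reports which source address the database server sees and whether the server's reply can make it back to the client, which is exactly the pair of symptoms the post runs into.

```python
"""Hairpin port-forward model: DNAT in PREROUTING, optional SNAT in POSTROUTING.

Added example; addresses are constructed, not the original poster's network.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed addresses (assumptions for illustration only).
GATEWAY_WAN = ip_address("203.0.113.1")      # Zentyal, public side
GATEWAY_LAN = ip_address("192.168.10.1")     # Zentyal, internal NIC
DB_SERVER = ip_address("192.168.10.20")      # middleware + Tomcat host
LAN = ip_network("192.168.10.0/24")          # the DHCP range a network object would cover
ANYWHERE = "0.0.0.0/0"                       # the default the post warns about
PORT = 8081


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def prerouting_dnat(pkt: Packet) -> Packet:
    """PREROUTING hook: rewrite the destination of forwarded port 8081 traffic.

    iptables equivalent (assumed rule, not copied from Zentyal):
      iptables -t nat -A PREROUTING -p tcp --dport 8081 -d <gateway> \
               -j DNAT --to-destination 192.168.10.20
    """
    if pkt.dport == PORT and pkt.dst in (GATEWAY_WAN, GATEWAY_LAN):
        return replace(pkt, dst=DB_SERVER)
    return pkt


def postrouting_snat(pkt: Packet, snat_cidr: Optional[str]) -> Packet:
    """POSTROUTING hook: rewrite the source to the gateway's LAN address
    for packets headed to the server whose source matches snat_cidr.

    iptables equivalent (assumed rule):
      iptables -t nat -A POSTROUTING -s <snat_cidr> -d 192.168.10.20 -p tcp \
               --dport 8081 -j SNAT --to-source 192.168.10.1
    snat_cidr=None models "rewrite source address" switched off.
    """
    if snat_cidr is None:
        return pkt
    if pkt.dst == DB_SERVER and pkt.dport == PORT and pkt.src in ip_network(snat_cidr):
        return replace(pkt, src=GATEWAY_LAN)
    return pkt


def simulate(client: str, entered_via: str, snat_cidr: Optional[str]) -> dict:
    """Run one client packet through both hooks and model the server's reply path."""
    client_ip, gw_ip = ip_address(client), ip_address(entered_via)
    out = postrouting_snat(prerouting_dnat(Packet(client_ip, gw_ip, PORT)), snat_cidr)
    seen = out.src  # the address the middleware/Tomcat logs as the peer

    # The server answers whatever source address it saw.
    if seen == GATEWAY_LAN:
        # Reply lands on the gateway; conntrack reverses SNAT, then DNAT.
        reply_src = gw_ip
    elif seen in LAN:
        # Same subnet: the server answers the client directly and the
        # gateway never sees the reply, so DNAT is never reversed.
        reply_src = DB_SERVER
    else:
        # Off-subnet client: reply follows the default route back through
        # the gateway, which reverses the DNAT.
        reply_src = GATEWAY_WAN

    return {
        "server_sees": str(seen),
        "reply_src": str(reply_src),
        # The client's TCP stack only accepts a reply from the address it dialled.
        "tcp_ok": reply_src == gw_ip,
        # Does the server still learn the client's real address?
        "real_ip_preserved": seen == client_ip,
    }


if __name__ == "__main__":
    cases = [
        ("LAN client, no SNAT", "192.168.10.55", "192.168.10.1", None),
        ("LAN client, SNAT anywhere", "192.168.10.55", "192.168.10.1", ANYWHERE),
        ("cellular client, SNAT anywhere", "198.51.100.7", "203.0.113.1", ANYWHERE),
        ("cellular client, SNAT LAN only", "198.51.100.7", "203.0.113.1", str(LAN)),
        ("LAN client, SNAT LAN only", "192.168.10.55", "192.168.10.1", str(LAN)),
    ]
    for label, client, via, cidr in cases:
        print(f"{label:32} {simulate(client, via, cidr)}")
```

The first case is the original symptom (the reply comes straight from the server, so the LAN client drops it); the third is the 18-month bug (the cellular tablet reaches the portal, but the server records the gateway's address as the peer, so anything that needs the client's real address, such as a connection back on a second port, has nothing useful to work with). Only the LAN-restricted SNAT satisfies both constraints.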