linux

How to set up PREROUTING correctly?

There are two servers A (XXX.XXX.XXX.XXX) and B (YYY.YYY.YYY.YYY), on each of them by external IP, for example, as described in the article . We need traffic to get from A(XXX.XXX.XXX.XXX) to B(YYY.YYY.YYY.YYY), for example, because A-server is filtered by security. A tunnel is created between them, on server A (tunnel IP 192.168.168.1) on server B (192.168.168.2). Next, using DNAT on server A, we redirect:
iptables -t nat -A PREROUTING -p tcp -d XXX.XXX.XXX.XXX -j DNAT --to-destination 192.168.168.2
iptables -A FORWARD -d 192.168.168.2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
On server B, write the routing rules:
ip rule add from 192.168.168.0/30 table 5
ip route add default via 192.168.168.1 table 5
Traffic successfully gets to server B, but on IP 192.168.168.2, but now we need traffic to get to IP YYY.YYY.YYY.YYY, because all the entries we need in the web server configs hang there.
I'm trying to do:
iptables -t nat -A PREROUTING -d 192.168.168.2 -p tcp -m tcp --dport 80 -j DNAT --to-destination YYY.YYY.YYY.YYY:80
But the packets don't go back. If you do on server A:
ipables -t nat -A POSTROUTING -j MASQUERADE
Then the packets will leave and arrive, but the visitor's src will naturally be replaced by 192.168.168.1, which we do not need.
There is another option on server B to do:
ip rule add from YYY.YYY.YYY.YYY/32 table 5
So it will work, but the direct connection with YYY.YYY.YYY.YYY will naturally disappear, in general this is also a bad option.
In general, it is necessary that when entering IP A (XXX.XXX.XXX.XXX) get to B (YYY.YYY.YYY.YYY)
Anyone who has encountered this, push for a more rational solution, thanks.