As the guys over at archlinux.org have not changed their minds in years, and they still try hard to be unfriendly, they sent me over to ask my question here, despite it not being ARM related. Well, I'll give it a shot and I hope you guys have an answer:
I have two Raspberry Pis running Arch Linux ARM - yeah, that's the only ARM-related thing about it. One of them is acting as a router; I set it all up using this anything-but-ARM-related Arch Wiki article: https://wiki.archlinux.org/index.php/Router. (If a mod now reads this and thinks "oh, not ARM related, close the topic", then I'm out of all this Arch thing.)
The other Pi serves some stuff which should also be accessible from the internet, e.g. a text file with the contents "TEST" through an Apache with the default configuration. Therefore I have a domain name pointing to my public IP, let's say home.example.com.
The Pi which acts as a router has the cable modem connected to eth0 and the private network on eth1. It forwards all port 80 traffic to the other Pi with Apache up and running. This is done basically by these iptables rules:
    # eth0 is the external, public interface. 192.168.0.100 is the internal IP of the Pi running Apache.
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.0.100
    iptables -A FORWARD -i eth0 -p tcp --dport 80 -d 192.168.0.100 -j ACCEPT
So I can be sure that Apache is listening. But the traffic doesn't reach the Apache-serving Pi in the fourth case, when I try to talk to Apache via its public address from the internal network. I found a couple of sources pointing me in a direction, to use the OUTPUT chain like so:
    iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination 192.168.0.100
But that does not change anything. What am I missing?
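As an added example (not from the post or the Arch wiki), this script builds the hairpin-NAT rules a router needs so that LAN clients can reach the web server through the public address; the LAN subnet 192.168.0.0/24 and the public IP 203.0.113.10 are assumed placeholders.

```shell
#!/bin/sh
# Hairpin (NAT loopback) rules for the post's setup: router with WAN on eth0,
# LAN on eth1, web server at 192.168.0.100. Assumed values are overridable
# through the environment; set IPT=echo to dry-run without root.
set -eu

WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}        # assumed LAN subnet
WEB_HOST=${WEB_HOST:-192.168.0.100}
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}      # placeholder public IP (TEST-NET-3)
IPT=${IPT:-iptables}

# Prints the iptables arguments, one rule per line. The post's OUTPUT-chain
# rule does not help because the nat OUTPUT chain only sees packets the
# router itself generates; packets from LAN hosts enter via PREROUTING on eth1.
hairpin_rules() {
    # 1. Rewrite the destination for LAN packets aimed at the public IP,
    #    mirroring the existing eth0 DNAT rule.
    echo "-t nat -A PREROUTING -i $LAN_IF -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_HOST"
    # 2. Source-NAT those flows to the router so the server's replies travel
    #    back through the router (which holds the conntrack entry) instead of
    #    going straight to the client, which would discard them as coming from
    #    the wrong address. Side effect: Apache logs the router's IP, not the
    #    client's, for these hairpinned connections.
    echo "-t nat -A POSTROUTING -s $LAN_NET -d $WEB_HOST -p tcp --dport 80 -j MASQUERADE"
    # 3. Allow the forwarded flow that enters and leaves on the LAN interface.
    echo "-A FORWARD -i $LAN_IF -o $LAN_IF -d $WEB_HOST -p tcp --dport 80 -j ACCEPT"
}

# Number of rules generated (handy for a quick sanity check).
rule_count() { hairpin_rules | wc -l | tr -d ' '; }

# Applies every rule with $IPT; needs root unless IPT=echo.
apply_hairpin_rules() {
    hairpin_rules | while read -r args; do
        # shellcheck disable=SC2086  # word splitting is intended here
        $IPT $args
    done
}

if [ "${1:-}" = apply ]; then
    apply_hairpin_rules
fi
```

Run `IPT=echo sh hairpin.sh apply` first to review the rules, then `sudo sh hairpin.sh apply` on the router.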