How is any internet connection working through the gateway without SNAT or MASQUERADE? I thought this was required for all protocols?
Basically any connection going out from an internal machine would have to be SNATed to your real internet address so the box at the other end knows the right internet (not LAN) source IP to send responses to.
The issue is that he's trying to do "one-armed" NAT. Most of us are familiar with NAT on a multi-homed system: The packets come in through one interface and get NAT'd before going out the other one. He's trying to also NAT from an interface to itself, but the reply packets aren't going through the gateway. Instead, they go direct to the originating client and confuse it.
It's still a routing issue. The routing table on the server tells it that it can send the replies direct. One solution is to run two subnets on the same LAN, with the client in one subnet and the server in the other. The gateway would have a virtual interface defined for the second subnet. This forces the server to send the replies to the gateway.
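To make the routing argument above concrete, here is a small added model (not from anyone in this thread; all addresses are constructed) of what the client sees in the one-armed case versus the two-subnet fix. It only models the server's next-hop choice and whether the reply passes back through the gateway, so the DNAT can be undone.

```python
"""Toy model of the one-armed NAT problem discussed above (constructed example)."""
import ipaddress

def route(routing_table, dst):
    """Longest-prefix match over [(network, via)] entries; via=None means on-link."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, via in routing_table:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return None if best is None else best[1]

def forwarded_reply(client_ip, service_ip, gateway_ips, server_ip, server_routes):
    """Client connects to service_ip (an address owned by the gateway), which the
    gateway DNATs to server_ip. Returns (source address the client sees on the
    reply, whether it matches the address the client connected to).
    """
    # Forward direction: gateway rewrites dst service_ip -> server_ip and records
    # the mapping; the server sees src=client_ip, dst=server_ip.
    # Reverse direction: the server answers src=server_ip, dst=client_ip and
    # consults its own routing table to pick the next hop.
    via = route(server_routes, client_ip)
    if via is not None and via in gateway_ips:
        # Reply passes back through the gateway, which undoes the DNAT.
        reply_src = service_ip
    else:
        # On-link: the reply never reaches the gateway, so the client receives
        # it from the server's real address and cannot match it to its connection.
        reply_src = server_ip
    return reply_src, reply_src == service_ip

# Case 1: client and server on the same subnet, the gateway NATs "to itself".
ONE_ARMED = dict(client_ip="192.168.1.10", service_ip="192.168.1.1",
                 gateway_ips={"192.168.1.1"}, server_ip="192.168.1.20",
                 server_routes=[("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")])

# Case 2: the fix from the thread: a second subnet for the server, with the
# gateway holding a virtual interface (192.168.2.1) in it.
TWO_SUBNETS = dict(client_ip="192.168.1.10", service_ip="192.168.1.1",
                   gateway_ips={"192.168.1.1", "192.168.2.1"}, server_ip="192.168.2.20",
                   server_routes=[("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")])

if __name__ == "__main__":
    for name, case in (("one-armed", ONE_ARMED), ("two subnets", TWO_SUBNETS)):
        src, ok = forwarded_reply(**case)
        print(f"{name}: client expects reply from {case['service_ip']}, "
              f"gets it from {src} -> {'ok' if ok else 'connection confused'}")
```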