Thank you, Aaron.
You can do source+destination NAT (aka "hairpinning") using only the iptables command, which is often installed already on most Linux boxes. This is the equivalent of having a port-forwarding TCP proxy.
Assuming your external-facing interface is eth0 and you want to forward your local TCP port 5432 to the remote IP 2.3.4.5 on port 6789, this would be:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5432 -j DNAT --to-destination 2.3.4.5:6789
iptables -t nat -A POSTROUTING -d 2.3.4.5 -o eth0 -j MASQUERADE
This looks great. Especially since I can do this on a router for a whole subnet.
This would change the src IP, too, so the donating host would appear to be the bridge user. I don't think there's a proper way around that, so maybe we could just ignore that? Would be nice if somebody who's responsible for the stats could comment on this.
Truly yours, Alice
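
The rule pair from the message above, as an added example that is not part of the original thread: a dry-run generator that validates the interface, ports and address before printing the commands. The function names (hairpin_rules, valid_port, valid_ipv4) are hypothetical, and the ip_forward line and the narrower POSTROUTING match are this example's own assumptions, not something the thread specifies.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the commands; it does not run them.
# hairpin_rules, valid_port and valid_ipv4 are hypothetical helper names.

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {
    # Only digits and dots, no trailing dot (also rules out glob characters).
    case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in '') return 1 ;; esac
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

hairpin_rules() {
    iface=$1 lport=$2 rip=$3 rport=$4
    # Reject empty names, option-like names and shell metacharacters.
    case "$iface" in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    valid_port "$lport" || { echo "bad local port: $lport" >&2; return 1; }
    valid_ipv4 "$rip"   || { echo "bad remote IP: $rip" >&2; return 1; }
    valid_port "$rport" || { echo "bad remote port: $rport" >&2; return 1; }
    # Assumption: IPv4 forwarding is not yet enabled on this host.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # DNAT rule exactly as given in the message.
    echo "iptables -t nat -A PREROUTING -i $iface -p tcp --dport $lport -j DNAT --to-destination $rip:$rport"
    # MASQUERADE rule from the message, narrowed to the forwarded TCP flow
    # (this example's choice) so other traffic to the remote IP keeps its source.
    echo "iptables -t nat -A POSTROUTING -o $iface -p tcp -d $rip --dport $rport -j MASQUERADE"
}

# Values taken from the message above.
hairpin_rules eth0 5432 2.3.4.5 6789
```

Review the printed commands, then run them as root on the forwarding host.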