As an exercise, trying to make a trivial port forward work. Eg. forward requests to 12345 to standard ssh. Starting as small a possible...

# iptables -t nat -A PREROUTING -p tcp --dport 12345 -j DNAT --to 22
# telnet localhost 12345
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
^]

Forwarding on, all policies wide open, accept. Can someone throw me a bone?

Thanks, but I had typo; I tried

--to 127.0.0.1:22
--to-port 22
--to-destination 127.0.0.1:22

Same result.

Hows about?

So.. you would have me say:

.. so I'd be forwarding _from_ *:22 -> localhost:22. But I want to forward from 12345->22.

Yeah, i brain farted, I just edited that post...
Dont mind me, long day

I cannot claim to understand it, not even entirely believe it, but the failure seems to be limited to attempts to navigate the iptables DNAT/SNAT rules on a host from within that host.

So if I have an interface with address 192.168.1.100 and make a rule to send hiport traffic to the ssh port:

That rule works great if you come in from the outside world with the command
but that indentical incantation from within the host with DNAT running on it fails. So there is something about locally sourced socket traffic that causes iptables to not do the expected. I guess we live with it..

To apply to locally source traffic you need to use the OUTPUT chain, not PREROUTING.