Originally Posted by unSpawn
"Easiest" usually means something along the lines of "don't bother me (with security and all that bullsh*t) and make it work now regardless of the consequences". I hope that's not true in your case.
Yes... easiest wasn't perhaps the best choice of words - "simplest, robust and secure" might be better.
Here's the basic network topology.
[VMWareHost] --------------------[ Host/Firewall ]-------------- Internet
192.168.2.49                      192.168.2.6 192.168.2.5 public-ip     0.0.0.0/0
I'm wanting requests to public-ip:8081 to be forwarded to VMWareHost:80 and for responses from VMWareHost to also be mapped correctly. Here's an extract of an otherwise working iptables configuration script. The script flushes iptables, writes these rules, saves and lists them.
# Set default policies for INPUT, FORWARD and OUTPUT chains
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 8081 -d 192.168.2.49 -j ACCEPT
# ALLOW internal LAN nodes to communicate with external networks...
$IPTABLES -o eth1 -A POSTROUTING -j MASQUERADE
#Also tried these alternatives without success...
#$IPTABLES -t nat -A POSTROUTING -p tcp --dport 8081 -j SNAT --to-source 192.168.2.6
#$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Route external traffic on port 8081
$IPTABLES -A PREROUTING -i eth1 -p tcp --dport 8081 -j DNAT --to-destination 192.168.2.49:80
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 8081 -j DNAT --to 192.168.2.49
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 8081 -j DNAT --to-destination 192.168.2.49:80
#$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 88 -j DNAT --to 192.168.2.49:80
After this I have pre-existing INPUT/OUTPUT filters locking down other services' ports (nothing else added for forwarding).
Saving this configuration, all attempts to hit the VHOST via the host on port 8081 time out.
I'm on RHEL (CentOS5) and have confirmed that IP forwarding is enabled in '/etc/sysctl.conf' -->
net.ipv4.ip_forward = 1
Hope this is more useful in troubleshooting.
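Added example, not the poster's script: a self-contained rule set for the forward the post describes (public-ip:8081 to 192.168.2.49:80), written so the rules can be rendered with echo before they are applied. It assumes eth1 is the Internet-facing interface, eth0 faces the 192.168.2.0/24 LAN, and the VMware host's default gateway is this firewall's LAN address; none of that is stated in the post.

```shell
#!/bin/sh
# Added example; interface names, LAN subnet and gateway layout are assumptions.
IPTABLES="${IPTABLES:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth1}"   # assumed: Internet-facing interface
LAN_IF="${LAN_IF:-eth0}"   # assumed: LAN-facing interface
LAN_NET="192.168.2.0/24"   # assumed LAN subnet
VHOST="192.168.2.49"
PUB_PORT="8081"
VHOST_PORT="80"

apply_forwarding_rules() {
    # Filter table: default-deny. Forwarded packets traverse FORWARD only,
    # so the INPUT policy never sees them.
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -P OUTPUT ACCEPT
    # Return traffic for any accepted connection, matched first.
    "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # DNAT runs in PREROUTING before FORWARD sees the packet, so FORWARD
    # must match the rewritten destination (port 80), not the public 8081.
    "$IPTABLES" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$VHOST" \
        --dport "$VHOST_PORT" -m state --state NEW -j ACCEPT
    # LAN hosts may open new connections outbound; nothing else is forwarded.
    "$IPTABLES" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" \
        -m state --state NEW -j ACCEPT
    # NAT table: PREROUTING and POSTROUTING rules need "-t nat"; without it
    # they are added to the filter table, where DNAT/MASQUERADE do not apply.
    "$IPTABLES" -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PUB_PORT" \
        -j DNAT --to-destination "$VHOST:$VHOST_PORT"
    # Replies to DNATed connections are reverse-translated by conntrack, so
    # no SNAT is needed for them; MASQUERADE covers LAN-originated traffic.
    # This only holds if the VM host routes replies back through this box.
    "$IPTABLES" -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Dry run: print the rules instead of loading them (IPTABLES=echo in a subshell).
render_rules() {
    ( IPTABLES=echo; apply_forwarding_rules )
}
```

Run render_rules to review the rule set, then apply_forwarding_rules as root after flushing both the filter and nat tables.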