Originally posted by DeadTaco
If I can get just a single computer in my office to have access in/out on port 400, that may work. We have two people that need it, but even having one would be beneficial.
So the connections are being initiated on the inside to a remote host on port 400? In that case you can, of course, open port 400 for the entire network. You need to allow port 400 in the FORWARD chain:
iptables -A FORWARD -i $IFACE_INT -p tcp --dport 400 -j ACCEPT
And you need source NAT in POSTROUTING:
iptables -t nat -A POSTROUTING -o $IFACE_EXT -s 192.168.100.0/24 -j SNAT --to $IP_EXT
Replace $IFACE_INT with the internal interface name (probably eth0 or eth1) and $IP_EXT with your external IP address.
The second rule is probably already in place (otherwise none of the workstations would have access to the outside world). If you want to keep the structure of the existing firewall script, you should put the first rule in the network1_out chain.
If what you want is people from the outside being able to contact your external IP and get redirected to 192.168.100.48 you need two rules:
Redirect $IP_EXT:400 to 192.168.100.48:400:
iptables -t nat -A PREROUTING -p tcp --dport 400 -i $IFACE_EXT -d $IP_EXT -j DNAT --to 192.168.100.48
Allow packets to flow through the firewall to 192.168.100.48:
iptables -A FORWARD -p tcp --dport 400 -d 192.168.100.48 -j ACCEPT
If you need UDP port 400 accessible, add two more rules with -p udp. Again, to follow the logic of the script, these should go in the network1_out chain.
The above will work without any other rules in place. You will need to find the right place to add them to your iptables script. The order of the rules in a chain is vital. You didn't post your nat table (iptables -t nat -nvL), so I can't tell you if there are rules in there that might interfere with these.
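As an added example that is not part of the original post, the following script assembles both cases from the answer (outbound tcp/400 from the whole LAN, and inbound tcp/udp 400 redirected to 192.168.100.48) together with the pieces they depend on: IP forwarding, a conntrack rule for return traffic, and a fixed rule order. The interface names eth1/eth0 and the external address 203.0.113.10 are assumptions; the 192.168.100.0/24 network and the host 192.168.100.48 are taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original post: the rules from the answer assembled
# into one small script together with the pieces they depend on.
# Assumptions (adjust to your box): eth1 is the LAN side, eth0 the Internet side,
# 203.0.113.10 is the external address. The LAN and the server are from the thread.
IPT="${IPT:-iptables}"                  # set IPT=echo to print rules instead of loading them
IFACE_INT="${IFACE_INT:-eth1}"          # assumed: internal interface
IFACE_EXT="${IFACE_EXT:-eth0}"          # assumed: external interface
IP_EXT="${IP_EXT:-203.0.113.10}"        # assumed: external address
LAN="${LAN:-192.168.100.0/24}"
SRV="${SRV:-192.168.100.48}"            # internal host that should receive inbound port 400
PORT="${PORT:-400}"

enable_forwarding() {
    # Without this the kernel never consults the FORWARD chain at all.
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

load_rules() {
    # Only the chains this example owns are flushed, so existing INPUT/OUTPUT
    # rules on the box are left alone.
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING
    $IPT -P FORWARD DROP

    # 1. Return traffic for connections that were already accepted. This comes
    #    first so every rule below only has to describe the first packet.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 2. Outbound case: any LAN host may open tcp/400 to the outside.
    $IPT -A FORWARD -i "$IFACE_INT" -o "$IFACE_EXT" -s "$LAN" -p tcp --dport "$PORT" -j ACCEPT

    # 3. Inbound case: $IP_EXT:400 is rewritten to $SRV:400 in PREROUTING and the
    #    rewritten packet is then allowed through FORWARD. Done for tcp and udp.
    for proto in tcp udp; do
        $IPT -t nat -A PREROUTING -i "$IFACE_EXT" -d "$IP_EXT" -p "$proto" --dport "$PORT" \
            -j DNAT --to-destination "$SRV"
        $IPT -A FORWARD -i "$IFACE_EXT" -o "$IFACE_INT" -d "$SRV" -p "$proto" --dport "$PORT" \
            -m conntrack --ctstate NEW -j ACCEPT
    done

    # 4. Source NAT for LAN traffic leaving on the external interface. POSTROUTING
    #    only knows the outgoing interface, so this must be -o, never -i.
    $IPT -t nat -A POSTROUTING -o "$IFACE_EXT" -s "$LAN" -j SNAT --to-source "$IP_EXT"
}

dump_rules() {
    # Print the rules load_rules would execute, without touching the kernel.
    ( IPT=echo; load_rules )
}

case "${1:-}" in
    apply) enable_forwarding && load_rules ;;
    show)  dump_rules ;;
esac
```

Run it with `show` to print the rules in the order they would be loaded, and with `apply` (as root) to load them; afterwards `iptables -nvL FORWARD` and `iptables -t nat -nvL` show the packet counters climbing on the port-400 rules when a connection is made, which is the quickest way to tell whether an existing rule earlier in the chain is swallowing the traffic first.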