also, just to add to peter_robb's post, don't forget your FORWARD rules, since your FORWARD policy is (hopefully) set to DROP... example:
Code:
iptables -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 2323 \
-j DNAT --to-destination 192.168.1.100:2324
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE --dport 2324 \
-d 192.168.1.100 -m state --state NEW -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
or if you don't wanna do stateful packet filtering:
Code:
iptables -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 2323 \
-j DNAT --to-destination 192.168.1.100:2324
iptables -A FORWARD -p TCP -i $LAN_IFACE -o $WAN_IFACE --sport 2324 \
-s 192.168.1.100 -j ACCEPT
iptables -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE --dport 2324 \
-d 192.168.1.100 -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
remember to substitute $WAN_IFACE and $LAN_IFACE for your external and internal interface names respectively...
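
Added example, not part of the original post: a small audit that reads `iptables-save` output and lists DNAT targets that have no FORWARD ACCEPT rule while the FORWARD policy is DROP. Because DNAT happens in PREROUTING, the FORWARD rule has to match the translated address and port (2324 above, not 2323). The sample ruleset, the `eth0`/`eth1` names and the second forward (8080 to 192.168.1.101:80) are constructed for illustration.

```python
import shlex

# Constructed iptables-save output: the second FORWARD rule wrongly matches
# the pre-DNAT port (8080) instead of the translated port (80).
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 2323 -j DNAT --to-destination 192.168.1.100:2324
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.101:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.100/32 -i eth0 -o eth1 -p tcp -m state --state NEW -m tcp --dport 2324 -j ACCEPT
-A FORWARD -d 192.168.1.101/32 -i eth0 -o eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
"""

def opt(tokens, flag):
    """Return the value following flag in a rule's token list, or None."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def unforwarded_dnat(save_text):
    """Return (ip, port) DNAT targets lacking a FORWARD ACCEPT; [] if policy is not DROP."""
    # Simplification: only FORWARD rules naming both -d (single host) and
    # --dport are counted; subnet, multiport and broad accepts are ignored.
    table, policy, dnat, accepts = None, None, [], set()
    for line in save_text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif table == "filter" and line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif line.startswith("-A "):
            t = shlex.split(line)
            target = opt(t, "-j")
            if table == "nat" and t[1] == "PREROUTING" and target == "DNAT":
                ip, _, port = opt(t, "--to-destination").partition(":")
                dnat.append((ip, port or opt(t, "--dport")))
            elif table == "filter" and t[1] == "FORWARD" and target == "ACCEPT":
                dst, dport = opt(t, "-d"), opt(t, "--dport")
                if dst and dport:
                    accepts.add((dst.split("/")[0], dport))
    return [d for d in dnat if d not in accepts] if policy == "DROP" else []

if __name__ == "__main__":
    print(unforwarded_dnat(SAMPLE))
```

On a live box the input would come from `iptables-save` run as root instead of `SAMPLE`.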