Old 07-05-2006, 07:33 PM   #1
arew264
Member
 
Registered: Jul 2005
Distribution: Arch Linux / Debian Etch (soon) / have tried many others
Posts: 94

Rep: Reputation: 15
Use IPTables to change port?


I have the problem that I would like to play starcraft on battle.net with multiple computers at once. The simple way to do this would be to get all the computers on different ports so they don't conflict, but Blizzard has dropped this capability.

EDIT: Description of Starcraft Comm.
It is possible to have starcraft communicate on any port, and this functionality is present in a similar game using the same system, Warcraft III.
Default port: 6112
Protocol: UDP
The trick comes from the fact that Starcraft, once a game is initiated, doesn't use a server. The clients connect to each other. This can cause problems when you have two clients in the same game behind a NAT firewall on the same port. People have gotten through that by using a different port, however.

On the linux side, what I want to do is take all outgoing traffic on port 6112 and change the destination port depending on the ip address, and to the reverse for incoming packets.
Ex.
packet from 192.168.1.153 to battle.net:6112 -> packet from linux box to battle.net:6112

packet from battle.net to linux box:18153 -> packet to 192.168.1.153:6112

I know this is possible through NAT, but don't understand enough of IP Tables to get it to work.

Anyone that would know what it would take to get this to work?
I'll be reading how-to's for iptables

EDIT:
One thing that should be noted is that my linux box, while it has two ethernet interfaces, is not a router. It is connected to my network with two cables. I use static IPs on everything, so my plot is to set the gateway on the windows boxes that need ports changed to 192.168.1.200 (eth1 on the linux box) and have it send them to the router on eth0. This should work so long as I set up port forwarding for the ports I am using (my syntax is to use ports 18xxx with the x's being the last octave of the ip address, ex. 192.168.1.151 -> 18151)

From what I have read, I need to do this:

iptables -A PREROUTING -t nat -j DNAT -p udp --dport 18153 --to-destination 192.168.1.153:6112
iptables -A PREROUTING -t nat -j DNAT -p udp -s 192.168.1.153 --dport 6112 --to-destination uswest.battle.net:18153

Along with some baseline getting-stuff-to-work-that's-already-there stuff:
Baseline NAT:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
ssh:
iptables -A INPUT -p TCP --dport 22 -j ACCEPT
http:
iptables -A INPUT -p TCP --dport 80 -j ACCEPT

EDIT AGAIN:
Just tried this, and it definitely didn't work. The windows box with 192.168.1.200 set as the gateway couldn't connect to anything except the linux server. Found this firewall script that someone posted up here; here is my customization of it, but I really have no idea what I'm doing.

################################################################################
#!/bin/sh
echo "0" > /proc/sys/net/ipv4/ip_forward

#-----------------------------------------------------------------
# Flushing the chains.
iptables -F
iptables -t nat -F
iptables -X
iptables -Z # zero all counters

#-----------------------------------------------------------------
# Policy for chains DROP everything
# Note: Turning this on, causes: "ping: sendto: operation not permitted" bug
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow local device traffic
iptables -A OUTPUT -p ALL -o lo -j ACCEPT
iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT
iptables -A INPUT -p ALL -i eth0 -j DROP

#SSH Service
iptables -A INPUT -p TCP --dport 22 -i eth0 -j ACCEPT
iptables -A INPUT -p TCP --dport 22 -i eth1 -j ACCEPT

#HTTP Service
iptables -A INPUT -p TCP --dport 80 -i eth0 -j ACCEPT
iptables -A INPUT -p TCP --dport 80 -i eth1 -j ACCEPT

#Starcraft?
iptables -t nat -A PREROUTING -p udp -d uswest.battle.net --dport 6112 -s 192.168.1.153 -i eth1 -j DNAT --to uswest.battle.net:18153
#note: uswest.battle.net is included to show what I'm doing and will be changed to an ip.
iptables -t nat -A PREROUTING -p udp -d useast.battle.net --dport 6112 -s 192.168.1.153 -i eth1 -j DNAT --to useast.battle.net:18153
# and now the reverse for incoming packets -- much less specific
# because computers on the local network need to be able to communicate
# as well
iptables -t nat -A PREROUTING -p udp --dport 18153 -j DNAT --to 192.168.1.153:6112

# NAT Stuff
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Accept anything from the inside. (needed for DHCP)
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

# Forward Packets (needed to ping outside networks)
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT

# Some Logging
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# We would like to ask for names from our box
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# And, some attempt to get interactive sessions a bit more interactive under load:
iptables -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp -j TOS --set-tos Minimize-Delay
iptables -A PREROUTING -t mangle -p tcp --sport ftp-data -j TOS --set-tos Maximize-Throughput

# Keep state.
iptables -A FORWARD -m state --state NEW -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i eth0 -j DROP
#-----------------------------------------------------------------

echo 7 > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
################################################################################

This appears to work, and allows the client machines to access the internet through the linux box (YES!!!!!), but I haven't gotten the chance to see if it resolves the port problem yet. The current problem is that the linux box can't access the internet, and as it serves as a desktop workstation for me, I need it to... I'll prolly figure it out...

Last edited by arew264; 07-05-2006 at 09:36 PM.
 
Old 07-06-2006, 05:33 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 60
Code:
iptables -A INPUT -p ALL -i eth0 -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Above are two lines from your script (omitting a bunch of stuff between them). The first line will cause everything coming from eth0 to be dropped. If eth0 is your connection to the Internet, this means that while you may send packets out to I-net, you won't ever get anything back! The second line is designed to accept packets on connections you originated, but with the first line in place, packets from eth0 will never get that far. I think you want to get rid of that first line. (The policy is to DROP, so anything that isn't explicitly ACCEPTed will be DROPed anyway.)
 
Old 07-06-2006, 10:21 AM   #3
arew264
Member
 
Registered: Jul 2005
Distribution: Arch Linux / Debian Etch (soon) / have tried many others
Posts: 94

Original Poster
Rep: Reputation: 15
Hrmmm

Well, I don't know how it was working before (or if I interpreted something wrong) but now I am trying to get on the internet with eth1 set as the gateway, and connections are simply timing out. I think that since I am already behind a firewall router, I will simply change the forward policy to allow and hope that does it, otherwise I'll have to dig deeper.

EDIT: didn't have to change that. Under the forward packets heading, I added:
iptables -A FORWARD -o eth0 -j ACCEPT

Pretty sure this does what I want it to do... output to eth0...

Last edited by arew264; 07-06-2006 at 10:25 AM.
 
Old 07-06-2006, 01:53 PM   #4
arew264
Member
 
Registered: Jul 2005
Distribution: Arch Linux / Debian Etch (soon) / have tried many others
Posts: 94

Original Poster
Rep: Reputation: 15
Now I hit the snag. What I have so far changes the port when I connect to battle.net, but I need to do this for any host the client machines connect to, as the clients in a game communicate directly.
In simple terms, I need to change the port of all outgoing traffic depending on the ip.
EX:
packet to gameplayer:6112 from 192.168.1.153 -> packet to gameplayer:18153 from myserver(NAT)
One would think it would be something like:
iptables -A PREROUTING -t nat -p udp -s 192.168.1.153 --dport 6112 -d $IHOST -j DNAT --to $IHOST:18153

However, iptables gives me a bad option error for the DNAT and the --to, so something needs to change here. Any clues?

Last edited by arew264; 07-06-2006 at 02:12 PM.
 
Old 07-06-2006, 02:20 PM   #5
arew264
Member
 
Registered: Jul 2005
Distribution: Arch Linux / Debian Etch (soon) / have tried many others
Posts: 94

Original Poster
Rep: Reputation: 15
Well, I found where someone had used this:
iptables -t nat -A PREROUTING -p tcp -d VIP --dport 80 -j DNAT --to VIP:8080
Looks like, with a few tweaks, It would do what I want:
iptables -t nat -A PREROUTING -p udp -d IHOST --dport 6112 -s 192.168.1.153 -j DNAT --to IHOST:18153

Ima go try that...
 
Old 07-06-2006, 02:24 PM   #6
arew264
Member
 
Registered: Jul 2005
Distribution: Arch Linux / Debian Etch (soon) / have tried many others
Posts: 94

Original Poster
Rep: Reputation: 15
had to change it to
iptables -t nat -A PREROUTING -p udp -d $IHOST --dport 6112 -s 192.168.1.153 -j DNAT --to $IHOST:18153

apparently that's how iptables gets variables...
giving me a bad argument error on 6112. I'm really desperate right now. Hope someone knows what to do.
 
Old 07-06-2006, 10:04 PM   #7
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 60
I am still trying to figure out how your system is configured and whether you have this Linux box, and everything else on your LAN connecting to the Internet and to each other satisfactorily.

I believe your setup is:

Internet <-> router <-> linux box (eth0)

and that eth1 on your linux box connects to a hub, which connects to the rest of the LAN.

Is this correct?
And can all of your boxes (including Linux) now connect to the Internet and talk to each other?

If I have this correct, could you post your current iptables script and what problems you are having with it?

Once your game has the machines talking directly to each other, are these packets going out to (and coming back from) the Internet, or do they stay entirely within your LAN? If they are going out to the Internet, I think you are going to have to set up port forwarding on your router (if that diagram of mine was correct).

I believe the error you report in post #6 is because IHOST is not defined. (When I defined IHOST and ran your command there was no error. When I undefined IHOST and tried again, I got the error you report.)

I'll look for your posting the info I asked for.

Last edited by blackhole54; 07-06-2006 at 10:06 PM.
 
Old 07-07-2006, 12:03 AM   #8
arew264
Member
 
Registered: Jul 2005
Distribution: Arch Linux / Debian Etch (soon) / have tried many others
Posts: 94

Original Poster
Rep: Reputation: 15
Well, I just found a script to set it up and some other tips on a starcraft website, and I have to wait until the morning to test it (my friend with an internet ip already went to bed), so I don't know if it works right now. However, here is the layout of my network:

                                        <->(empty)
                                        <->Client
                                        <->Server(Eth1)
router<->built-in 4 port switch<->switch<->Server(Eth0)
                               <->client
                               <->client
                               <->switch
                                        <->(empty)
                                        <->(empty)
                                        <->client
                                        <->client

My end plot is to set eth1 as the gateway on the clients, and rig up NAT on the linux box, so that if I have the firewall set up right, everything will come from the linux box to the router. Yes, I do have to set up port forwarding because the incoming data is coming from the router to the linux box. My script is very long by now, so tomorrow I will post it up after I test it and try to trim it down (lotta commented out lines in there), because I think that it'll probably be useless if I haven't found something wrong with it.

With any luck it'll be working when I post back, but I'll find that out tomorrow.
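The following is an added example and not a script from this thread or from either poster. It generates (prints, rather than runs) an iptables rule set for the layout described above: the Linux box with eth0 toward the router and eth1 toward the clients, each client's UDP game traffic mapped to its own external port 18xxx using the last-octet scheme from post #1, with the rules ordered so that the ESTABLISHED,RELATED accept precedes any drop (the first-match point made in post #2). Everything not in the thread is an assumption: the box's eth0 address (WAN_IP, a constructed placeholder), the sample client list, and that a client sends its game packets from the same UDP port it listens on. The router in front still has to forward each 18xxx/udp port to the Linux box, as post #7 notes.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints an iptables rule set that
# gives each LAN client its own external UDP port 18xxx (xxx = last octet of
# the client address) for game port 6112, on a box with eth0 toward the
# router and eth1 toward the clients.
# Assumptions (not from the thread): WAN_IP is a constructed placeholder for
# the box's eth0 address; CLIENTS is a constructed sample list; clients send
# game packets from the same UDP port they listen on (GAME_PORT).
# Usage: sh nat-rules.sh print            (review the commands first)
#        sh nat-rules.sh print | sudo sh  (apply them)

WAN_IF=eth0
LAN_IF=eth1
WAN_IP=192.168.1.250                    # constructed placeholder
GAME_PORT=6112
CLIENTS="192.168.1.151 192.168.1.153"   # constructed sample client list

# port_for_ip: map 192.168.1.153 -> 18153 (18000 + last octet).
port_for_ip() {
    last=${1##*.}
    echo $((18000 + last))
}

# rules_for_client: the three rules one client needs.
#  1. SNAT rewrites the *source* port of the client's outgoing game packets
#     (the thread's DNAT attempts rewrite the destination port, i.e. the port
#     the remote peer listens on). conntrack then maps replies addressed to
#     WAN_IP:18xxx back to client:6112 on its own.
#  2. DNAT covers unsolicited packets from new peers arriving on 18xxx.
#  3. FORWARD sees the packet after DNAT, so it accepts the translated
#     destination client:6112, not the external port.
rules_for_client() {
    ip=$1
    port=$(port_for_ip "$ip")
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -p udp -s $ip --sport $GAME_PORT -j SNAT --to-source $WAN_IP:$port"
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p udp --dport $port -j DNAT --to-destination $ip:$GAME_PORT"
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p udp -d $ip --dport $GAME_PORT -j ACCEPT"
}

# generate_rules: the full rule set. Order matters because the first matching
# rule wins: the ESTABLISHED,RELATED accepts come before anything that could
# drop return traffic on eth0, and the per-client SNAT rules come before the
# catch-all MASQUERADE (which would otherwise pick a random source port).
generate_rules() {
    echo "iptables -F; iptables -t nat -F; iptables -X"
    echo "iptables -P INPUT DROP; iptables -P OUTPUT ACCEPT; iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
    for c in $CLIENTS; do
        rules_for_client "$c"
    done
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE"
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

if [ "${1:-}" = "print" ]; then
    generate_rules
fi
```

Printing the commands instead of executing them lets the rule order be checked with plain text tools before anything touches the live firewall; once the clients are added to CLIENTS the same per-client mapping extends to any number of machines without editing rules by hand.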
 