Adding to what almatic said, when setting the DNAT in PREROUTING, the only reason why you would NOT need to make a respective FORWARD rule would be if your FORWARD chain is already set to forward these packets. So ideally, you want to have things set so that you definitely *need* to make a respective FORWARD rule(s) for your DNAT(s). Using BitTorrent as an example, we could say that this:
Code:
iptables -t nat -A PREROUTING -p TCP -i $WAN_IFACE --dport 6881:6999 -j DNAT \
--to-destination 192.168.1.112
Should *hopefully* require a rule like this in order to work:
Code:
iptables -A FORWARD -p TCP -i $WAN_IFACE -o $LAN_IFACE -d 192.168.1.112 \
--dport 6881:6999 -m state --state NEW -j ACCEPT
If not, then it's likely your FORWARD chain wasn't reasonably tight.
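The point above, as an added example that is not part of the original post: a small POSIX shell script that first makes the FORWARD chain default-DROP (so a DNAT on its own forwards nothing) and then emits each port forward as a DNAT plus its matching FORWARD accept. The interface names, the `IPT` dry-run variable, and the helper function names are assumptions for this example; it uses `-m conntrack --ctstate` rather than the older `-m state --state` from the post, which is the equivalent match on current kernels.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# IPT defaults to a dry run that only prints the commands; run with
# IPT=iptables (as root) to apply them.
IPT=${IPT:-"echo iptables"}

# Interface names are assumptions for this example.
WAN_IFACE=${WAN_IFACE:-eth0}
LAN_IFACE=${LAN_IFACE:-eth1}

# Tight baseline: forwarded traffic is dropped unless a rule accepts it.
# Replies to already-accepted connections are allowed, invalid packets dropped,
# so the only way a DNAT'd flow gets through is an explicit NEW rule below.
base_forward_policy() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
}

# add_port_forward PROTO PORTS DEST
# Emits the DNAT in nat/PREROUTING and the FORWARD accept it needs, scoped to
# the WAN->LAN direction, the destination host, the port range and NEW state.
add_port_forward() {
    proto=$1; ports=$2; dest=$3
    $IPT -t nat -A PREROUTING -p "$proto" -i "$WAN_IFACE" --dport "$ports" \
        -j DNAT --to-destination "$dest"
    $IPT -A FORWARD -p "$proto" -i "$WAN_IFACE" -o "$LAN_IFACE" -d "$dest" \
        --dport "$ports" -m conntrack --ctstate NEW -j ACCEPT
}

# Sanity check usable in dry-run mode: every DNAT line must be paired with
# exactly one FORWARD line. Returns 0 when the pairing holds.
check_pairing() {
    out=$(add_port_forward "$@")
    dnat=$(printf '%s\n' "$out" | grep -c -- '-j DNAT')
    fwd=$(printf '%s\n' "$out" | grep -c -- '-A FORWARD')
    [ "$dnat" -eq 1 ] && [ "$fwd" -eq 1 ]
}

# Usage: the BitTorrent forward from the post (constructed example values).
base_forward_policy
add_port_forward tcp 6881:6999 192.168.1.112
```

Run it as-is to see the commands it would issue; only after reviewing them set `IPT=iptables`. Because the FORWARD policy is DROP, removing the second rule of `add_port_forward` makes the DNAT'd traffic stop, which is exactly the "you definitely need the FORWARD rule" behaviour the post recommends.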