Hi
I'm not sure if I understood your issue.
In any case, maybe I already implemented something similar to what you wish to have.
In my case things looked like this:
1) a physical host connected to the Internet with the IP 111.222.111.222.
2) multiple VMs hosted on that physical host, each responsible for specific services, e.g. web (192.168.0.123), email (192.168.0.124), monitoring (192.168.0....), honeypots, bleeding-edge stuff, etc.
3) VMs having only internal IPs like 192.168.0.11 (web-vm), 192.168.0.12 (mail-vm), etc. (therefore disconnected from the Internet).
Requirements:
1) I wanted to route, e.g., anybody that accessed my external IP 111.222.111.222 on port 80 to the VM responsible for my web service.
On the host my iptables configuration for this is:
Code:
#Rewrite the destination of TCP port 80 arriving on the external interface to the web VM
#(the FORWARD chain must also accept it, see the rules below)
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.123:80
Btw., before that single rule I have:
Code:
#Interface names used below (assumed from the rest of this config: eth0 faces the Internet, br0 is the VM bridge)
WAN=eth0
LAN=br0
#Allow forwarding of established connections
iptables -I FORWARD 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#Basic forwarding rules
#VMs may open connections out; packets from the WAN that already carry a VM address
#as destination (i.e. that were DNATed in PREROUTING) are accepted on any port
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/16 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/16 -j ACCEPT
#Masquerade VM traffic leaving via the external interface; no NAT on the bridge
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o br0 -j ACCEPT
iptables -t nat -A OUTPUT -o br0 -j ACCEPT
#Tell the kernel that ip forwarding is OK
#IPv4
echo 1 > /proc/sys/net/ipv4/ip_forward
#Strict reverse-path filtering on every interface (drops packets whose source would not be routed back the way they came in)
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > "$f" ; done
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
#IPv6
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
############Start-Port forwarding
#List these rules with "iptables -t nat --list"
#Allow the host to connect to any VM on any port
iptables -A OUTPUT -o br0 -d 192.168.0.0/16 -m conntrack --ctstate NEW -j ACCEPT
Beware:
the behaviour of iptables changed some versions ago - this config should definitely work for iptables versions 1.4.16.3 or higher.
Cheers!
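As an added example (not part of the post above), the same port forward written so that the FORWARD chain admits only the DNATed port on the target VM, rather than everything from the WAN addressed to 192.168.0.0/16. It assumes, like the post, that eth0 faces the Internet and br0 is the VM bridge; `IPT` defaults to a dry run that prints the rules instead of applying them.

```sh
#!/bin/sh
# Added example, not from the original post. Forward one external port to one VM
# with a FORWARD rule that accepts only that DNATed port. The FORWARD chain sees the
# packet after the PREROUTING DNAT, so the match is on the VM address and VM port,
# not on the public port.
# Assumed interface names (as in the post): eth0 faces the Internet, br0 is the VM bridge.
WAN=${WAN:-eth0}
LAN=${LAN:-br0}
# Dry run by default: "echo iptables" prints the rules; run with IPT=iptables to apply them.
IPT=${IPT:-echo iptables}

# forward_port PROTO EXTPORT VM_IP [VMPORT]  -> emits the DNAT + FORWARD rule pair
forward_port() {
    proto=$1; extport=$2; vm=$3; vmport=${4:-$2}
    case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    for p in "$extport" "$vmport"; do
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then echo "bad port: $p" >&2; return 1; fi
    done
    # DNAT only on the WAN interface, then accept only this protocol/VM/port in FORWARD.
    $IPT -t nat -A PREROUTING -i "$WAN" -p "$proto" --dport "$extport" \
        -j DNAT --to-destination "$vm:$vmport"
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p "$proto" -d "$vm" --dport "$vmport" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Constructed sample usage: the web VM and mail VM addresses from the post.
forward_port tcp 80 192.168.0.123
forward_port tcp 25 192.168.0.124
```

The RELATED,ESTABLISHED rule from the post still has to sit first in FORWARD so reply packets pass.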