Finally got it fixed and realized there was a command that I was missing, so I'll list the 3 commands that forward which had me stumped. While I'm at it I'll list what each one does 'cause I don't think I've seen that posted here yet. Oh yeah, eth0 is my LAN NIC and eth1 is my internet NIC.
iptables -t nat -A PREROUTING -i eth1 -p TCP -d <internet IP> --dport 25 -j DNAT --to 10.1.1.2:25
The -t nat says to look in the table nat, the -A PREROUTING says to add to the PREROUTING chain in the nat table, the -i eth1 says to watch your internet NIC for incoming packets with TCP protocol (-p TCP) that are directed to your internet IP (-d <INET IP>) with the destination port 25 (--dport 25), and if something matches all these criteria, jump to DNAT (-j DNAT) and change the packet's destination IP to 10.1.1.25 and the destination port to 25 (--to 10.1.1.2:25). Now with the -j DNAT we jump to this:
iptables -A FORWARD -i eth1 -o eth0 -p TCP -d 10.1.1.2 --dport 25 -j ACCEPT
The -A FORWARD says to add this to the FORWARD chain in the default table 'filter' (since there's no -t, filter is the default table), and now anything incoming to eth1 (-i eth1) over TCP protocol (-p TCP) with the destination IP of 10.1.1.2 (remember we changed the destination IP in the previous command?) (-d 10.1.1.25) and destined for port 25 (--dport 25) will be accepted (-j ACCEPT) and output on eth0 (-o eth0).
Now this completes port forwarding to port 25, but you still need this next command for output.
iptables -t nat -A POSTROUTING -o eth0 -s 10.1.1.0/8 -j SNAT --to-source <INET IP>
In table nat (-t nat), add to the POSTROUTING chain (-A POSTROUTING), look for outgoing packets on eth0 with the source address of 10.1.1.0/8 (-s 10.1.1.0/8) (this needs some explaining, which I'll explain below), jump to SNAT (-j SNAT) and change the source IP of the packet to your INET IP (--to-source <INET IP>). What this does is change the source IP so that when someone on the internet tries to reply to you they aren't trying to reply to your LAN IP address, which would be invalid to them.
OK, now for the 10.1.1.0/8. The /# just means to verify the first # bits of the IP. The first octet (10.) in this case is the first 8 bits, the first and second octets here (10.1.) are the first 16 bits, the first, second and third octets (10.1.1.) are the first 24 bits, and if you want to match the entire IP it's the first 32 bits. Pretty simple, huh?
Well, I figured I'd post this to hopefully help someone out who runs into the problem. Though I know there've been a lot of posts out there about it, too many don't have answers, or have answers that aren't all that useful in your particular case. Plus who knows, knowing myself I'll probably forget and have to refer back here.
Here are a couple of sites I found that were useful that I haven't seen posted before:
http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html
This one has a lot of useful links, including the following one, which is great for understanding the concept and how the predefined tables work:
http://www.knowplace.org/netfilter/
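
Added example, not part of the original post: a POSIX shell sketch of the /# prefix comparison described above, showing which source addresses a rule written with -s 10.1.1.0/8 covers compared with /16, /24 and /32. The function names (ip_to_int, prefix_mask, cidr_match, cidr_network) and the sample addresses are made up for illustration.

```shell
#!/bin/sh
# Added example: compare only the first N bits of an address, as a /N prefix does.

# ip_to_int A.B.C.D -> prints the address as one 32-bit number
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -f; set -- $1; set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*|0[0-9]*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask BITS -> prints the 32-bit mask with the first BITS bits set
prefix_mask() {
    case $1 in ''|*[!0-9]*|0[0-9]*|???*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# cidr_match IP NET/BITS -> exit 0 on match, 1 on no match, 2 on bad input
cidr_match() {
    ip_int=$(ip_to_int "$1") || return 2
    net_int=$(ip_to_int "${2%/*}") || return 2
    mask=$(prefix_mask "${2#*/}") || return 2
    [ $(( ip_int & mask )) -eq $(( net_int & mask )) ]
}

# cidr_network NET/BITS -> prints the range the prefix really covers, e.g. 10.0.0.0/8
cidr_network() {
    net_int=$(ip_to_int "${1%/*}") || return 2
    mask=$(prefix_mask "${1#*/}") || return 2
    n=$(( net_int & mask ))
    echo "$(( n >> 24 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))/${1#*/}"
}

# Constructed sample addresses checked against the prefix lengths from the post
for cidr in 10.1.1.0/8 10.1.1.0/16 10.1.1.0/24 10.1.1.2/32; do
    echo "$cidr covers $(cidr_network "$cidr"):"
    for ip in 10.1.1.2 10.1.9.9 10.200.3.4 192.168.1.5; do
        if cidr_match "$ip" "$cidr"; then r=match; else r="no match"; fi
        echo "  $ip -> $r"
    done
done
```

With /8 only the leading 10. is compared, so the rule covers every 10.x.x.x source; a LAN that is only 10.1.1.x is described exactly by 10.1.1.0/24.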