The man page is not very clear to me on howto do POSTROUTING of port to some internal machines. What I am trying to do is port forward 2090 to some of my intranet machines. Man page says this

DNAT
--to-destination ipaddr[-ipaddr][ort-port

could someone be able to show me the correct way to write
this. This is what I have and it works for one machine only.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2090 -j DNAT --to-destination 192.168.1.2:2090

man page says this, but I recieved an error about the first ip.
iptables -t nat -A POSTROUTING -i eth0 -p tcp --dport 2090 -j DNAT --to-destination 192.168.1.2 -192.168.1.3:2090


I tried this and it has no errors but it don't work.

iptables -t nat -A POSTROUTING -i eth0 -p tcp --dport 2090 -j DNAT --to-destination 192.168.1.2-192.168.1.3:2090

help will be !!!

I don't see how this can be possible

if you give a range of ports it should work

192.168.1.2-192.168.1.3:2090-2091



basically I know what you are trying to do. If a server requires a certain port to make a connection on, you can only have one connection to it per ip address.

Your first rule is correct...
DNAT will go to one machine...
using the PREROUTING chain, notice the 'PRE'...

The other two rules are "POSTROUTING" for packets leaving the box... notice the 'POST'... DNAT doesn't work in this chain.

What are you trying to achieve?

you don't need multiport
just add PREROUTING entryies for every ip but I doubt it will work fine, ususaly thing are done so that you map different port at server for each client (but your software need to have option to alter ports) ie
2029 get routed to 192.168.1.10:2028
2030 gets routed to 192.168.1.10.2028
and so on

peter_robb you are right, I have them right in my scvript. I just placed them wrong here, sorry.

I figured that adding this line would enable the port open for all machines on the network.

iptables -A INPUT -p tcp -syn --destination-port 2090 -j ACCEPT

but hey I don't have to open port 21 to ftp fron ie whats up here?