Hi, I have a DSL router that has a public IP 1.2.3.4 and it nat to a subnet 10.0.0.x, and under this net there's a slack 12.1 server (configured as DMZ) with two eths, eth0: 10.0.0.253 linked to router lan and eth1: 192.168.1.254, linked to another subnet (the real local lan whith some PCs).
The slack server is configured to nat subnet 192.168.1.254, to allow PCs browsing.
Now I had to forward a port from ext public IP (ex. port 8080) to an application server that is on the lan 192.168.1.x, and this machine has IP 192.168.1.10 (and the destionation port is for example port 23)
I used this script, but it doesn't work, have someone some suggestions on it? Thanks in advance!

#!/bin/sh
# setting vars
IPTABLES="/usr/sbin/iptables"
IP0=`10.0.0.253`
IP1=`192.168.1.254`
INTIP='192.168.1.10'
echo "1" > /proc/sys/net/ipv4/ip_forward

# startup rules
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# forward the traffic from the local network (MASQ)
$IPTABLES -t nat -A POSTROUTING -o eth0 -s $LRN/24 -d 0/0 -j MASQUERADE

# forward specified port
$IPTABLES -t filter -A INPUT -i eth0 -p tcp -d $IP0 --dport 8080 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -d $IP0 --dport 8080 -j DNAT --to $INTIP:23
$IPTABLES -A FORWARD -i eth0 -p tcp -d $INTIP --dport 23 -j ACCEPT

hi,

not too clear. on which machine did you put the script? eth 1 router or the DMZ slack?
'if' this script was on the router,
and assuming eth0 is internet-facing NIC, then
you dont need -d $IP0 - it will go nowhere since the incoming interface (internet) only know 1.2.3.4, and that -d $IP0 represents private address which is not internet-routable.

and, a bit complicated - but you should do a double DNAT which are 1 for the 1 router pointing to DMZ slack, and 1 for the DMZ slack pointing to internal server.

HTH.

Thanks rossonieri#1 for answer,
I'm on the slack server and I just found the answer: the unix server on the lan 192.68.1.x (I don't have a login on it...) has no default gateway (In fact I saw packets on two eths with tcpdump correctly formed...).
The two rules:
are correct and now all rocks; I hope may be useful for someone.