There exist a lot of iptables tutorials on the net; simply search for "linux iptables tutorial" or "linux iptables how-to". This is a very bare-bones summary:
The iptables system has several groups or "tables" that apply traffic control at different points of the network system. The main ones are *nat, *filter and *mangle. The rules for controlling access should be in the *filter table; rules for changing packet content are added in the *mangle table, and rules that redirect packets (changing source/destination addresses or ports) should be in the *nat table.
Each table has several rule lists or "subroutines" named "chains" ("chains of rules") for logically grouping where and when to apply the rules. For example, the *filter table has the chains INPUT, OUTPUT and FORWARD for controlling packets arriving at this host, exiting to other hosts or only passing through.
The rules in any chain are processed in order of appearance. To simplify and organize the logical arrangement of rules you can create more chains (like the chains DOCKER, SYSNAT, etc. in your config).
Each rule stored in a table/chain has a selector section to indicate the values of the packet to be checked and a target section to specify the action taken if the packet data matches the selector. For example, this command APPENDS (-A) a rule in the filter/INPUT chain that checks if the arriving packet has the protocol TCP port 22 (ssh) and accepts it:
Code:
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
The active list of rules can be obtained using the command iptables-save, saved to a file using iptables-save > filename, and restored (as you already know) with the opposite command iptables-restore < filename.
So the rules you need should be in the *nat section, which has two main chains: PREROUTING and POSTROUTING. As you need to change the destination of packets BEFORE sending them where they must go, the rules should be in the PREROUTING chain.
In your case we already know the table/chain; the selector must be the arriving data 192.168.0.7 port 443 (HTTPS, this protocol is encapsulated in TCP). The target should be to change the destination address and port. So, in the *nat section you should add:
Code:
*nat
:
-A PREROUTING -d 192.168.0.7 -p tcp --dport 443 -j DNAT --to-destination 192.168.0.202:443
I recommend reading the local documentation using man iptables to check the meaning of the options and how to specify them.
Good luck.
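An added example, not part of the original post: a small Python check to run over a rules file before handing it to iptables-restore, which flags malformed -s/-d/--to-destination addresses and DNAT rules placed outside the *nat table or its PREROUTING/OUTPUT chains. The function names and the sample ruleset are constructed for illustration, and only the addr[-addr][:port] form of --to-destination is assumed.

```python
import ipaddress
import shlex

def bad_addr(value):
    """True if value is not a valid IPv4 address or network (addr/mask)."""
    try:
        ipaddress.IPv4Network(value, strict=False)
        return False
    except ValueError:
        return True

def lint_ruleset(text):
    """Return (line_no, message) findings for an iptables-save style ruleset."""
    findings, table = [], None
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line.startswith("*"):            # "*nat", "*filter": table section
            table = line[1:]
        if not line.startswith("-A "):      # only appended rules are checked
            continue
        tok = shlex.split(line)
        chain = tok[1]
        opts = dict(zip(tok[2:], tok[3:]))  # each token -> the token after it
        for flag in ("-s", "-d"):
            if flag in opts and bad_addr(opts[flag]):
                findings.append((no, f"{flag} {opts[flag]}: invalid IPv4 address"))
        if opts.get("-j") != "DNAT":
            continue
        if table != "nat":
            findings.append((no, f"DNAT in table {table}: only valid in nat"))
        elif chain in ("INPUT", "POSTROUTING"):   # built-in nat chains without DNAT
            findings.append((no, f"DNAT in nat/{chain}: use PREROUTING or OUTPUT"))
        # Assumption: --to-destination has the form addr[-addr][:port].
        host = opts.get("--to-destination", "").split(":")[0]
        if any(bad_addr(part) for part in host.split("-")):
            findings.append((no, f"--to-destination {host!r}: invalid address"))
    return findings

# Constructed sample ruleset (not from a real host).
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 192.168.2.0.7 -p tcp --dport 443 -j DNAT --to-destination 192.168.0.202:443
-A PREROUTING -d 192.168.0.7/32 -p tcp --dport 443 -j DNAT --to-destination 192.168.0.202:443
COMMIT
*filter
-A INPUT -p tcp --dport 443 -j DNAT --to-destination 192.168.0.202:443
COMMIT
"""
```

Calling lint_ruleset(SAMPLE) reports line 3 (malformed -d address) and line 7 (DNAT in the filter table); user-defined chains are not flagged because the check does not follow jumps between chains.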