Sounds like your Linux host has one interface already exposed to the internet (eth0), so I think the issue is there are too many NAT rules. You don't need to do any NAT at all to allow access to your Linux web server. So get rid of these two rules:
Code:
# nat table: both rules DNAT to the address the packet is already addressed to, so they change nothing
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 90 -j DNAT --to-destination 456.38.88.172:90
-A PREROUTING -d 456.38.88.172 -i eth0 -p tcp -m tcp --dport 90 -j DNAT --to-destination 456.38.88.172
then the one rule you already have:
Code:
# filter table: accept new inbound TCP connections to port 90 on the host itself
-A INPUT -d 456.38.88.172 -p tcp -m tcp --dport 90 -m state --state NEW -j ACCEPT
...will allow the inbound requests to port 90 just fine (and the ESTABLISHED,RELATED match will handle the connections once they get going).
Also, get rid of this rule:
Code:
# nat table: masquerades everything leaving eth0, regardless of source
-A POSTROUTING -o eth0 -j MASQUERADE
since outbound SNAT from your Windows VM is handled by the very next SNAT rule. And you can also get rid of this one:
Code:
# nat table: rewrites the source address to the address it already has
-A POSTROUTING -s 456.38.88.172 -o eth0 -j SNAT --to-source 456.38.88.172
since it just does SNAT to the same source IP.
When you get this working, change at least your default INPUT policy to DROP. If this is also acting as a firewall for internal hosts (i.e. if it is forwarding traffic to other physical hosts), the default policy on the FORWARD chain should also be DROP. And if you leave your OUTPUT policy as ACCEPT, then you don't need any of the OUTPUT chain state rules. You want to be precise in the traffic you allow, and drop everything else - just get your setup working first before you do that. I have some commented iptables scripts that might be a good reference for you, see
http://blog.unixlore.net/2006/03/lin...l-scripts.html .
If this doesn't work, I would verify that inbound port 90 traffic is actually getting to your Linux box, using tcpdump.
Code:
# replace <source IP address> with the IP of the client you are testing from
tcpdump -n -i eth0 tcp port 90 and host <source IP address>
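As an added example (not part of the post above and not the poster's scripts), here is a minimal stateful ruleset that follows the advice given: no DNAT for the host's own web port, default DROP on INPUT and FORWARD, ESTABLISHED,RELATED handled once per chain, and masquerading limited to the VM's network rather than everything leaving eth0. The VM interface `virbr0`, the VM network `192.168.122.0/24`, the port 90 and the `DRY_RUN` switch are assumptions for the example, not details from the thread; the original post's obfuscated addresses are not reused.

```shell
#!/bin/sh
# Minimal stateful ruleset for a host that serves tcp/90 directly on its
# internet-facing interface and masquerades a VM behind it.
# Assumed values (not from the original post): WAN_IF, VM_IF, VM_NET, WEB_PORT.
# Set DRY_RUN=1 to print the iptables commands instead of applying them.

WAN_IF="${WAN_IF:-eth0}"
VM_IF="${VM_IF:-virbr0}"
VM_NET="${VM_NET:-192.168.122.0/24}"
WEB_PORT="${WEB_PORT:-90}"

# ipt: run iptables with the given arguments, or print the command in dry-run mode
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

apply_ruleset() {
    # Start from a clean slate in the filter and nat tables
    ipt -F
    ipt -t nat -F
    ipt -X

    # Default policies: allow only what is listed, drop the rest.
    # OUTPUT stays ACCEPT, so no state rules are needed in that chain.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, then replies to connections the host already has open
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound web traffic: the host is the real destination, so no DNAT is involved
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport "$WEB_PORT" -m state --state NEW -j ACCEPT

    # Forwarding for the VM: replies back in, new connections only from the VM net outwards
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$VM_IF" -o "$WAN_IF" -s "$VM_NET" -j ACCEPT

    # Source NAT only for the VM network; the host's own traffic needs no NAT
    ipt -t nat -A POSTROUTING -s "$VM_NET" -o "$WAN_IF" -j MASQUERADE
}

# capture_check: build the tcpdump command that confirms port traffic reaches the host
# $1 is the client address you are testing from
capture_check() {
    printf 'tcpdump -n -i %s tcp port %s and host %s\n' "$WAN_IF" "$WEB_PORT" "$1"
}

case "${1:-}" in
    --apply)   apply_ruleset ;;
    --dry-run) DRY_RUN=1; apply_ruleset ;;
esac
```

Run it as `sh rules.sh --dry-run` first to review the generated commands, then `sh rules.sh --apply` as root; `capture_check 203.0.113.5` prints the tcpdump invocation for a test client at that (documentation-range) address. Note that `iptables -F` and `-P INPUT DROP` in sequence will cut an SSH session if the ESTABLISHED rule is not reached, so apply it from the console or a scheduled rollback the first time.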