The first 2 rules look pretty much alright, except for a few typos (looks like you are missing some spaces in front of the -d and -j options), so they would look like:
Code:
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.4
iptables -A forwarding_rule -i $WAN -p tcp --dport 22 -d 192.168.1.4 -j ACCEPT
I believe that the second set of rules is going to be unnecessary and will definitely cause problems. First, if you DNAT all SSH traffic coming in the LAN interface, then the replies to your clients outside the LAN are going to get DNATed to the router instead (so reply packets would never be able to get back out of the LAN). Second, when SSHing from the LAN directly into the router, you will not need to DNAT that traffic to the IP of the WAN interface. As long as SSHd is listening on all interfaces (which is the default config and netstat will show ::

, then you would not need to forward it from the LAN interface to the WAN interface. It will simply accept the connection on the LAN interface. Also, iptables has the ability to un-DNAT the connection using its state/connection tracking mechanism so the outbound DNAT is unnecessary.
However, you will need to do some kind of SNAT, otherwise traffic from inside the LAN to remote clients will have IANA-reserved source IPs (192.168.) when they leave the router and likely won't reach the client (even if it did, the client won't know where to send the reply).
If you need more help, make sure to post the entire firewall script (after scrubbing any identifiable IPs).
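
The connection-tracking behaviour the post relies on, as an added example that is not part of the original post: a Python model of the router's NAT state table, showing that replies to a DNATed SSH connection are translated back without any outbound rule, and that LAN traffic leaves with a 192.168. source unless SNAT is applied. The `Nat` class, the interface names and all addresses other than 192.168.1.4 are assumptions constructed for the illustration (203.0.113.1 stands in for the WAN IP).

```python
# Model of NAT connection tracking on the router (illustration, not netfilter code).
# Constructed sample addresses: 203.0.113.1 = router WAN IP, 198.51.100.7 = remote host.
WAN_IP, SSH_HOST = "203.0.113.1", "192.168.1.4"


class Nat:
    def __init__(self, snat=True):
        self.snat = snat
        # Maps a reply packet as it arrives at the router to its rewritten form.
        self.table = {}

    def forward(self, pkt, in_if):
        """pkt = (src, sport, dst, dport); returns the packet as it leaves the router."""
        # Reply of a tracked connection: the translation is reversed from state,
        # so no explicit "outbound DNAT" rule is consulted.
        if pkt in self.table:
            return self.table[pkt]
        src, sport, dst, dport = pkt
        new = pkt
        # prerouting_rule: -i $WAN -p tcp --dport 22 -j DNAT --to 192.168.1.4
        if in_if == "wan" and dst == WAN_IP and dport == 22:
            new = (src, sport, SSH_HOST, 22)
        # SNAT for LAN-originated traffic leaving through the WAN interface
        elif in_if == "lan" and self.snat and src.startswith("192.168."):
            new = (WAN_IP, sport, dst, dport)
        # Remember the expected reply and how to map it back to the original tuple.
        reply_seen = (new[2], new[3], new[0], new[1])
        reply_out = (pkt[2], pkt[3], pkt[0], pkt[1])
        self.table[reply_seen] = reply_out
        return new


if __name__ == "__main__":
    nat = Nat()
    # Remote client connects to the WAN IP on port 22: destination is DNATed.
    print(nat.forward(("198.51.100.7", 40000, WAN_IP, 22), "wan"))
    # The SSH server's reply is un-DNATed from conntrack state alone.
    print(nat.forward((SSH_HOST, 22, "198.51.100.7", 40000), "lan"))
    # LAN host connecting out: with and without SNAT.
    out = ("192.168.1.10", 50000, "198.51.100.7", 443)
    print(Nat(snat=True).forward(out, "lan"))
    print(Nat(snat=False).forward(out, "lan"))
```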