Port forwarding allows connections from the outside (WAN) to be forwarded to a device on the inside (LAN). I use this to remotely connect to my windows desktop, access my Calibre library etc. To configure the iptables firewall to allow this it’s necessary to understand a little bit more about how packets are handled by the application by studying the diagram above.
This is an example of port forwarding with NAT. Two commands are needed for every service, one to translate the destination address and one to allow the packet through the firewall.
iptables --append PREROUTING \ # append rule to PREROUTING chain -t nat \ # operate on NAT table --in-interface ppp0 \ # for packets received on ppp0 --protocol tcp \ # check TCP --dport 23 \ # match destination port --jump DNAT --to 192.168.11.112:23 # what to do on match (translate destination address) iptables --append FORWARD \ # append rule to FORWARD chain --in-interface ppp0 \ # for packets received on ppp0 --out-interface wlan0 \ # to be sent on wlan0 --protocol tcp \ # check TCP --destination 192.168.11.112 \ # match destination address --dport 23 \ # match destination port --jump ACCEPT # what to do on match (ACCEPT)