I am trying to configure the iptable to do port forwarding for certain request. The scenario is like this:

Login node A can be accessed from outside. Compute node B running the service can be accessed from A but not from outside. I want to set up iptables so that a request for the service on B from outside can be accessed through A.

A has two ethernet ports: Internal eth0, with ip internal_A and External eth1, with ip external_A.

B has 1 ethernet port, internal eth0. let's say its ip is internal_B

The service listens to internal_B:5900. We open external_A:10000 for user access.

I configure my iptables with the following commands which was copied from some existing system:

1. echo 1> /proc/sys/net/ipv4/ip_forward
2. /sbin/iptables -P FORWARD ACCEPT
3. /sbin/iptables -t nat -A POSTROUTING -j MASQUERADE
4. /sbin/iptables -A PREROUTING -p tcp -t nat --dport 10000 -j DNAT --to-destination interal_B:5900
5. /sbin/iptables -A OUTPUT -p tcp -t nat -d external_A --dport 10000 -j DNAT --to-destination internal_B:5900

But it didn't work. The client always receive the following error message:

Network error: could not connect to server: Hostname_A:10000

Can anybody please help.

Thanks in advance.

Do you have a rule to allow RELATED,ESTABLISHED traffic?
You should have an output specified for your MASQUERADE rule
Does the server your natting to have the firewall as its gateway?

Just solved by specifing the input interface "-i eth1 " to command 4:

4. /sbin/iptables -A PREROUTING -p tcp -t nat -i eth1 --dport 10000 -j DNAT --to-destination interal_B:5900

although I don't know why this works.