Hi there

This is my second post for this issue.
I have been trying to do NAT throug firewall box, but I can't make itworks.
Let me explain my need

Public Ip --------Firewall------- Internal Ip
200.69.219.229 192.168.5.1

I need to listen on port 4000 in the firewall (not opened yet, cause no service use it, the real service resides in the internal machine), and forward that to an internal IP, 192.168.5.2 por 4000. I think you call this NAT

Problems.
1) I need to open port 4000, don't know how
2) I need to forward packets that reach 200.69.219.229:4000 to 192.168.5.2:4000.

For point 2, I have tryed this

iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 4000 -j DNAT --to 192.168.5.2:4000

with no success at all

If anyone can help me with this, I'll be pleased

Thanks in advance

Christian

Looking at your iptables rule you are very close the solution....
The iptables rule you've used it states 'all the packets sent to the firewall's eth0, to port 4000 should have changed destination address' and looks ok.
But you need also:
a. allow this packet to be forwarded
c. allow returning packet(s) to be forwarded back
So you need to add at least:
1. iptables -A FORWARD -j ACCEPT
2. set the kernel for packet forwarding with command 'echo 1 > /proc/sys/net/ipv4/ip_forward'
3. take care of the source address for the forwarded back packets (POSTROUTING with MASQUERADE or SNAT target).
Look: your rule changes the destination address. (The source is constat). So your internal box can see where to send 'response'. And the host which sent the request will get the 'response'. But it will ignore it since it will get it not from host it asked for. Therefore you need (3)

Of course, you can complicate above 'forward' and 'postrouting' rules. For instance you can block non-to-4000-port packets, trace them with '--state' switch etc.

BTW: 'Open' port means nothing else than accepting the packets sent to this port.

The iptables is very simple and logical. Read this.