I have posted previously about using ipmasq and dnsmasq to perform internet connection sharing on a Linux system. Another task I needed to perform was to forward a port on one machine (the machine with the direct internet connection) to a machine on the internal network. Google returns plenty of results for all the ways I could think of to search for this, but none of them were straightforward. Forwarding incoming web or ssh requests seems, to me, like a very common activity.
I ended up using the two $IPTABLES lines from this page in the /etc/ipmasq/rules/F00chain.rul rule file for ipmasq. They ended up taking the following form:
$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d 220.127.116.11 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.0.2:80
where 18.104.22.168 is the internet-visible IP address, and 192.168.0.2 is the web server box on the intranet. Note that this example has eth0 connected to the internet and eth1 to the intranet, with eth1 having an IP address like 192.168.0.1.
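For readers who want the same forward as a reusable script rather than an ipmasq rule file, here is an added example of my own (not the post's rules and not part of ipmasq). It generates the DNAT and FORWARD rules from parameters, refuses malformed addresses or ports, and goes a little beyond the post: the FORWARD rule is restricted to the one internal host, a return-path rule is included for firewalls whose FORWARD policy is DROP, the PREROUTING rule drops the redundant state match (the nat table only sees a connection's first packet), and `--to-destination` is the full spelling of the post's `--to`. The interface names and the 203.0.113.10 public address in the usage call are constructed placeholders.

```shell
#!/bin/sh
# Port-forward helper (added example, not the original post's ipmasq rule file).
# Generates, and optionally applies, the DNAT + FORWARD rules for publishing a
# TCP port on an internal host. The addresses in the usage call at the bottom
# are constructed (RFC 5737 documentation space), not real hosts.

# valid_ipv4 ADDR: return 0 if ADDR is a dotted quad with octets 0-255.
valid_ipv4() {
    addr=$1
    case $addr in
        .*|*.|*..*) return 1 ;;          # leading, trailing or doubled dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case $oct in
            ''|*[!0-9]*) return 1 ;;     # empty or non-numeric octet
        esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# valid_port N: return 0 if N is an integer in 1-65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_rules EXT_IF INT_IF EXT_IP INT_IP PORT
# Prints one iptables command per line. Fails (exit 1) on malformed input so
# that a typo never turns into a rule that forwards more than intended.
gen_rules() {
    ext_if=$1 int_if=$2 ext_ip=$3 int_ip=$4 port=$5
    valid_ipv4 "$ext_ip" || { echo "bad external IP: $ext_ip" >&2; return 1; }
    valid_ipv4 "$int_ip" || { echo "bad internal IP: $int_ip" >&2; return 1; }
    valid_port "$port"   || { echo "bad port: $port" >&2; return 1; }

    # 1. Rewrite the destination of packets arriving on the public address.
    #    nat/PREROUTING only sees the first packet of a connection, so no
    #    state match is needed here.
    echo "iptables -t nat -A PREROUTING -i $ext_if -p tcp -d $ext_ip --dport $port -j DNAT --to-destination $int_ip:$port"
    # 2. Let the rewritten packets cross from the external to the internal
    #    interface, but only towards the one host and port being published.
    echo "iptables -A FORWARD -i $ext_if -o $int_if -p tcp -d $int_ip --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # 3. Let the replies come back (matters when FORWARD's policy is DROP).
    echo "iptables -A FORWARD -i $int_if -o $ext_if -p tcp -s $int_ip --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# apply_rules: same arguments as gen_rules. With DRY_RUN=1 the commands are
# only printed; otherwise they are executed (requires root) after making sure
# the kernel actually forwards packets.
apply_rules() {
    rules=$(gen_rules "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$rules"
        return 0
    fi
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    printf '%s\n' "$rules" | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Usage (constructed addresses): print the rules without touching the firewall.
DRY_RUN=1
apply_rules eth0 eth1 203.0.113.10 192.168.0.2 80
```

Run it as root without DRY_RUN to install the rules for the current boot; to make them persistent, paste the printed lines into the ipmasq rule file as in the post (replacing `iptables` with `$IPTABLES`). Restricting the FORWARD rule with `-d $int_ip` means that if the DNAT rule is ever removed or edited, port 80 is not silently open to every host on the intranet.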