IP forwarding using iptables

I am trying to find out how to use my Linux server as a proxy for VNC (or any app really) for the many workstations I have on my network.

My network is set up like this:

   |- ADSL_Router
      |- Linux
      |- Workstation A
      |- Workstation B
      |-   etc. etc....

I have only one NIC on my Linux server.

I can configure all the forwarding with my ADSL router, but this is a pain in the backside and means I have to use static/reserved IP addresses, which isn't ideal for me.

I run a script every 5 mins which updates my hosts file with all the NetBIOS names, so I can address machines by name.

I've looked hard at iptables, but it's so damn confusing I'm really stuck for ideas.

In plain English, what I want to be able to do is:

Forward a range of ports from my ADSL router, to my Linux box (I can do this).

For one port in this range on the Linux box, forward the packet to a different port on a specific workstation.  And another port to another specific workstation etc.

Any help would be greatly appreciated.

Many thanks,
Steve :)
Who is Participating?
you have to have IP forwarding enabled (echo 1 > /proc/sys/net/ipv4/ip_forward; iptables -A FORWARD -j ACCEPT)

To enable port forwarding from <linux_server_IP>:<port_to_redirect> to <workstation_IP>:<workstation_port> you need to add two rules to iptables:

iptables -A PREROUTING -d <linux_server_IP> -p tcp --dport <port_to_redirect> -j DNAT --to-destination <workstation_IP>:<workstation_port>
iptables -A POSTROUTING -d <workstation_IP> -p tcp --dport <workstation_port> -j SNAT --to-source <linux_server_IP>

the secon rule is important to ensure proper reverse routing and deNATing of packets.
iptables -t nat -A PREROTUNG -p tcp --dport (the port you want to forward) -j DNAT --to-destination (the other machine) --to-dport (the other machine`s port)

That`s what you need to write. Now let us see what we are doing here

iptables (I`m sure you got why this is here)
-t nat - That`s the table with all the rules that has anything to do with nat.
-A - add a rule to a chain called...
PREROUTING - That chain makes manipulation before routing the packet. Well, as you figured, you need to do that before the packet is decided where it`s going. That`s the place to do it
--dport - the destnation port of this packet
-j - that is, jump to this action
DNAT - Chenge the destination of this packet
--to-destanation - well, what can i say about that?
--to-dport - or about that?
sda100Author Commented:
Thank you guruyaya and Blaz.

I used the information you gave me, but both instructions needed tweaking to get them to work.  What you gave me saved me loads of learning time - very explanatory.  For the record, here is my exact solution ( is my adsl router):

iptables -A PREROUTING -t nat -p tcp --dport 8901 -j DNAT --to-destination --to-ports 5900

iptables -A POSTROUTING -t nat -p tcp -d --dport 5900 -j SNAT --to-source

Thank you once again,
Steve :)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.