linux iptables how to port forward

I have a Linux Slackware host acting as a LAN router and DHCP server. That is working fine. I now want to port forward e.g. port 22 from the internet to a host on the LAN. I haven't quite found what I'm looking for on the web or on EE.

On the router/DHCP-server host I have:

eth0 is the connection to the Internet with a static IP: and a public domain of

eth1 is the LAN interface with static IP This is also the interface for the DHCP server which is started with: /usr/sbin/dhcpd eth1. I also have
/etc/sysctl.conf has: net.ipv4.ip_forward = 1

My iptables startup has:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

So far, the above is my configuration for setting this computer up as a router for my LAN. As I said, this works fine and the other hosts in the LAN get their IPs from this host and are all on the subnet.


I want Internet requests coming in on port 30038 via eth0 to be routed to, port 22.

That's it! Basically, I want to ssh into the host at by doing:

ssh -p 30038

How do I do that?

(I also want to eventually route ports 80, 443 and 25 to this same host, but I suppose if I can do what I want for 22 I can figure out the rest).
Dan Craciun (IT Consultant) commented:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 30038 -j DNAT --to-destination

Please note that you will have to enable NAT first. Here's an article on how to do that:

Dash Amr (Senior Specialist, PM) commented:
ssh -L <local port>:<remote computer>:<remote port> <user>@<remote ip>
Dash Amr (Senior Specialist, PM) commented:
An example is:

ssh -L 6669: foowho

In this example, local port 6669 on the local client computer is tunneled by encrypted SSH over the default port 22 to the router at The router must be set up to forward port 22 to whatever the internal LAN IP (such as of the SSH host is. The host is running OpenSSH (sshd service) and is set to listen to port 22. It then routes the incoming data to the host port 6667, where presumably some other program is waiting for data. foowho has an account on the host running the OpenSSH server.
jmarkfoley (Author) commented:
No, I know how to ssh using a not-port-22. In my original posting I have: ssh -p 30038

My question is how to set up iptables to route Internet request to to LAN host

ALFA007 almost has the idea, but reversed. I don't want to go from router:22 to LANhost:30038, I want to go from router:30038 to LANhost:22. ALFA007's statement, "The router must be set up to forward port 22 to whatever the internal LAN IP (such as of the SSH host is." Yes, how to set up the router? My Linux host *is* the router.
jmarkfoley (Author) commented:
DanCraciun: >  you will have to enable NAT first.

I believe that is taken care of. I listed the lines from my iptables config in my original posting:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

Anyway, your solution did the trick! I was able to forward that port and others to the desired hosts.

One last problem: I think I messed up a convoluted forward of port 25. See my new posting:
Question has a verified solution.
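
The forward that resolved this thread, written as a small rule generator so the same pattern covers the other ports the question mentions (an added example, not code from any poster in the thread). The LAN address is a constructed placeholder, `forward_rules` and the `valid_*` helpers are hypothetical names, and the FORWARD rule is only needed when the FORWARD chain does not already accept eth0-to-eth1 traffic, which the thread does not show.

```shell
#!/bin/sh
# Added example: print (not apply) the iptables rules that forward one public
# TCP port on the router to one port on a LAN host.
# Interface names follow the thread (eth0 = Internet, eth1 = LAN).
WAN_IF=${WAN_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}

# valid_port N: succeeds when N is an integer in 1..65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 A.B.C.D: succeeds when there are four octets, each 0..255
valid_ipv4() {
    case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1          # split on dots; input holds only digits and dots here
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# forward_rules PUBLIC_PORT LAN_IPV4 LAN_PORT
# Prints a DNAT rule plus a FORWARD rule that admits only the translated flow.
forward_rules() {
    valid_port "$1" && valid_ipv4 "$2" && valid_port "$3" || {
        echo "usage: forward_rules PUBLIC_PORT LAN_IPV4 LAN_PORT" >&2
        return 2
    }
    # nat/PREROUTING rewrites the destination before the routing decision
    echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $1 -j DNAT --to-destination $2:$3"
    # FORWARD sees the packet after DNAT, so it matches the LAN host and port
    echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -p tcp -d $2 --dport $3 -j ACCEPT"
}

# Constructed sample: public port 30038 to SSH on a placeholder LAN address
forward_rules 30038 192.168.0.10 22
```

Review the printed rules before running them as root; rejecting malformed arguments keeps a typo or a stray shell metacharacter from ending up in a firewall command.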
