Since you're using UFW, first make sure the UFW rule for port 56000
that you added is not a regular input rule, but instead a "route" (aka forwarding) rule, like this (assuming it's for a TCP port; replace tcp
with udp
for UDP):
ufw route allow proto tcp to 10.66.66.2 port 56000
Then you need an iptables rule like this for each port you want to forward (where eth0
is the name of your WAN interface):
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 56000 -j DNAT --to-destination 10.66.66.2
If you have a bunch of individual ports you want to forward, you can put them all (up to 15 ports) in the same rule using the --dports
flag (note the s
) of the multiport
module:
iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 123,456,789 -j DNAT --to-destination 10.66.66.2
And since you're using UFW, you probably want to put your PREROUTING
rules in the *nat
block of your /etc/ufw/before.rules
config file, like this (assuming you probably already have something similar to the POSTROUTING
rule there):
# /etc/ufw/before.rules
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 56000 -j DNAT --to-destination 10.66.66.2
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
If you don't already have a *nat
block in your /etc/ufw/before.rules
file, add it at the end of the file. Restart UFW after you make the changes.