Lab experiment: publishing an internal FTP server through a Linux iptables NAT gateway
external interface: eth3, 202.116.77.131, netmask 255.255.254.0
internal interface: eth2, 172.16.200.4, netmask 255.255.255.0
FTP server: 172.16.200.89 (on the internal network)
To forward FTP from the external network to the internal server:
# load the FTP connection-tracking and NAT helpers (they parse PORT/PASV on the control
# channel and track the data connection as RELATED); on current kernels the modules are
# named nf_conntrack_ftp and nf_nat_ftp, and modprobe resolves the dependency order
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
# control channel: rewrite the public address to the internal server
iptables -t nat -A PREROUTING -d 202.116.77.131 -p tcp --dport 21 -j DNAT --to-destination 172.16.200.89
# new control connections in, replies back out
iptables -A FORWARD -o eth2 -d 172.16.200.89 -p tcp --dport 21 -j ACCEPT
iptables -A FORWARD -i eth2 -s 172.16.200.89 -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
# active-mode data channel: the server opens it from port 20 (RELATED through the ftp helper)
iptables -A FORWARD -i eth2 -s 172.16.200.89 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o eth2 -d 172.16.200.89 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
# caveat: passive-mode data connections (client -> a high port on the server) match none of the
# rules above; unless the FORWARD policy is ACCEPT they need a RELATED rule towards eth2/172.16.200.89
# hairpin SNAT so the server's replies return through this box even if its default route is elsewhere;
# side effect: the server logs every client as 172.16.200.4
iptables -t nat -A POSTROUTING -d 172.16.200.89 -p tcp --dport 21 -j SNAT --to-source 172.16.200.4
To let the internal network out to the external network (masquerade behind eth3's address):
iptables -t nat -A POSTROUTING -s 172.16.200.0/24 -o eth3 -j MASQUERADE
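The whole procedure above as one script, added here as an example and not part of the original lab notes. The addresses and interface names are the lab's; the nf_* helper module names, the raw-table CT rule and the conntrack match are assumptions for current kernels (the notes use the older ip_nat_ftp / ip_conntrack_ftp and -m state). It also closes the passive-mode gap by accepting whatever the helper marks RELATED. Without APPLY=1 it only prints the commands it would run, so it can be reviewed on a box where you are not root.

```shell
#!/bin/sh
# Added example (not from the lab notes): publish 172.16.200.89:21 through the
# eth3/eth2 NAT box. Assumptions: nf_* helper module names, kernel >= 4.7
# helper binding via the raw table, FORWARD policy DROP.

EXT_IF=eth3;  EXT_IP=202.116.77.131
INT_IF=eth2;  INT_IP=172.16.200.4;  INT_NET=172.16.200.0/24
FTP_IP=172.16.200.89

# Print the command (dry run, the default) or execute it (APPLY=1).
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

ftp_dnat_rules() {
  # Routing between eth3 and eth2 at runtime; persist it with
  # net.ipv4.ip_forward=1 in /etc/sysctl.conf.
  run sysctl -w net.ipv4.ip_forward=1

  # FTP helpers: the control channel is parsed for PORT/PASV so the data
  # connection becomes RELATED and the embedded address is rewritten.
  run modprobe nf_conntrack_ftp   # ip_conntrack_ftp on old kernels
  run modprobe nf_nat_ftp         # ip_nat_ftp on old kernels

  # Since kernel 4.7 helpers are no longer attached automatically
  # (nf_conntrack_helper=0), so bind the ftp helper to the control port.
  # The raw table runs before nat, hence the public address is matched here.
  run iptables -t raw -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 21 -j CT --helper ftp

  # Control channel: public address -> internal server.
  run iptables -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport 21 \
      -j DNAT --to-destination "$FTP_IP:21"

  # Filter: new control connections to the server...
  run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$FTP_IP" -p tcp --dport 21 \
      -m conntrack --ctstate NEW -j ACCEPT
  # ...plus everything conntrack already knows in either direction: replies
  # (ESTABLISHED) and the data connections the helper expects (RELATED). That
  # covers passive mode (client -> high port on the server, already DNATed by
  # the time FORWARD sees it) as well as active mode (server port 20 -> client).
  run iptables -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$FTP_IP" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$FTP_IP" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # Hairpin SNAT from the notes: only needed when the server's default route
  # does not point back at this box. Cost: the server logs 172.16.200.4 as the
  # address of every client, so drop this rule when you can.
  run iptables -t nat -A POSTROUTING -o "$INT_IF" -d "$FTP_IP" -p tcp --dport 21 -j SNAT --to-source "$INT_IP"

  # Internal hosts out to the external network.
  run iptables -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j MASQUERADE
}

# Dry run by default: review the output, then rerun as root with APPLY=1.
ftp_dnat_rules
```

Run it once without arguments to see the exact rule set, then `APPLY=1 sh ftp-dnat.sh` as root. Afterwards `iptables -t nat -L -n -v` should show the DNAT and both POSTROUTING rules, and a passive-mode transfer from outside should complete without the FORWARD policy being ACCEPT.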
Other tips:
Clearing the previous rules (filter and nat tables only; chain policies are left as they are):
iptables -F          # flush all rules in the filter table
iptables -Z          # zero the packet and byte counters
iptables -X          # delete the (now empty) user-defined chains
iptables -t nat -F   # the nat table has to be flushed separately
iptables -t nat -X
Viewing the current rules (-n skips DNS lookups, -v shows interfaces and counters; the nat table must be listed separately):
iptables -L -n -v
iptables -t nat -L -n -v
Enabling IP forwarding (on Debian): uncomment the net.ipv4.ip_forward=1 line in /etc/sysctl.conf and apply it with sysctl -p (or, for the running kernel only, echo 1 > /proc/sys/net/ipv4/ip_forward). Without it the box drops the forwarded packets regardless of the rules above.