IP Networking

I have been tearing my hair out with this (and not enough left to keep going).
I have a linux box (raspberry pi) single ethernet interface in a heavily filtered DMZ with external ports fwd'd that can access an internal IP's (different subnet).
I want to forward the traffic. Should be simple I thought and in fact I have it working using 'nc' as a 'one hit' as follows

Code:

mkfifo backpipe
nc -l 80  0<backpipe | nc 172.16.100.102 80 1>backpipe

But I need this to be a permanent fwd. So after much googling tried to set up iptables to do this.

IP of pi is 192.168.1.8 it has an external IP with management port and port 80 fwd's at the router to the internal ip. The IP of the service I am trying to fwd to is 172.16.100.102 which is accessible as I said above from the PI (but not explicitly in the pi's routing table, just accessible via the default route)

I have enabled fwd'ing on the eth0 interface

Code:

"echo '1' > /proc/sys/net/ipv4/conf/eth0/forwarding"

I have tried several slightly different rulesets but feel the following is the closest

Code:

iptables -t nat -A PREROUTING --dst 192.168.1.8 -p tcp --dport 80 -j DNAT --to-destination 172.16.100.102:80
iptables -t nat -A POSTROUTING -p tcp --dst 172.16.100.102 --dport 80 -j SNAT --to-source 192.168.1.8
iptables -t nat -A OUTPUT --dst 192.168.1.8 -p tcp --dport 80 -j DNAT --to-destination 172.16.100.102:80

this gives me the following info

Code:

root@raspberrypi:/home/pi# iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 1 packets, 78 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.1.8          tcp dpt:80 to:172.16.100.102:80

Chain INPUT (policy ACCEPT 1 packets, 78 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 2 packets, 152 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            192.168.1.8          tcp dpt:80 to:172.16.100.102:80

Chain POSTROUTING (policy ACCEPT 2 packets, 152 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       tcp  --  *      *       0.0.0.0/0            172.16.100.102       tcp dpt:80 to:192.168.1.8

I know it's working to an extent (that is doing something to port 80) as if I have the port open and logging ( nc -l localhost 80 > log.txt ) and then implement the iptables rules above I can no longer connect to port 80 until I purge the rules again.

I also notice that iptables doesn't seem to actually 'open' the port.
So questions are twofold.
1) do I have to activate a service to open the port so that the iptables rules can then apply or is there a way to have iptables open the port?
2) how do I make this damn thing work?

Any input greatly appreciated.

---------- Post updated at 11:49 AM ---------- Previous update was at 05:29 AM ----------

Could a moderator please move this to the IP Networking Thread ? as I think it would be more relevant there.

---------- Post updated 11-28-12 at 09:25 AM ---------- Previous update was 11-27-12 at 11:49 AM ----------

Managed to get this working much more simply as follows:

Code:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -p tcp -s 0/0 -d 192.168.1.8 --dport 80 -j DNAT --to 172.16.100.102:80
iptables -t nat -A POSTROUTING -o eth0 -d 172.16.100.102 -j SNAT --to-source 192.168.1.8