This rule forwards port 80 to a host on the internal network:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.3.222:80
I want to forward all traffic regardless of the port (with n:n mapping) to an internal host. I have tried
iptables -t nat -A PREROUTING -p tcp -j DNAT --to-destination 10.0.3.222
but this doesn't work: the connection timed out.
This rule is part of a more complex chain. My goal is to allow connections to some services on the router (ssh, dns) and forward all other connections to an internal host. The complete chain setup looks like this:
iptables -t nat -A PREROUTING -m addrtype --dst-type local -j dnat-chain
iptables -t nat -A dnat-chain -p tcp --dport 22 -j RETURN
iptables -t nat -A dnat-chain -p udp --dport 53 -j RETURN
...
iptables -t nat -A dnat-chain -p tcp -j DNAT --to-destination ...
I added the same chain to OUTPUT to be able to initiate connections from the router to internal services:
iptables -t nat -A OUTPUT -m addrtype --dst-type local -j dnat-chain
EDIT
Here is the initial state of the nat and filter tables:
$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i lxcbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -i lxcbr0 -p udp -m udp --dport 67 -j ACCEPT
-A FORWARD -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -j ACCEPT
$ sudo iptables -S -t nat
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.3.0/24 ! -d 10.0.3.0/24 -j MASQUERADE
lxcbr0 is connected to 10.0.3.0/24.
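The chain described in the question, collected into one idempotent script as an added example (this is not code from the original post and it does not diagnose the timeout). It assumes the internal host 10.0.3.222 and the exception list tcp/22, udp/53 and tcp/53 (tcp/53 is added because the filter table above accepts it on lxcbr0); it also generalizes the catch-all to UDP, which the post's chain did not have. Every RETURN rule carries the `-j` that the posted rules were missing. Without arguments it only prints the rules it would add; `--apply` runs them through iptables and needs root.

```shell
#!/bin/sh
# Added example, not from the original post.
# Rebuilds the nat-table chain "dnat-chain": traffic to any local address
# is DNATed to one internal host, except the services kept on the router.
# Default action is a dry run that prints the rules; "--apply" installs them.

IPT="${IPT:-iptables}"
INTERNAL_HOST="${INTERNAL_HOST:-10.0.3.222}"   # assumption: host from the question
CHAIN=dnat-chain

# Services that must keep terminating on the router, as proto:port (assumed list).
ROUTER_SERVICES="tcp:22 udp:53 tcp:53"

setup_dnat_chain() {
    # Create the chain if it does not exist yet, then flush it so that
    # re-running the script never duplicates rules.
    $IPT -t nat -N "$CHAIN" 2>/dev/null || true
    $IPT -t nat -F "$CHAIN"

    # Exceptions first: RETURN leaves the packet un-NATed for the router.
    for svc in $ROUTER_SERVICES; do
        proto=${svc%%:*}
        port=${svc##*:}
        $IPT -t nat -A "$CHAIN" -p "$proto" --dport "$port" -j RETURN
    done

    # Catch-all: with no port in --to-destination the original destination
    # port is kept, which gives the n:n port mapping asked for.
    $IPT -t nat -A "$CHAIN" -p tcp -j DNAT --to-destination "$INTERNAL_HOST"
    $IPT -t nat -A "$CHAIN" -p udp -j DNAT --to-destination "$INTERNAL_HOST"
}

hook_chain() {
    # Only packets addressed to one of the router's own addresses enter the
    # chain. PREROUTING covers traffic from the network, OUTPUT covers
    # connections the router itself initiates. "-C" checks whether the jump
    # already exists; under IPT=echo there is nothing to check, so skip it.
    for hook in PREROUTING OUTPUT; do
        if [ "$IPT" = echo ] || \
           ! $IPT -t nat -C "$hook" -m addrtype --dst-type local -j "$CHAIN" 2>/dev/null; then
            $IPT -t nat -A "$hook" -m addrtype --dst-type local -j "$CHAIN"
        fi
    done
}

# Print the complete rule set instead of installing it (used by the dry run).
render_rules() {
    ( IPT=echo; setup_dnat_chain; hook_chain )
}

main() {
    case "${1:-}" in
        --apply) setup_dnat_chain; hook_chain ;;
        *)       render_rules ;;
    esac
}

main "$@"
```

Run `sh dnat.sh` to review the rules and `sudo sh dnat.sh --apply` to install them. One caveat that follows from the `-m addrtype --dst-type local` match: loopback addresses are also of type LOCAL, so with the OUTPUT hook a connection from the router to 127.0.0.1 on a port that is not in the exception list is DNATed to the internal host as well; add `! -d 127.0.0.0/8` to the OUTPUT jump rule if that is not wanted.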