When you forward a port to an internal machine on the network, you still can’t access that host using your WAN IP from within the LAN. This article explains it well. In short, it’s because the reply from the machine you’re connecting to goes directly to the client’s LAN IP, and not back through the router.

To fix it, we need to add a SNAT rule for that port forward as well. As an example, say we want to forward port 80 to 10.50.0.4 on our 10.50.0.0/16 LAN, and 10.50.0.1 is our router. These two rules are then necessary (WANIP stands for the router’s public address, LANIP for 10.50.0.4):

iptables -t nat -A PREROUTING -d WANIP -p tcp --dport 80 -m comment --comment "Forward www to 10.50.0.4." -j DNAT --to-destination LANIP
iptables -t nat -A POSTROUTING -p tcp --source 10.50.0.0/16 --dest 10.50.0.4 --dport 80 -j SNAT --to-source 10.50.0.1 --match comment --comment "Allow our LAN to access port 80 from the WAN side as well."

Normally when forwarding, I would not use -d WANIP but --in-interface eth0. That won’t work here, because the LAN requests do not arrive on eth0.

Also, the --source in the second rule is not strictly necessary, but if you don’t specify it, the rule will also match incoming requests from the internet, so those are rewritten to come from 10.50.0.1 as well. That is ugly, especially if you have logging rules.
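
The address rewriting described in the first and last paragraphs, as a small model (an added example, not code from the original article). The WAN address 203.0.113.10 and the client addresses are constructed sample values, and connect() is a hypothetical helper that only tracks source and destination addresses, not real packets.

```python
import ipaddress

# Constructed sample values: WAN_IP stands in for WANIP in the rules above.
WAN_IP, ROUTER, SERVER = "203.0.113.10", "10.50.0.1", "10.50.0.4"
LAN = ipaddress.ip_network("10.50.0.0/16")

def in_lan(ip):
    return ipaddress.ip_address(ip) in LAN

def connect(client, snat=True, restrict_source=True):
    """Model one TCP connection from client to WAN_IP:80 via the router.

    Returns (source address the server sees, client accepts the reply).
    """
    # PREROUTING DNAT: the destination WAN_IP becomes the internal server.
    src = client
    # POSTROUTING SNAT: with --source it only applies to LAN clients.
    if snat and (in_lan(src) or not restrict_source):
        src = ROUTER
    seen_by_server = src

    # The server replies to whatever source address it saw.
    reply_src, reply_dst = SERVER, seen_by_server
    if reply_dst == ROUTER:
        # Reply reaches the router; conntrack undoes SNAT and DNAT.
        reply_src, reply_dst = WAN_IP, client
    elif not in_lan(reply_dst):
        # Reply to an internet host leaves through the router (default
        # gateway), where conntrack undoes the DNAT.
        reply_src = WAN_IP
    # Otherwise the destination is on the server's own subnet: the reply
    # is delivered directly and still carries SERVER as its source.

    # The client only accepts a reply from the address it connected to.
    accepted = reply_dst == client and reply_src == WAN_IP
    return seen_by_server, accepted

if __name__ == "__main__":
    cases = [
        ("LAN client, DNAT only", "10.50.0.7", False, True),
        ("LAN client, DNAT + SNAT", "10.50.0.7", True, True),
        ("internet client, SNAT with --source", "198.51.100.20", True, True),
        ("internet client, SNAT without --source", "198.51.100.20", True, False),
    ]
    for label, client, snat, restrict in cases:
        seen, ok = connect(client, snat, restrict)
        print(f"{label}: server sees {seen}, reply accepted: {ok}")
```

The last case still works, but the server’s access log shows 10.50.0.1 for every external visitor, which is the reason to keep --source in the SNAT rule.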