Help with iptables

Hello everyone,
I’m new to Linux and I would like to ask for some help and some tips.
A client just fired his IT guy and asked me to take care of the network and the servers. We have 3 servers: 2 with Windows Server and one with openSUSE 11.3.
The Linux server works as a firewall/proxy server.
They asked me to do a port forwarding of our static IP port XXXX to one of our internal servers on port 80.
The problem is, I don't know how to do it! I entered yast>firewall>masquerading and created the “redirection” there.
But do I have to change the settings in another place? Do I have to open this port? I used port 15500 as an example, but any port will do for me.

Can someone explain, or help me do this forwarding?

And the last question is: what would you do in my place? Would you keep the configuration of the firewall and proxy as it is, or would you start a new one?

Please don't mind my horrible English, and thanks in advance for your help.

#iptables -t nat -nL

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.0.123 0.0.0.0/0
ACCEPT all -- 192.168.0.112 0.0.0.0/0
ACCEPT all -- 192.168.0.105 0.0.0.0/0
ACCEPT all -- 192.168.0.104 0.0.0.0/0
ACCEPT all -- 192.168.0.117 0.0.0.0/0
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 to:192.168.0.3:3389
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:192.168.0.38:8080
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8081 to:192.168.0.39:8081
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6036 to:192.168.0.39:6036
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:6035 to:192.168.0.38:6035
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4489 to:192.168.0.3:80
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:15500 to:192.168.0.3:80
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.0.123 0.0.0.0/0
MASQUERADE all -- 192.168.0.112 0.0.0.0/0
MASQUERADE all -- 192.168.0.105 0.0.0.0/0
MASQUERADE all -- 192.168.0.104 0.0.0.0/0
MASQUERADE all -- 192.168.0.117 0.0.0.0/0
MASQUERADE all -- 192.168.0.0/24 0.0.0.0/0
MASQUERADE all -- 192.168.0.0/24 0.0.0.0/0
MASQUERADE all -- 192.168.0.0/24 0.0.0.0/0
MASQUERADE all -- 192.168.0.0/24 0.0.0.0/0
MASQUERADE all -- 192.168.0.0/24 0.0.0.0/0
MASQUERADE all -- 192.168.0.0/24 0.0.0.0/0
MASQUERADE all -- 192.168.0.0/24 0.0.0.0/0
MASQUERADE all -- 192.168.0.0/24 0.0.0.0/0
MASQUERADE all -- 192.168.0.0/24 0.0.0.0/0
MASQUERADE tcp -- 0.0.0.0/0 192.168.0.3 tcp dpt:3389
MASQUERADE tcp -- 0.0.0.0/0 192.168.0.38 tcp dpt:8080
MASQUERADE tcp -- 0.0.0.0/0 192.168.0.39 tcp dpt:8081
MASQUERADE tcp -- 0.0.0.0/0 192.168.0.39 tcp dpt:6036
MASQUERADE tcp -- 0.0.0.0/0 192.168.0.38 tcp dpt:6035
MASQUERADE tcp -- 0.0.0.0/0 192.168.0.3 tcp dpt:80
MASQUERADE tcp -- 0.0.0.0/0 192.168.0.3 tcp dpt:80

>>But do I have to change the settings in another place? Do I have to open this port? I used port 15500 as an example, but any port will do for me.

The nat table you have shown has the correct redirection for your port in it:

DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:15500 to:192.168.0.3:80

This line (above) translates all incoming addresses on dest port 15500 and preroutes them to your server on port 80.

MASQUERADE  tcp  --  0.0.0.0/0            192.168.0.3         tcp dpt:80                 

This line (above) allows your firewall to reroute packets to your server. It is a duplicate line because you already have some port redirection to this server (port 4489 is also redirected to port 80 on your server).

>>Can someone explain, or help me do this forwarding?

You will need to study the iptables man page and search for tutorials on iptables to fully understand what is involved. The list of rules you have in your nat table (along with rules in filter, mangle and other tables) is used to determine what happens to incoming, forwarded and outgoing packets. There is far too much to cover here. I suggest you google "iptables tutorial" and read the man page.

>>And the last question is: what would you do in my place? Would you keep the configuration of the firewall and proxy as it is, or would you start a new one?

I would leave your configuration as it is - it looks to me like it will work.
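
The nat listing discussed in this thread can be audited mechanically. The following is an added example, not part of any post above: it parses `iptables -t nat -nL` text, lists each DNAT port forward with the source range it accepts, and reports rules that appear more than once in a chain. The sample input is a shortened, constructed copy of the posted listing, and the function names are illustrative.

```python
import re
from collections import Counter
# Constructed sample: a shortened copy of the listing posted in the thread.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3389 to:192.168.0.3:3389
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:4489 to:192.168.0.3:80
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:15500 to:192.168.0.3:80
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE tcp -- 0.0.0.0/0 192.168.0.3 tcp dpt:80
MASQUERADE tcp -- 0.0.0.0/0 192.168.0.3 tcp dpt:80
"""
DNAT_RE = re.compile(r"dpt:(\d+) to:([\d.]+):(\d+)")

def parse_nat(listing):
    """Group rule lines of `iptables -t nat -nL` output by chain name."""
    chains, current = {}, None
    for line in listing.splitlines():
        fields = line.split()
        if not fields or fields[0] == "target":  # blank line or column header
            continue
        if fields[0] == "Chain":
            current = chains.setdefault(fields[1], [])
        elif current is not None:
            current.append(fields)  # target, prot, opt, source, destination, ...
    return chains

def port_forwards(chains):
    """DNAT rules as (source, public_port, internal_ip, internal_port)."""
    found = []
    for f in chains.get("PREROUTING", []):
        m = DNAT_RE.search(" ".join(f))
        if f[0] == "DNAT" and m:
            found.append((f[3], int(m.group(1)), m.group(2), int(m.group(3))))
    return found

def duplicates(chains):
    """Rules listed more than once in the same chain, with their count."""
    counts = Counter((name, " ".join(r)) for name, rs in chains.items() for r in rs)
    return {key: n for key, n in counts.items() if n > 1}

if __name__ == "__main__":
    chains = parse_nat(SAMPLE)
    for src, port, ip, iport in port_forwards(chains):
        print(f"public tcp/{port} -> {ip}:{iport} (source {src})")
    for (chain, rule), n in duplicates(chains).items():
        print(f"{chain}: {n}x {rule}")
```

The nat table only rewrites addresses; whether a forwarded connection is accepted is decided by the filter table, which `iptables -nL FORWARD` lists.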