Various nuggets of useful technical information.

Friday, June 20, 2008

Simple Port Forwarding on IPTABLES over NAT-T

Assuming you have:

Machine 1 with WAN and LAN interfaces running IPTABLES with NAT-T
Machine 2 with only LAN interface

Machine 1 WAN interface is WAN_IF
Machine 1 WAN IP is WAN_IP
Machine 2 LAN interface is LAN_IF
Machine 2 LAN IP is DEST_IP
Machine 1 Port that is being forwarded is FWD_PORT
Machine 2 Port that is being forwarded to is DEST_PORT

You want to forward ports on Machine 1 to Machine 2.

Here's a snippet that can be added to /etc/sysconfig/iptables that does that.

In the *nat block, after the NAT-T lines:
-A PREROUTING -d WAN_IP -i WAN_IF -p tcp -m tcp --dport FWD_PORT -j DNAT --to-destination DEST_IP:DEST_PORT
-A POSTROUTING -s DEST_IP -o WAN_IF -j SNAT --to-source WAN_IP
#-A POSTROUTING -o LAN_IF -p tcp --dport DEST_PORT -d DEST_IP -j MASQUERADE**
COMMIT

**If Machine 2 is NOT set up to use Machine 1 as a gateway, then uncomment that line. It rewrites the source of the forwarded packets to Machine 1's LAN address so that Machine 2's replies come back through Machine 1 instead of being routed elsewhere. Note that POSTROUTING sees the packet after DNAT, so it matches on DEST_PORT, not FWD_PORT.

In the *filter block (the FORWARD chain also sees the packet after DNAT, so match the translated DEST_PORT here, not FWD_PORT; the two only coincide when they are set to the same value):
-A FORWARD -d DEST_IP -i WAN_IF -o LAN_IF -p tcp -m tcp --dport DEST_PORT -m state --state NEW -j ACCEPT
COMMIT

And you're done.
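The easiest mistake in this setup is matching the pre-DNAT port in FORWARD when FWD_PORT and DEST_PORT differ: the forward then silently fails. The following checker is an added example, not code from the original post; it parses iptables-save style text and reports any DNAT rule whose translated destination (IP and port) has no matching FORWARD ACCEPT. The sample rulesets and addresses are constructed.

```python
import shlex

def parse_rule(line):
    """Split '-A CHAIN -flag value ...' into (chain, {flag: value}); bare flags map to True."""
    toks = shlex.split(line)
    chain, opts, i = toks[1], {}, 2
    while i < len(toks):
        key = toks[i].lstrip("-")
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            opts[key] = toks[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return chain, opts

def check_forwards(ruleset):
    """Return problems: every nat PREROUTING DNAT must be matched by a filter FORWARD
    ACCEPT on the *translated* destination, because FORWARD runs after DNAT."""
    tables, table = {}, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
            tables[table] = []
        elif line.startswith("-A") and table:
            tables[table].append(parse_rule(line))
    accepts = [o for c, o in tables.get("filter", [])
               if c == "FORWARD" and o.get("j") == "ACCEPT"]
    problems = []
    for chain, o in tables.get("nat", []):
        if chain != "PREROUTING" or o.get("j") != "DNAT":
            continue
        ip, _, port = o["to-destination"].partition(":")
        port = port or o.get("dport")  # DNAT without :port keeps the original port
        if not any(a.get("d") == ip and a.get("dport") == port for a in accepts):
            problems.append(f"DNAT to {ip}:{port} has no FORWARD ACCEPT for the translated destination")
    return problems

# Constructed sample: the post's pattern with FWD_PORT=8080 and DEST_PORT=5900.
# The FORWARD rule matches the pre-DNAT port 8080, so forwarded packets never get accepted.
RULES_BUGGY = """*nat
-A PREROUTING -d 203.0.113.10 -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.20:5900
-A POSTROUTING -s 192.168.1.20 -o eth0 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
-A FORWARD -d 192.168.1.20 -i eth0 -o eth1 -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
COMMIT
"""
RULES_FIXED = RULES_BUGGY.replace("--dport 8080 -m state", "--dport 5900 -m state")

if __name__ == "__main__":
    print(check_forwards(RULES_BUGGY))  # one problem reported
    print(check_forwards(RULES_FIXED))  # []
```

Feed it the output of `iptables-save` on Machine 1 to check a live ruleset the same way.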

I usually use VNC to test this. Install VNC on the LAN Machine 2, use port 5900 as the DEST_PORT and FWD_PORT and test.
