If you have sane filtering rules (same as IOS access-list), you will also have to open up the FORWARD chain for inbound traffic:
iptables -A FORWARD -i <your inet iface> --destination 192.168.1.1 -p tcp --dport 3306 -j ACCEPT
Reading the iptables man pages fills in most of the important stuff, and if that isn't enough, you could always read the documentation on netfilter.org for more info than you'll need.
Paul Fontenot wrote:
Not sure what the ipfilter lingo is for what I want to do, so I will demonstrate with a Cisco PIX ACL.
access-list outside_access_in permit tcp any host 1.1.1.1 eq 3306
There would be a static for the 1.1.1.1 address:
static (inside,outside) 192.168.1.1 1.1.1.1
Where the MySQL server is running on host 192.168.1.1 and that IP is mapped via a static translation to 1.1.1.1 on the PIX's outside interface.
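
The PIX static and access-list in this thread correspond on iptables to a DNAT rule in the nat table plus the FORWARD accept shown in the reply. The script below is an added example, not part of the thread, that validates its inputs and prints that rule pair in iptables-restore format; the interface name eth0 and the optional source CIDR argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). eth0 and SRC_CIDR are assumptions.
# Forwarding must also be enabled: sysctl -w net.ipv4.ip_forward=1

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# valid_port N: succeed only for an integer in 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# emit_rules IFACE PUBLIC_IP INSIDE_IP PORT [SRC_CIDR]
# Prints iptables-restore input and applies nothing itself. Inputs are
# validated so that no extra rule text can be smuggled into the output.
emit_rules() {
    iface=$1 pub=$2 inside=$3 port=$4 src=${5:-0.0.0.0/0}
    case "$iface" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    valid_ipv4 "$pub" && valid_ipv4 "$inside" && valid_port "$port" || return 1
    mask=${src#*/}
    case "$mask" in ''|*[!0-9]*|???*) return 1 ;; esac
    valid_ipv4 "${src%/*}" && [ "$mask" -le 32 ] || return 1
    cat <<EOF
*nat
# PIX "static": rewrite the public address to the inside host
-A PREROUTING -i ${iface} -d ${pub} -p tcp --dport ${port} -j DNAT --to-destination ${inside}:${port}
COMMIT
*filter
# PIX access-list: FORWARD sees the packet after DNAT, so match the inside IP
-A FORWARD -i ${iface} -s ${src} -d ${inside} -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Values from the thread. Review the output, then pipe this script's output
# into "iptables-restore --noflush" as root to load it.
emit_rules eth0 1.1.1.1 192.168.1.1 3306
```

Passing a fifth argument such as a client network in CIDR form narrows the `any` source of the PIX ACL, so the MySQL port is not reachable from the whole internet.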