Thanks again for your insights. It looks like it is working now.
For those who are interested - here's the current set of relevant rules that seem to be working.
# All coming out of DMZ or LAN and all with established connections on any interface
$IPTABLES -A FORWARD -i $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Forward to RTSP in DMZ STREAMING SERVER
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_STREAMING --dport 554 -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_STREAMING --dport 7070 -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p udp -d $DMZ_STREAMING --dport 554 -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p udp -d $DMZ_STREAMING --dport 7070 -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -p udp -d $DMZ_STREAMING --dport 6970:6999 -j ACCEPT
# DNAT to QTSS Server
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 554 -j DNAT --to-destination $DMZ_STREAMING:554
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 7070 -j DNAT --to-destination $DMZ_STREAMING:7070
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p udp --dport 554 -j DNAT --to-destination $DMZ_STREAMING:554
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p udp --dport 7070 -j DNAT --to-destination $DMZ_STREAMING:7070
$IPTABLES -t nat -A PREROUTING --dst $INET_IP -p udp --dport 6970:6999 -j DNAT --to-destination $DMZ_STREAMING:6970-6999
# SNAT - Anything heading out the Public interface gets the public IP $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
A working streamed sample can be seen at http://darwin.dswllc.com/sample.html.
Dan Barron
