> iptables -t nat -A PREROUTING -d X.X.X.X -p tcp --dport 22 -j DNAT \
> -- to 192.168.1.89:2222 (ares)
>
> iptables -t nat -A PREROUTING -d X.X.X.X -p tcp --dport 22 -j DNAT \
> -- to 192.168.1.90:22222 (zeus)

If X.X.X.X in that first rule == X.X.X.X in that second rule--the second
rule will never be matched. You're giving netfilter 3 pieces of
information to use to decide whether you have a match:

  Protocol = TCP
  Dest IP = X.X.X.X
  Dest Port = 22

Given those conditions, how will it skip the first rule and make it to
the second?

I would reverse your theory. Let the hosts on the inside listen on the
standard SSH port (TCP 22), and use different ports on the external
side:

  iptables -t nat -A PREROUTING -d X.X.X.X -p tcp --dport 2222 -j DNAT \
    --to 192.168.1.89:22 (ares)

  iptables -t nat -A PREROUTING -d X.X.X.X -p tcp --dport 2223 -j DNAT \
    --to 192.168.1.90:22 (zeus)

And then use:

  ssh -p 2222 X.X.X.X

to connect to ares

And:

  ssh -p 2223 X.X.X.X

to connect to zeus

-j
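
Added example, not part of the original message: a small first-match audit that flags rules which can never be reached because an earlier terminating rule in the same chain already matches the same packets. It goes slightly beyond the identical-rule case above by also flagging a later rule whose conditions are a superset of an earlier rule's. The names parse_rule and find_shadowed and the address 203.0.113.10 (standing in for X.X.X.X) are assumptions of this example; CIDR containment, port ranges and match modules are not modelled, and only the "! -d X" form of negation is handled.

```python
import shlex

# Options that select packets; everything else (targets, -m, comments) is ignored.
MATCH_OPTS = {"-p", "-s", "-d", "-i", "--sport", "--dport"}
# Targets that end traversal of the chain for a matching packet (LOG does not).
TERMINATING = {"DNAT", "REDIRECT", "ACCEPT", "DROP", "RETURN"}

def parse_rule(line):
    """Turn one 'iptables -t nat -A CHAIN ...' line into (table, chain, target, matches)."""
    tokens = shlex.split(line)
    table, chain, target, matches, negate = "filter", None, None, {}, False
    for opt, val in zip(tokens, tokens[1:] + [None]):
        if opt == "!":
            negate = True
        elif opt == "-t":
            table = val
        elif opt == "-A":
            chain = val
        elif opt == "-j":
            target = val
        elif opt in MATCH_OPTS and val is not None:
            matches[opt] = ("!" if negate else "") + val
            negate = False
    return table, chain, target, matches

def find_shadowed(lines):
    """Return (later, earlier) 1-based rule pairs where the later rule can never match."""
    rules = [parse_rule(line) for line in lines]
    shadowed = []
    for j, (tbl_j, chain_j, _, m_j) in enumerate(rules):
        for i, (tbl_i, chain_i, tgt_i, m_i) in enumerate(rules[:j]):
            # The earlier rule's conditions are a subset of the later rule's, so
            # every packet the later rule wants already matched the earlier one.
            covers = m_i.items() <= m_j.items()
            if (tbl_i, chain_i) == (tbl_j, chain_j) and tgt_i in TERMINATING and covers:
                shadowed.append((j + 1, i + 1))
                break
    return shadowed

# Constructed rule sets modelled on the two variants in the message.
PRE = "iptables -t nat -A PREROUTING -d 203.0.113.10 -p tcp "
ORIGINAL = [PRE + "--dport 22 -j DNAT --to 192.168.1.89:2222",
            PRE + "--dport 22 -j DNAT --to 192.168.1.90:22222"]
SUGGESTED = [PRE + "--dport 2222 -j DNAT --to 192.168.1.89:22",
             PRE + "--dport 2223 -j DNAT --to 192.168.1.90:22"]

if __name__ == "__main__":
    print(find_shadowed(ORIGINAL))   # [(2, 1)]
    print(find_shadowed(SUGGESTED))  # []
```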