rachman
just joined
Topic Author
Posts: 4
Joined: Tue Jun 14, 2011 7:13 am

Forwarding Public IP to local IP Problem

Tue Jun 14, 2011 7:36 am

Dear Forum,

Please help, I have a problem when forwarding my public IP to a local IP.
I already set NAT as in the manual, but I still cannot reach my local server from the public IP.

The code:
chain=dstnat action=dst-nat to-addresses=192.168.0.252 to-ports=8081
protocol=tcp dst-address=222.124.139.xxx dst-port=8081

Thanks,
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: FOrwarding Public IP to local IP Problem

Tue Jun 14, 2011 8:50 am

That looks about right. How are you testing? Where is the test machine located in relation to the target server? Also, post the output of "/ip address print detail", "/ip route print detail", "/interface print", "/ip firewall export", and an accurate network diagram.
 
rachman
just joined
Topic Author
Posts: 4
Joined: Tue Jun 14, 2011 7:13 am

Re: FOrwarding Public IP to local IP Problem

Tue Jun 14, 2011 10:46 am

> That looks about right. How are you testing? Where is the test machine located in relation to the target server? Also, post the output of "/ip address print detail", "/ip route print detail", "/interface print", "/ip firewall export", and an accurate network diagram.
Hi Fewi,

I try with http://222.124.139.aaa:8081 from my PC (192.168.0.21).
If I try http://192.168.0.252:8081, it can access the web server.

[ptpm@PTPM] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.0.1/24 192.168.0.0 192.168.0.255 Local
1 222.124.139.xxx/29 222.124.139.yyy 222.124.139.zzz Internet

[ptpm@PTPM] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 222.124.139.193 1
1 ADC 192.168.0.0/24 192.168.0.1 Local 0
2 ADC 222.124.139.xxx/29 222.124.139.aaa Internet 0

[ptpm@PTPM] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU
0 R Internet ether 1500 1526
1 R Local ether 1500 1524
2 ether3 ether 1500 1524
3 ether4 ether 1500 1524
4 ether5 ether 1500 1524

[ptpm@PTPM] /ip firewall> export
# jun/14/2011 14:39:06 by RouterOS 4.10
# software id = G4R8-KFHV
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="Added by webbox" disabled=no protocol=\
icmp
add action=accept chain=input comment="Added by webbox" connection-state=\
established disabled=no in-interface=Internet
add action=accept chain=input comment="Added by webbox" connection-state=\
related disabled=no in-interface=Internet
add action=drop chain=input comment="Added by webbox" disabled=no \
in-interface=Internet
add action=jump chain=forward comment="Added by webbox" disabled=no \
in-interface=Internet jump-target=customer
add action=accept chain=customer comment="Added by webbox" connection-state=\
established disabled=no
add action=accept chain=customer comment="Added by webbox" connection-state=\
related disabled=no
add action=drop chain=customer comment="Added by webbox" disabled=no
/ip firewall mangle
add action=mark-packet chain=output comment="Hit Traffic From Proxy" \
disabled=no dscp=4 new-packet-mark=Proxy-Hit out-interface=Local \
passthrough=no
add action=mark-packet chain=prerouting comment="Up Traffic" disabled=no \
in-interface=Local new-packet-mark=Test-Up passthrough=no src-address=\
192.168.0.0/24
add action=mark-connection chain=forward comment="Mark Conn" disabled=no \
new-connection-mark=Test-Conn passthrough=yes src-address=192.168.0.0/24
add action=mark-packet chain=forward comment=Down-Direct connection-mark=\
Test-Conn disabled=no in-interface=Internet new-packet-mark=Test-Down \
passthrough=no
add action=mark-packet chain=output comment="Down-Via Proxy" disabled=no \
dst-address=192.168.0.0/24 new-packet-mark=Test-Down out-interface=Local \
passthrough=no
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=redirect chain=dstnat comment="" disabled=no dst-port=80 \
in-interface=Local protocol=tcp src-address=192.168.0.0/24 to-ports=8080
add action=redirect chain=dstnat comment="" disabled=no dst-port=3128 \
in-interface=Local protocol=tcp src-address=192.168.0.0/24 to-ports=8080
add action=redirect chain=dstnat comment="" disabled=no dst-port=8000 \
in-interface=Local protocol=tcp src-address=192.168.0.0/24 to-ports=8080
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=no src-address=222.124.139.xxx/29
add action=masquerade chain=srcnat comment="Added by webbox" disabled=no \
out-interface=Internet
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=\
222.124.139.aaa dst-port=8081 protocol=tcp to-addresses=192.168.0.252 \
to-ports=8081
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

diagram : Internet - Modem - Mikrotik - Switch - User, Web server

Thanks,
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: FOrwarding Public IP to local IP Problem

Tue Jun 14, 2011 2:59 pm

 
rachman
just joined
Topic Author
Posts: 4
Joined: Tue Jun 14, 2011 7:13 am

Re: FOrwarding Public IP to local IP Problem

Wed Jun 15, 2011 6:20 am

I already did as the wiki says, but it still does not work.

If I access my public IP like http://public ip, even if I give a different port like http://public ip:8081, it works,

but if I forward to the local IP, it does not.


Any suggestion ...

Thanks,
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: FOrwarding Public IP to local IP Problem

Wed Jun 15, 2011 4:00 pm

> I already did as the wiki says, but it still does not work.
>
> If I access my public IP like http://public ip, even if I give a different port like http://public ip:8081, it works,
>
> but if I forward to the local IP, it does not.
>
> Any suggestion ...
>
> Thanks,
You either did not read the link I posted, or didn't implement it right. The configuration you posted only reflects NAT, not hairpin NAT.
You also need to permit that traffic in the forward chain in your firewall filters.
 
rachman
just joined
Topic Author
Posts: 4
Joined: Tue Jun 14, 2011 7:13 am

Re: FOrwarding Public IP to local IP Problem

Fri Jun 17, 2011 10:19 am

> You either did not read the link I posted, or didn't implement it right. The configuration you posted only reflects NAT, not hairpin NAT.
> You also need to permit that traffic in the forward chain in your firewall filters.

Dear Fewi,

I really have no idea,

Would you give the code regarding this issue?

Thanks,
 
Mrxlazuardin
just joined
Posts: 4
Joined: Fri Jul 15, 2011 4:50 pm

Re: FOrwarding Public IP to local IP Problem

Fri Jul 15, 2011 5:00 pm

Hi,

I get the same problem on my RB750G with RouterOS 5.2. Here is my related configuration.

/ip firewall filter
add action=accept chain=input connection-state=established disabled=no \
in-interface=ether1
add action=accept chain=input connection-state=related disabled=no \
in-interface=ether1
add action=accept chain=input disabled=no in-interface=ether1 protocol=icmp
add action=accept chain=input disabled=no dst-port=220,443 in-interface=\
ether1 protocol=tcp

add action=drop chain=input disabled=no in-interface=ether1

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=ether1 \
src-address=10.32.1.0/24
add action=masquerade chain=srcnat disabled=no out-interface=ether1 \
src-address=10.32.0.0/24
add action=redirect chain=dstnat disabled=no dst-port=80 in-interface=ether5 \
protocol=tcp to-ports=8080
add action=redirect chain=dstnat disabled=no dst-port=80 in-interface=ether4 \
protocol=tcp to-ports=8080
add action=masquerade chain=srcnat disabled=no out-interface=ether1 \
src-address=10.32.2.0/24
add action=redirect chain=dstnat disabled=no dst-port=80 in-interface=ether3 \
protocol=tcp to-ports=8080
add action=dst-nat chain=dstnat disabled=no dst-address=<public IP> \
dst-port=443 in-interface=ether1 protocol=tcp to-addresses=10.32.2.1 \
to-ports=443


/ip service
set telnet disabled=yes port=23
set ftp disabled=yes port=21
set www disabled=yes port=80
set ssh disabled=no port=220
set www-ssl certificate=none disabled=yes port=443
set api disabled=yes port=8728
set winbox disabled=no port=8291

Ether1 is connected to Internet with public IP, Ether2 is connected to private WAN, Ether 3 is connected to some servers, Ether4 and Ether5 are connected to LAN (2 segments). Everything is OK except the port forwarding of port 443 to my SSL server. The counter on this NAT rule is never moving. As configured, there is no enabled service using port 443 and this port is allowed by firewall. Please help on this.

Best regards,
 
Goran
just joined
Posts: 10
Joined: Tue Nov 15, 2011 2:41 am

Re: FOrwarding Public IP to local IP Problem

Fri Jan 13, 2012 4:38 am

Hi,
I am also trying to access website hosted by IIS using this manual:

http://wiki.mikrotik.com/wiki/Hairpin_NAT

I can access it from local network using

192.168.88.xxx/mywebsite

I added those 3 rules that are given on the link provided, and I am still unable to access it. I am trying with

90.x.x.x/mywebsite - this one gives Error 404: Not Found
90.x.x.x - no response!

If I disable the first rule I have added, I am able to access web page for mikrotik router configuration.
If I set in-interface to my pppoe interface, I am again able to access mikrotik router web configuration.

So, why can't I access it using

PublicIP/mywebsite

and also how can I disable login to my router from public IP address? In NAT I have additional default srcnat masquerade rule.

Thanks,
Goran
 
zizobaddy
Member Candidate
Posts: 115
Joined: Mon Sep 13, 2010 10:13 am
Location: Osogbo

Re: FOrwarding Public IP to local IP Problem

Tue Feb 12, 2013 12:32 pm

Hi all

This is quite simple

Firewall>Nat> add chain=dstnat dst-address=the public ip protocol=tcp action=netmap to-addresses=the local ip to-ports=0-65535

Don't forget to add the public IP to your own address list

Hope this helps
 
ALX1S
newbie
Posts: 44
Joined: Mon Apr 27, 2015 5:28 pm
Location: Buenos Aires, Argentina

Re: FOrwarding Public IP to local IP Problem

Wed Apr 29, 2015 4:00 pm

> Hi all
>
> This is quite simple
>
> Firewall>Nat> add chain=dstnat dst-address=the public ip protocol=tcp action=netmap to-addresses=the local ip to-ports=0-65535
>
> Don't forget to add the public IP to your own address list
>
> Hope this helps
Hi Zizobaddy, I'm having this problem with forwarding some IP from the public IP to a local one (to RD and access to an internal web server)

I try with these two rules:

Firewall>Nat> add chain=dstnat dst-address="the public ip" protocol=tcp Dst. Port="the port" action netmap to-addresses= "the local ip" to-ports="the port"
and
Firewall>Nat> add chain=dstnat dst-address="the public ip" protocol=tcp Dst. Port="the port" action dst-nat to-addresses= "the local ip" to-ports="the port"

I'm testing with an RD that was working with another device (NFGW); both see the packages and traffic, but it's not working.

Thanks.
 
ALX1S
newbie
Posts: 44
Joined: Mon Apr 27, 2015 5:28 pm
Location: Buenos Aires, Argentina

Re: FOrwarding Public IP to local IP Problem

Fri May 29, 2015 5:46 pm

Please, could someone help me with this problem? I can't set that up, to redirect some ports (RDP, PPTP connections to another internal MikroTik and HTTP redirection to an internal web server).

Thanks
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: FOrwarding Public IP to local IP Problem

Fri May 29, 2015 6:37 pm

Does the mikrotik have the public IP assigned itself? Or is it behind the ISP router?
 
ALX1S
newbie
Posts: 44
Joined: Mon Apr 27, 2015 5:28 pm
Location: Buenos Aires, Argentina

Re: FOrwarding Public IP to local IP Problem

Fri May 29, 2015 11:40 pm

Hi Pukkita.

The MikroTik has the public IP on its own WAN interface (ether 1).

The strangest thing is that I see the traffic in the NAT rules, but can't establish the RDP connection or get into the web (on the web server)
 
kangndo
just joined
Posts: 16
Joined: Mon Dec 09, 2013 12:59 pm

Re: FOrwarding Public IP to local IP Problem

Sat May 30, 2015 12:13 am

Try adding one NAT rule:
chain=srcnat action=masquerade dst-address=the local ip
 
ALX1S
newbie
Posts: 44
Joined: Mon Apr 27, 2015 5:28 pm
Location: Buenos Aires, Argentina

Re: FOrwarding Public IP to local IP Problem

Mon Jun 01, 2015 3:54 pm

Hi kangndo, I added the Route that you mentioned, but it looks like nothing changed. I see the packages but can't see the web server (going to the public IP:8000).

Image

Thanks.
 
kangndo
just joined
Posts: 16
Joined: Mon Dec 09, 2013 12:59 pm

Re: FOrwarding Public IP to local IP Problem

Tue Jun 02, 2015 2:22 pm

> Hi kangndo, I added the Route that you mentioned, but it looks like nothing changed. I see the packages but can't see the web server (going to the public IP:8000).
>
> Image
>
> Thanks.
What is the wan connection method, pppoe client?
Try,
Firewall>Nat> add chain=dstnat in-interface="pppoe client interface" protocol=tcp Dst. Port="the port" action dst-nat to-addresses= "the local ip" to-ports="the port"

Hope this helps
 
ALX1S
newbie
Posts: 44
Joined: Mon Apr 27, 2015 5:28 pm
Location: Buenos Aires, Argentina

Re: FOrwarding Public IP to local IP Problem

Tue Jun 02, 2015 4:54 pm

I have a public static IP configured on the Ether1 interface (190.2.37.X), and it is wired to a modem. I have a gateway address (190.2.37.(X+1)) in the same subnet mask as my public IP. Is this PPPoE?

It doesn't work, but now when I write the public IP in the page and it does not show, I do not see the packages going through this policy (the one you mentioned)

I tested doing the same, but in the internal network. I set that if an internal IP tries to go to the Local IP:8000, it is redirected (dst-nat) to the local IP (10.0.0.201:80), but it doesn't work either....

/ip firewall nat> add chain=dstnat src-address=10.0.0.37 dst-address=190.2.37.X protocol=tcp dst-port=8000 action=dst-nat to-addresses=10.0.0.201 to-ports=80

And the same happens: it doesn't redirect the web interface and I see the packages going through....

Any advice?

Thanks.
 
ALX1S
newbie
Posts: 44
Joined: Mon Apr 27, 2015 5:28 pm
Location: Buenos Aires, Argentina

Re: FOrwarding Public IP to local IP Problem

Wed Jun 10, 2015 4:48 pm

Hi to everyone.

I'm looking at the logs when I try to connect to the local web server from the Local IP:port, and I see this.

10:43:17 firewall,info forward: in:ether6 out:ether6, src-mac 28:d2:44:a8:58:96, proto TCP (SYN), 10.0.0.228:53914->10.0.0.201:80, len 52
10:43:17 firewall,info forward: in:ether6 out:ether6, src-mac 28:d2:44:a8:58:96, proto TCP (SYN), 10.0.0.228:53915->10.0.0.201:80, len 52
10:43:17 firewall,info forward: in:ether6 out:ether6, src-mac 28:d2:44:a8:58:96, proto TCP (SYN), 10.0.0.228:53916->10.0.0.201:80, len 52

I'm 10.0.0.228 and the web server is on 10.0.0.201.

I don't know why the :53914 port appears if I am trying to access the web interface from port 8000.

Thanks
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: FOrwarding Public IP to local IP Problem

Wed Jun 10, 2015 6:15 pm

53194 is your source port, your machine will randomly use those available. Port 8000 is the destination port.

That log means your firewall filter is blocking the connection.

Almost there! :D
 
ALX1S
newbie
Posts: 44
Joined: Mon Apr 27, 2015 5:28 pm
Location: Buenos Aires, Argentina

Re: FOrwarding Public IP to local IP Problem

Tue Jun 16, 2015 11:36 pm

> 53194 is your source port, your machine will randomly use those available. Port 8000 is the destination port.
>
> That log means your firewall filter is blocking the connection.
>
> Almost there! :D
Hey Pukkita,
I created the policy from the log

IP > Firewall > Filter > add new chain:forward Dst. Address: 10.0.0.201 Prot: 6(tcp) Desport: 80 Out Interface: ether6 action:accept. (do not declare the In interface because I want to be reachable from the outside)

It starts catching the packages (when I try to get this web from the public IP), but it is still unreachable... :(

Any idea?
 
tania
newbie
Posts: 39
Joined: Fri Feb 07, 2014 10:15 am

Re: FOrwarding Public IP to local IP Problem

Thu Jun 18, 2015 9:41 am

 
ALX1S
newbie
Posts: 44
Joined: Mon Apr 27, 2015 5:28 pm
Location: Buenos Aires, Argentina

Re: FOrwarding Public IP to local IP Problem

Fri Jun 19, 2015 7:08 pm

Did just change the Browsend and works?

Looks like the same that is happening to me... (with the difference that I'm with http, and he is with https)
 
zizobaddy
Member Candidate
Posts: 115
Joined: Mon Sep 13, 2010 10:13 am
Location: Osogbo

Re: FOrwarding Public IP to local IP Problem

Tue Aug 11, 2015 2:43 am

> Did just change the Browsend and works?
>
> Looks like the same that is happening to me... (with the difference that I'm with http, and he is with https)
Sorry Alxis

I just saw your post

Have you been able to resolve your problem?

If not let me know pls
 
bhlowe
just joined
Posts: 2
Joined: Tue Aug 25, 2015 9:20 pm

Re: FOrwarding Public IP to local IP Problem

Thu Aug 27, 2015 10:10 pm

I'm having the same problem. My $40 routers from Walmart do a better job setting up port forwarding with hairpin.
Why on earth would hairpin not work by default? We're setting up port forwarding to access a machine from outside the LAN. Would it ever make sense to deny the same request because someone happens to be inside the LAN?
 
ALX1S
newbie
Posts: 44
Joined: Mon Apr 27, 2015 5:28 pm
Location: Buenos Aires, Argentina

Re: FOrwarding Public IP to local IP Problem

Sat Sep 12, 2015 9:29 pm

> Sorry Alxis
>
> I just saw your post
>
> Have you been able to resolve your problem?
>
> If not let me know pls
Hi, I wasn't able to do it at my work (I received some UTM unit).

I have to try if it works on my home MikroTik (for using XBONE streaming).
 
bajodel
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: FOrwarding Public IP to local IP Problem

Sun Sep 13, 2015 1:52 am

> I'm having the same problem. My $40 routers from Walmart do a better job setting up port forwarding with hairpin.
> Why on earth would hairpin not work by default? We're setting up port forwarding to access a machine from outside the LAN. Would it ever make sense to deny the same request because someone happens to be inside the LAN?
Because the Walmart device is a (sort of) "firewall" and has predefined LAN/WAN sides, and its job is to facilitate non-professional users.
MikroTik/ROS is a (multi-purpose) router which can handle many network scenarios; skilled enough people can fine-tune the configuration to achieve what they want/need without precooked hidden rules.
 
ALX1S
newbie
Posts: 44
Joined: Mon Apr 27, 2015 5:28 pm
Location: Buenos Aires, Argentina

Re: FOrwarding Public IP to local IP Problem

Sun Sep 13, 2015 3:22 pm

> Sorry Alxis
>
> I just saw your post
>
> Have you been able to resolve your problem?
>
> If not let me know pls
Hi Zizobaddy,

Now I am having the same issue in another RB (in my home).
I really don't know what I am doing wrong. Tried changing the "in. interface" and "dest address" but nothing works....

The weirdest thing is that the RB sees the packages (in the Firewall NAT) but doesn't link the connection

I will copy here the print asked in some previous post.

/ip address print detail
0 ;;; default configuration
address=192.168.88.1/24 network=192.168.88.0 interface=WAN
actual-interface=WAN

1 address=192.168.0.1/24 network=192.168.0.0 interface=CAIB LAN
actual-interface=CAIB LAN

2 address=192.168.10.1/24 network=192.168.10.0 interface=2nd Floor
actual-interface=2nd Floor

3 D address=A.B.C.D/24 network=A.B.C.0 interface=WAN
actual-interface=WAN



/ip route print detail
0 ADS dst-address=0.0.0.0/0 gateway=A.B.C.D
gateway-status=A.B.C.D reachable via WAN distance=0
scope=30 target-scope=10 vrf-interface=WAN

1 ADC dst-address=A.B.C.0/24 pref-src=A.B.C.D55 gateway=WAN
gateway-status=WAN reachable distance=0 scope=10

2 ADC dst-address=192.168.0.0/24 pref-src=192.168.0.1 gateway=CAIB LAN
gateway-status=CAIB LAN reachable distance=0 scope=10

3 ADC dst-address=192.168.10.0/24 pref-src=192.168.10.1
gateway=2nd Floor gateway-status=2nd Floor reachable distance=0
scope=10

4 ADC dst-address=192.168.88.0/24 pref-src=192.168.88.1 gateway=WAN
gateway-status=WAN reachable distance=0 scope=10


/ip firewall export
add address=192.168.0.0/24 list="CAIB LAN"
add address=192.168.0.1 list="CAIB RB"
add address=192.168.0.5 list=XBONE
add address=192.168.0.15 list=ALIEN
add address=192.168.0.10 list=BMU
/ip firewall nat
add action=masquerade chain=srcnat comment="Gateway CAIB" \
out-interface=WAN src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Gateway Analia" \
out-interface=WAN src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=WAN
add action=dst-nat chain=dstnat comment="XBONE STREAMMING" protocol=tcp \
src-port=5050 to-addresses=192.168.0.5 to-ports=5050
add action=dst-nat chain=dstnat protocol=tcp src-port=4838 \
to-addresses=192.168.0.5 to-ports=4838
add action=dst-nat chain=dstnat protocol=udp src-port=5050 \
to-addresses=192.168.0.5 to-ports=5050
add action=dst-nat chain=dstnat protocol=udp src-port=4838 \
to-addresses=192.168.0.5 to-ports=4838
add action=dst-nat chain=dstnat comment="ALIEN STEAM" protocol=udp \
src-port=4380 to-addresses=192.168.0.15 to-ports=4380
add action=dst-nat chain=dstnat protocol=tcp src-port=4380 \
to-addresses=192.168.0.15 to-ports=4380
add action=dst-nat chain=dstnat comment=TEST dst-port=3389 log=yes \
protocol=tcp to-addresses=192.168.0.228 to-ports=3389

I'm just testing with the last rule, named "TEST", to remote desktop to a local computer in the network

Thanks.
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: FOrwarding Public IP to local IP Problem

Tue Sep 15, 2015 1:35 am

It appears you are specifying src-port instead of dst-port in the nat matching rules. The source port of the host coming in from the internet is difficult to match on because it is normally different every time a new connection is made.

Here is a good illustration of src-port vs dst-port and how they differ based on which side of the TCP conversation you are on.

Image
 
ALX1S
newbie
Posts: 44
Joined: Mon Apr 27, 2015 5:28 pm
Location: Buenos Aires, Argentina

Re: FOrwarding Public IP to local IP Problem

Fri Sep 18, 2015 9:50 pm

> It appears you are specifying src-port instead of dst-port in the nat matching rules. The source port of the host coming in from the internet is difficult to match on because it is normally different every time a new connection is made.
>
> Here is a good illustration of src-port vs dst-port and how they differ based on which side of the TCP conversation you are on.
>
> Image

Hi IPANetEngineer,

Thanks for your explanation, but could you tell why this setting is not working.

Here is a screenshot of my NAT settings:

Image

in the 8th rule: to-address=192.168.0.5 to-port=22
 
deanMKD1
Member
Posts: 366
Joined: Fri Dec 12, 2014 12:06 am
Location: Macedonia

Re: FOrwarding Public IP to local IP Problem

Sat Sep 19, 2015 3:47 am

Try to set Out-Interface to be WAN, instead of In-Interface that was now.
 
rkau045
newbie
Posts: 45
Joined: Mon Jun 25, 2012 9:14 pm

Sat Sep 19, 2015 6:55 am

You need a dst-address in that rule. It should be the ip for WAN.
 
wanda3ra
just joined
Posts: 1
Joined: Thu Aug 20, 2015 1:19 am

Sat Sep 19, 2015 8:22 am

Hi all,

Try adding a static DNS entry that maps to your local server, webserver --> 192.168.0.252
But you must activate the router as DNS server

Then web access from a local client will be destined to the local server IP instead of the public one


 
zizobaddy
Member Candidate
Posts: 115
Joined: Mon Sep 13, 2010 10:13 am
Location: Osogbo

Re: FOrwarding Public IP to local IP Problem

Mon Sep 21, 2015 12:54 am

> Hi IPANetEngineer,
>
> Thanks for your explanation, but could you tell why this setting is not working.
>
> Here is a screenshot of my NAT settings:
>
> Image
>
> in the 8th rule: to-address=192.168.0.5 to-port=22

Hi

this is the rule

/ip firewall nat add chain=dstnat dst-address=A.B.C.D protocol=tcp dst-port=8000 action=dst-nat to-addresses=192.168.0.5 to-ports=22

Remember A.B.C.D is the public IP given to you by your ISP

However I prefer to use netmap instead of dst-nat
 
ALX1S
newbie
Posts: 44
Joined: Mon Apr 27, 2015 5:28 pm
Location: Buenos Aires, Argentina

Re: FOrwarding Public IP to local IP Problem

Mon Sep 21, 2015 6:53 pm

> Hi
>
> this is the rule
>
> /ip firewall nat add chain=dstnat dst-address=A.B.C.D protocol=tcp dst-port=8000 action=dst-nat to-addresses=192.168.0.5 to-ports=22
>
> Remember A.B.C.D is the public IP given to you by your ISP
>
> However I prefer to use netmap instead of dst-nat

Hi Zizodabby,

I had already tested that, but it doesn't work either. But I will test again when I go home (erasing all the rules and creating a new one)

Is there something more that has to be configured to enable that? I don't know, maybe the connection is not being allowed in another menu.

Just to know: I have a public DHCP provided by my ISP. Is there any way to have this rule set to a port or some alias for the WAN address? Because if the public IP changes, I will have to change the rule.

Thanks.
 
zizobaddy
Member Candidate
Posts: 115
Joined: Mon Sep 13, 2010 10:13 am
Location: Osogbo

Re: FOrwarding Public IP to local IP Problem

Tue Sep 22, 2015 1:48 am

> Hi Zizodabby,
>
> I had already tested that, but it doesn't work either. But I will test again when I go home (erasing all the rules and creating a new one)
>
> Is there something more that has to be configured to enable that? I don't know, maybe the connection is not being allowed in another menu.
>
> Just to know: I have a public DHCP provided by my ISP. Is there any way to have this rule set to a port or some alias for the WAN address? Because if the public IP changes, I will have to change the rule.
>
> Thanks.

Hi

I use Net-map personally

Below is the rule

NB:
Ensure your WAN IP is a live/public IP (contact your ISP); also use whatismyip.com to check if it is the same as what you have as NAT

add action=netmap chain=dstnat dst-address=PUBLIC-IP-FROM-ISP dst-port=8081 protocol=tcp to-addresses=192.168.0.5 to-ports=8081

If this doesn't work then I'm sure it's your public IP
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Tue Sep 22, 2015 8:25 am

You need to enable the to-port in the filter forward chain. The dst-nat rule changes the packet header but does not allow the packet to pass the firewall.
 
ALX1S
newbie
Posts: 44
Joined: Mon Apr 27, 2015 5:28 pm
Location: Buenos Aires, Argentina

Re: FOrwarding Public IP to local IP Problem

Tue Sep 22, 2015 5:17 pm

> Hi
>
> I use Net-map personally
>
> Below is the rule
>
> NB:
> Ensure your WAN IP is a live/public IP (contact your ISP); also use whatismyip.com to check if it is the same as what you have as NAT
>
> add action=netmap chain=dstnat dst-address=PUBLIC-IP-FROM-ISP dst-port=8081 protocol=tcp to-addresses=192.168.0.5 to-ports=8081
>
> If this doesn't work then I'm sure it's your public IP


Hi,

I apologize about the post. The connection was working, but all the tests I made were from my internal network. A friend could access my internal SSH server from outside, and I made the same test (using my work's VPN), and it is working right now.

I only have to test the streaming of my XBONE to my work, and it's all done.

Thanks to everyone.
 
zizobaddy
Member Candidate
Posts: 115
Joined: Mon Sep 13, 2010 10:13 am
Location: Osogbo

Re: FOrwarding Public IP to local IP Problem

Tue Sep 22, 2015 8:15 pm

Good to hear

Don't forget to give karma
 
StubArea51
Trainer
Posts: 1739
Joined: Fri Aug 10, 2012 6:46 am
Location: stubarea51.net

Re: FOrwarding Public IP to local IP Problem

Wed Sep 23, 2015 5:17 am

Glad you figured it out :-)

dst-nat can get tricky sometimes
 
rbarnhart
just joined
Posts: 12
Joined: Tue Jun 28, 2011 11:49 pm

Re: FOrwarding Public IP to local IP Problem

Wed Nov 30, 2016 2:45 pm

> Try adding one NAT rule:
> chain=srcnat action=masquerade dst-address=the local ip
THIS FIXED MY ISSUE, THANKS
 
mkonsultor
just joined
Posts: 12
Joined: Sun Oct 20, 2019 6:37 pm

Re:

Mon Oct 21, 2019 5:49 pm

> You need to enable the to-port in the filter forward chain. The dst-nat rule changes the packet header but does not allow the packet to pass the firewall.
To clarify, does this mean that dstnat happens before the firewall rules apply? Do all the NATs apply before the f/w?
 
mkx
Forum Guru
Posts: 11629
Joined: Thu Mar 03, 2016 10:23 pm

Re: FOrwarding Public IP to local IP Problem

Mon Oct 21, 2019 6:29 pm

You can check packet flow in ROS. For those even less literate than myself: SRC-NAT gets done in post-routing phase (hence out-interface is already known) and DST-NAT gets done in pre-routing. Firewall is between pre-routing and post-routing.
 
mkonsultor
just joined
Posts: 12
Joined: Sun Oct 20, 2019 6:37 pm

Re: FOrwarding Public IP to local IP Problem

Mon Oct 21, 2019 8:44 pm

Thank you, mkx,
That is exactly the clarification I sought.
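
Added example, not part of any post in this thread and not MikroTik code: a small Python model of the packet order mkx describes (dst-nat in prerouting, filter in between, src-nat in postrouting), run against simplified versions of the rules posted above to show the three failures the thread runs into. Assumptions: the public IP 203.0.113.10 and the outside client are constructed placeholders, and the `Rule`, `Packet` and `new_connection` names are hypothetical; the LAN, router and server addresses follow the first poster's configuration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addresses: the thread masks the real public IP, so a documentation
# range stands in for it. LAN, router and server follow the first poster's setup.
PUBLIC_IP, ROUTER_LAN_IP = "203.0.113.10", "192.168.0.1"
LAN, SERVER = "192.168.0.0/24", "192.168.0.252"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str


@dataclass(frozen=True)
class Rule:  # hypothetical, simplified stand-in for one firewall rule
    action: str  # dst-nat | masquerade | accept | drop
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    to_addr: Optional[str] = None
    to_port: Optional[int] = None

    def matches(self, p: Packet, out_if: Optional[str] = None) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.src_port in (None, p.sport)
                and self.dst_port in (None, p.dport)
                and self.in_if in (None, p.in_if)
                and self.out_if in (None, out_if))


def on_lan(addr: str) -> bool:
    return ip_address(addr) in ip_network(LAN)


def new_connection(p, dstnat, forward, srcnat) -> str:
    """Follow the first SYN of a connection through the router and report the outcome."""
    # 1. Prerouting: dst-nat rewrites the destination before routing and filtering.
    for r in dstnat:
        if r.matches(p):
            p = replace(p, dst=r.to_addr, dport=r.to_port)
            break
    if p.dst in (PUBLIC_IP, ROUTER_LAN_IP):
        return "input"  # never translated: the router itself receives it
    out_if = "Local" if on_lan(p.dst) else "Internet"
    # 2. Forward filter: sees the already translated destination; first match wins.
    for r in forward:
        if r.matches(p, out_if):
            if r.action == "drop":
                return "dropped-in-forward"
            break
    # 3. Postrouting: masquerade takes the address of the outgoing interface.
    for r in srcnat:
        if r.matches(p, out_if):
            p = replace(p, src=ROUTER_LAN_IP if out_if == "Local" else PUBLIC_IP)
            break
    # 4. The server answers p.src. A LAN source other than the router is reached
    #    directly through the switch, so the reply is never un-NATed and the client,
    #    which expects an answer from the public IP, discards it.
    if on_lan(p.dst) and on_lan(p.src) and p.src != ROUTER_LAN_IP:
        return "reply-bypasses-router"
    return "ok"


PORT_FWD = Rule("dst-nat", dst=PUBLIC_IP, dst_port=8081, to_addr=SERVER, to_port=8081)
SRC_PORT_FWD = Rule("dst-nat", src_port=8081, to_addr=SERVER, to_port=8081)  # src-port mistake
WAN_MASQ = Rule("masquerade", out_if="Internet")
# A first SYN is neither established nor related, so for it the posted
# forward -> customer jump amounts to this single drop.
WAN_DROP = Rule("drop", in_if="Internet")
ALLOW_FWD = Rule("accept", dst=SERVER, dst_port=8081, in_if="Internet")
HAIRPIN = Rule("masquerade", src=LAN, dst=SERVER, dst_port=8081, out_if="Local")

OUTSIDE = Packet("198.51.100.7", 53914, PUBLIC_IP, 8081, "Internet")  # constructed client
INSIDE = Packet("192.168.0.21", 53914, PUBLIC_IP, 8081, "Local")


def scenarios() -> dict:
    fixed = [ALLOW_FWD, WAN_DROP]
    return {
        "outside, rules as posted": new_connection(OUTSIDE, [PORT_FWD], [WAN_DROP], [WAN_MASQ]),
        "outside, forward accept added": new_connection(OUTSIDE, [PORT_FWD], fixed, [WAN_MASQ]),
        "outside, rule matches src-port": new_connection(OUTSIDE, [SRC_PORT_FWD], fixed, [WAN_MASQ]),
        "inside, no hairpin rule": new_connection(INSIDE, [PORT_FWD], fixed, [WAN_MASQ]),
        "inside, hairpin masquerade": new_connection(INSIDE, [PORT_FWD], fixed, [HAIRPIN, WAN_MASQ]),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:32} -> {outcome}")
```

The forward accept in the model is scoped to the one translated address and port, which is the narrowest filter rule that lets the forwarded service through.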
