Good afternoon.

Please help.

The network has the following layout:
WAN ---> Asus RT-N16 (94.199.108.106) external static; (192.168.1.10) internal ---> HUB ASUS GX 1008B ---> Ubuntu 12.04 LTS Server (192.168.1.222)

The task is to reach the Ubuntu machine directly from the WAN, for example for ssh.

The NAT settings look like this:
[Image: nat.jpg]

Like this, it refuses to connect from the WAN at the address (94.199.108.106), but it does connect from the LAN.

I opened ssh access to the router itself.
It connects without any trouble.

Firewall settings:
[Image: firewall.jpg]

Output of ipsettings-save:
Code:
# Generated by iptables-save v1.4.3.2 on Thu Jun 21 09:20:02 2012
*nat
:PREROUTING ACCEPT [920:55581]
:POSTROUTING ACCEPT [91:12347]
:OUTPUT ACCEPT [91:13685]
:UPNP - [0:0]
:VSERVER - [0:0]
-A PREROUTING -d 94.199.108.106/32 -j VSERVER 
-A PREROUTING -d 94.199.108.106/32 -p udp -m udp --sport 6112 -j NETMAP --to 192.168.1.0/24
-A POSTROUTING -s 192.168.1.0/24 -p udp -m udp --dport 6112 -j NETMAP --to 94.199.108.106/32
-A POSTROUTING ! -s 94.199.108.106/32 -o vlan2 -j MASQUERADE 
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE 
-A UPNP -p udp -m udp --dport 21867 -j DNAT --to-destination 192.168.1.194:21867 
-A UPNP -p tcp -m tcp --dport 21867 -j DNAT --to-destination 192.168.1.194:21867 
-A VSERVER -p tcp -m tcp --dport 8182 -j DNAT --to-destination 192.168.1.10:80 
-A VSERVER -j UPNP 
-A VSERVER -p tcp -m tcp --dport 22222 -j DNAT --to-destination 192.168.1.222:22 
COMMIT
# Completed on Thu Jun 21 09:20:02 2012
# Generated by iptables-save v1.4.3.2 on Thu Jun 21 09:20:02 2012
*mangle
:PREROUTING ACCEPT [2843:348715]
:INPUT ACCEPT [1986:300151]
:FORWARD ACCEPT [700:36482]
:OUTPUT ACCEPT [1994:1265747]
:POSTROUTING ACCEPT [2664:1301320]
COMMIT
# Completed on Thu Jun 21 09:20:02 2012
# Generated by iptables-save v1.4.3.2 on Thu Jun 21 09:20:02 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [658:34530]
:OUTPUT ACCEPT [1900:1249353]
:BRUTE - [0:0]
:MACS - [0:0]
:SECURITY - [0:0]
:UPNP - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP 
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -m conntrack --ctstate NEW -j ACCEPT 
-A INPUT -i br0 -m conntrack --ctstate NEW -j ACCEPT 
-A INPUT -i vlan2 -m conntrack --ctstate NEW -j SECURITY 
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT 
-A INPUT -d 192.168.1.10/32 -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -p udp -m udp --dport 33434:33534 -j ACCEPT 
-A INPUT -j DROP 
-A FORWARD -i br0 -o br0 -j ACCEPT 
-A FORWARD -m conntrack --ctstate INVALID -j DROP 
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD ! -i br0 -o vlan2 -j DROP 
-A FORWARD ! -i br0 -m conntrack --ctstate NEW -j SECURITY 
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT 
-A FORWARD -o br0 -j DROP 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN 
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN 
-A SECURITY -p udp -m limit --limit 5/sec -j RETURN 
-A SECURITY -p icmp -m limit --limit 5/sec -j RETURN 
-A SECURITY -j DROP 
-A UPNP -d 192.168.1.194/32 -p udp -m udp --dport 21867 -j ACCEPT 
-A UPNP -d 192.168.1.194/32 -p tcp -m tcp --dport 21867 -j ACCEPT 
-A logaccept -m conntrack --ctstate NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options --log-macdecode 
-A logaccept -j ACCEPT 
-A logdrop -m conntrack --ctstate NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options --log-macdecode 
-A logdrop -j DROP 
COMMIT
# Completed on Thu Jun 21 09:20:02 2012
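
An added example, not part of the original post: a small Python walk of the nat-table rules from the dump above, showing which internal address a packet arriving at the WAN address is rewritten to. The function names and the rule subset embedded as `NAT_RULES` are this example's own assumptions; it models only exact `-d`, `-p` and `--dport` matches, not negation, port ranges or `--sport`.

```python
import shlex

# Subset of the *nat rules from the dump above (DNAT-related lines only).
NAT_RULES = """\
-A PREROUTING -d 94.199.108.106/32 -j VSERVER
-A UPNP -p udp -m udp --dport 21867 -j DNAT --to-destination 192.168.1.194:21867
-A UPNP -p tcp -m tcp --dport 21867 -j DNAT --to-destination 192.168.1.194:21867
-A VSERVER -p tcp -m tcp --dport 8182 -j DNAT --to-destination 192.168.1.10:80
-A VSERVER -j UPNP
-A VSERVER -p tcp -m tcp --dport 22222 -j DNAT --to-destination 192.168.1.222:22
"""

def parse_rules(text):
    """Group '-A CHAIN ...' lines into {chain: [option dict, ...]}, keeping rule order."""
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if len(tok) < 2 or tok[0] != "-A":
            continue
        opts, i = {}, 2
        while i < len(tok):
            if tok[i].startswith("-") and i + 1 < len(tok):
                opts[tok[i]] = tok[i + 1]   # option followed by its value
                i += 2
            else:
                i += 1
        chains.setdefault(tok[1], []).append(opts)
    return chains

def resolve(chains, proto, dst_ip, dport, chain="PREROUTING"):
    """Return the DNAT destination for a packet, or None if no rule rewrites it."""
    for r in chains.get(chain, []):
        if "-d" in r and r["-d"].split("/")[0] != dst_ip:   # host (/32) match only
            continue
        if "-p" in r and r["-p"] != proto:
            continue
        if "--dport" in r and r["--dport"] != str(dport):
            continue
        target = r.get("-j")
        if target == "DNAT":
            return r["--to-destination"]
        if target in chains:   # jump to a user-defined chain; continue here if it returns
            hit = resolve(chains, proto, dst_ip, dport, target)
            if hit:
                return hit
    return None

if __name__ == "__main__":
    print(resolve(parse_rules(NAT_RULES), "tcp", "94.199.108.106", 22222))
```

For the dump above, TCP 22222 on the WAN address resolves to 192.168.1.222:22, while TCP 22 matches no DNAT rule and is therefore handled by the router's own INPUT chain.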