Port forwarding a.k.a. port mapping or, in Docker's parlance, port publishing is a form of Network Address Translation (NAT) that redirects packets from one address to another. As is often the case, there are multiple ways to accomplish it, so the fact that you're not allowed to launch any additional listening processes doesn't mean you're out of options.

The clue is hidden in the challenge's tags. 😉

One of the iptables tables is called nat (Network Address Translation). Port forwarding is a form of NAT, so now you know which table to use.

Unfortunately, the most obvious iptables -t nat -A PREROUTING -p tcp --dport 6000 -j REDIRECT --to-port 5000 rule won't work. With the REDIRECT target, you're only allowed to change the destination port. It would be sufficient if the service was listening on 0.0.0.0:5000, but in this challenge, it's bound to a specific IP address.

Since it's the destination address that needs to be changed, the target you're looking for is DNAT (Destination NAT).

Are you trying to list all host's interfaces using several iptables rules with different -d flags? It's not what the challenge asks for 😉

To solve the challenge, you need to add a generic redirect rule for 0.0.0.0:6000. The solution checker periodically adds a temporary interface with a random IP address and then tries to reach the service on the port 6000 of this new address. Luckily, the solution might be simpler than you think - try removing the -d flag from your rules, did it help?

First checks pass, but the last one fails (or vice versa)? There is a subtle difference between the traffic that originates from the host itself and the one that comes from the outside. Local and external traffic follow different paths in the network stack. You'll need to use the OUTPUT chain for the former and PREROUTING for the latter.