    I am trying to get my router to do IP forwarding

    Here's my firewall startup script:

    # # by default, nothing is forwarded.
    iptables -P FORWARD DROP

    # # Allow all connections OUT and only related ones IN
    iptables -A FORWARD -i $EXTERNAL -o $INTERNAL -m state --state ESTABLISHED,RELATED -j ACCEPT
    # # Make sure SSH doesn't get dropped
    iptables -A FORWARD -i $EXTERNAL -o $INTERNAL -p tcp --dport $SSH_PORT -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -i $EXTERNAL --dport $SSH_PORT -j DNAT --to $PORTFWDIP:$SSH_PORT

    # # enable MASQUERADING
    iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE

    where EXTERNAL is the NIC that's on the internet, INTERNAL is the NIC that's on the LAN, SSH_PORT is 22, and PORTFWDIP is the computer I want it to forward all stuff on port 22 to. It doesn't give me any errors when I run the script, but when I try to ssh in (using the IP address of the internet-visible NIC rather than the private NIC, which works) then it tries to ssh into the router itself. If I kill ssh on the router then here's the error message I get:
    ssh: connect to host (my IP address here) port 22: Connection refused

    which doesn't make sense, since my rules should allow in all stuff on port 22 and send it to the computer at PORTFWDIP, right?

    Why did I say IP forwarding?

    I meant port forwarding.
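A small model of the rules as posted above, added here as an example (it is not the poster's code), traces where a packet ends up after nat PREROUTING, the routing decision and filter FORWARD. The interface names, addresses and the `trace` function are constructed assumptions, and IP forwarding is assumed to be enabled in the kernel.

```shell
#!/bin/sh
# Constructed stand-ins for the post's variables (not the poster's real values).
EXTERNAL=eth0; INTERNAL=eth1; SSH_PORT=22
PORTFWDIP=192.168.1.10      # assumed LAN host; the LAN is assumed to be 192.168.1.0/24
ROUTER_EXT_IP=203.0.113.1   # assumed address of the router's $EXTERNAL NIC

# trace IN_IF DST_IP DPORT STATE
# Follows one TCP packet through nat/PREROUTING, the routing decision and
# filter/FORWARD as written in the post, and prints where it ends up.
# STATE is NEW (first packet of a connection) or ESTABLISHED (here: a reply
# leaving the LAN). Inbound packets of an already-translated flow, which
# conntrack rewrites without consulting the nat table, are not modelled.
trace() {
    t_in=$1 t_dst=$2 t_dport=$3 t_state=$4

    # nat PREROUTING: -p tcp -i $EXTERNAL --dport $SSH_PORT -j DNAT
    # The nat table is consulted only for the first packet of a connection.
    if [ "$t_state" = NEW ] && [ "$t_in" = "$EXTERNAL" ] && [ "$t_dport" = "$SSH_PORT" ]; then
        t_dst=$PORTFWDIP
    fi

    # Routing decision: packets still addressed to the router go to INPUT,
    # never to FORWARD.
    if [ "$t_dst" = "$ROUTER_EXT_IP" ]; then
        echo "INPUT local"
        return 0
    fi
    case $t_dst in
        192.168.1.*) t_out=$INTERNAL ;;
        *)           t_out=$EXTERNAL ;;
    esac

    # filter FORWARD: both ACCEPT rules require -i $EXTERNAL -o $INTERNAL.
    if [ "$t_in" = "$EXTERNAL" ] && [ "$t_out" = "$INTERNAL" ]; then
        if [ "$t_state" = ESTABLISHED ] || [ "$t_dport" = "$SSH_PORT" ]; then
            echo "FORWARD ACCEPT to $t_dst"
            return 0
        fi
    fi
    echo "FORWARD DROP"     # iptables -P FORWARD DROP
}

trace "$EXTERNAL" "$ROUTER_EXT_IP" 22 NEW         # SSH arriving from the internet
trace "$INTERNAL" "$ROUTER_EXT_IP" 22 NEW         # SSH to the public IP from the LAN
trace "$INTERNAL" 198.51.100.7 50000 ESTABLISHED  # reply from $PORTFWDIP to a remote client
```

On the router itself, the packet counters printed by `iptables -t nat -L PREROUTING -v -n` show whether the DNAT rule is being hit at all.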

