We're seeking help please with finding examples or tutorials on the
following, which must be quite common: we wish to accept connections from
external specific IP address ranges to a certain port on an internal
machine.

What syntax is required to allow a machine w.x.0.0/16 to connect to our
external iptables eth1 = a.b.c.126:8317 (e.g. "security by obscurity") and
be forwarded to 10.0.0.9:443 where other AUTH security checks exist, please?

The iptables firewall currently drops all but RELATED, ESTABLISHED on
external eth1 and logs all unsolicited packets (we have that under control,
thanks):

# Generated by iptables-save v1.3.5 on Sun Mar 2 18:01:01 2008
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [eth1:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state -i eth1 --state NEW -j LOG --log-level 7 --log-prefix
UNSOLICITED:
COMMIT
*mangle
:PREROUTING ACCEPT [1471:303908]
:INPUT ACCEPT [636:240607]
:FORWARD ACCEPT [832:63181]
:OUTPUT ACCEPT [437:39285]
:POSTROUTING ACCEPT [1269:102466]
COMMIT
*nat
:PREROUTING ACCEPT [203:14045]
:POSTROUTING ACCEPT [192:12653]
:OUTPUT ACCEPT [20:1217]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT