I did it a bit differently as I wanted to 'secure' the ssh server a bit from hosts in China.
Anyway... I went to Virtual Server:
Public Port: 2222
IP Address: LAN IP of Server
Private Port: 22
Inbound Filter: HOSTS
So what this did is only the hosts in HOSTS will be allowed to SSH to the server. And they have to SSH to port 2222 from the outside. The router will accept on 2222, and forward to 22 on the LAN.
If you don't need the HOSTS inbound filter, you can leave it as Allow All. But then you will see LOTS of attempts from China and other places.
You can also set up TCP wrappers on Ubuntu, but that is for another thread.
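An added example, not part of the original post: a small audit that reads sshd log lines on the server and reports any SSH activity from sources outside the HOSTS list, which shows what an Allow All rule lets through and confirms the filter is in effect once enabled. The HOSTS ranges and the log lines are constructed (documentation address ranges); on a real Ubuntu server the input would come from the sshd entries in the auth log.

```python
import ipaddress
import re
from collections import Counter

# Assumed stand-in for the router's HOSTS inbound filter (constructed values).
HOSTS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "198.51.100.25/32")]

# Constructed sample lines in the usual OpenSSH sshd log format.
SAMPLE_LOG = """\
Mar  3 10:01:12 srv sshd[811]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:15 srv sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:02:40 srv sshd[830]: Failed password for invalid user test from 203.0.113.77 port 40110 ssh2
Mar  3 10:05:02 srv sshd[845]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Mar  3 10:06:19 srv sshd[850]: Failed password for alice from 198.51.100.25 port 50444 ssh2
Mar  3 10:09:53 srv sshd[862]: Accepted password for bob from 198.51.100.99 port 41822 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def in_hosts(addr):
    """True if addr falls inside one of the allowed HOSTS networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # not an IP literal: treat as outside the list
        return False
    return any(ip in net for net in HOSTS)

def audit(log_text):
    """Return (failed-attempt counts, accepted logins) for sources outside HOSTS."""
    outside_failed = Counter()
    outside_accepted = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        result, user, src = m.groups()
        if in_hosts(src):
            continue  # the inbound filter would have let this source through
        if result == "Failed":
            outside_failed[src] += 1
        else:
            outside_accepted.append((user, src))  # should never happen with the filter on
    return outside_failed, outside_accepted

if __name__ == "__main__":
    failed, accepted = audit(SAMPLE_LOG)
    for src, count in failed.most_common():
        print(f"{src}: {count} failed attempts from outside HOSTS")
    for user, src in accepted:
        print(f"login by {user} from {src}, which is outside HOSTS")
```

With the inbound filter active, both result sets should stay empty; any entry means the rule is not applied to the port 2222 forward or the allowlist is wider than intended.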