On Wed, 2005-09-28 at 11:56 -0500, Aleksandar Milivojevic wrote:
> Quoting Rodrigo Barbosa <rodrigob at suespammers.org>:
>
> > Humm, that should be relatively simple:
> >
> > iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j ACCEPT
>
> You probably want to use INPUT chain of filter table for this:
>
> iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
>
> If INPUT chain of filter table has default policy set to DROP, putting an ACCEPT
> target into PREROUTING chain of nat table isn't going to let the packet go
> through the firewall.

Alright, I figured I would try a simple proof of concept with this. Without setting any policies to drop, meaning all the chains are wide open (all ACCEPT), I wanted to try and do VNC through the port forward.

So I started with this:

#iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Ran this:

iptables -A FORWARD -p tcp --dport 5900 -s 192.168.192.24 -d 10.10.60.4 -j ACCEPT

Ended up with this:

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.192.24       10.10.60.4          tcp dpt:5900

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now shouldn't I be able to run the VNC client from my machine 192.168.192.24, connecting to this server (10.10.60.3) and shouldn't it forward the VNC request to 10.10.60.4?

Yes, communication does work between 192.168.192 and 10.10.60 subnets.

Thanks,
James
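A FORWARD rule on its own only permits packets that the kernel is already routing through the gateway; a packet addressed to the gateway itself (10.10.60.3) is delivered locally and never reaches the FORWARD chain. Redirecting it to another host needs a DNAT rule in the nat table's PREROUTING chain, which rewrites the destination before the routing decision, plus FORWARD rules for the rewritten packet and its replies, plus IP forwarding enabled in the kernel. The script below is an added example, not code from anyone in this thread; it reuses the thread's addresses (client 192.168.192.24, gateway 10.10.60.3, VNC server 10.10.60.4, port 5900) and by default only prints the commands, applying them only when run as root with APPLY=1.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules that forward a VNC
# connection through a Linux gateway. Addresses are the thread's own:
#   client 192.168.192.24, gateway 10.10.60.3, VNC server 10.10.60.4.
# Without APPLY=1 the commands are printed, not executed.

CLIENT=192.168.192.24
GATEWAY=10.10.60.3
VNC_SERVER=10.10.60.4
VNC_PORT=5900

# Emit the three iptables commands for one TCP port forward, one per line.
port_forward_rules() {
    client=$1; gateway=$2; server=$3; port=$4
    # 1. nat/PREROUTING: rewrite the destination before the routing decision,
    #    so the packet is routed towards the server instead of being delivered
    #    to the gateway's own INPUT chain.
    echo "iptables -t nat -A PREROUTING -p tcp -s $client -d $gateway --dport $port -j DNAT --to-destination $server:$port"
    # 2. filter/FORWARD: admit the rewritten packet. FORWARD sees the
    #    post-DNAT destination, which is why the match is on the server address.
    echo "iptables -A FORWARD -p tcp -s $client -d $server --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # 3. filter/FORWARD: admit the server's replies (conntrack un-DNATs them).
    echo "iptables -A FORWARD -p tcp -s $server --sport $port -d $client -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# The FORWARD chain is never consulted unless the kernel routes packets at all.
enable_forwarding_cmd() {
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Number of rules the generator emits for the thread's hosts (sanity check).
rule_count() {
    port_forward_rules "$CLIENT" "$GATEWAY" "$VNC_SERVER" "$VNC_PORT" | wc -l | tr -d ' '
}

main() {
    if [ "${APPLY:-0}" = "1" ]; then
        enable_forwarding_cmd | sh
        port_forward_rules "$CLIENT" "$GATEWAY" "$VNC_SERVER" "$VNC_PORT" | sh
    else
        enable_forwarding_cmd
        port_forward_rules "$CLIENT" "$GATEWAY" "$VNC_SERVER" "$VNC_PORT"
    fi
}

main
```

One caveat the example does not cover: the server's replies must route back through the same gateway so that conntrack can reverse the DNAT. If 10.10.60.3 is not 10.10.60.4's default gateway, the reply goes out another path and the client's connection hangs; in that layout the PREROUTING DNAT has to be paired with a nat/POSTROUTING SNAT (or MASQUERADE) rule on the gateway so the server answers the gateway rather than the client directly.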