> Well, James, you are missing quite a lot here. First of all, the default
> policy is set to ACCEPT, so everything goes through as if there were no
> firewall rules at all. Secondly, the examples people sent you implied you
> already had some other firewall rules needed for them to work (most of
> them don't work on their own).
>
> I'll attach a sample /etc/sysconfig/iptables file with some comments you
> can use to play with. It's something I just typed for you, so it might
> contain a typo or two. It's a good starting point for building your own
> firewall rules.
>
> The configuration style is total overkill for your simple problem;
> however, if your configuration becomes complex with hundreds or thousands
> of rules, it'll pay off to do it this way from the beginning.
>
> You might want to deinstall system-config-securitylevel and
> system-config-securitylevel-tui since they will blindly rewrite this
> file. You might also want to remove any other GUI tool for managing
> firewall rules, since it will either overwrite this file, or it will use
> its own scripts to replace the rules with whatever that GUI tool thinks
> the configuration should look like. Also, if you use
> "/etc/init.d/iptables save" (as some folks suggested), it will also
> overwrite this file with whatever rules are currently loaded (you'll lose
> all those nice comments I put in for you, and the nice-looking ordering
> of them too). To load the file, you might do "/etc/init.d/iptables
> start". Once the rules are up and running, and you change something in
> the file, don't use the iptables script to reload the new version. Use
> "iptables-restore /etc/sysconfig/iptables". Or your current sessions
> might hang ;-)
>
> OK, there's the file in the attachment.

Aleksandar,

Wow, this is excellent. I read through it all and commented out the 8000
stuff for the moment. I totally agree with doing it right from the start.
That being said, it loaded fine. I can still ssh and hit http.
The only problem is that the VNC forward stuff still doesn't work. Here's
what it looks like applied.

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
SSH_INP    tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:ssh flags:SYN,RST,ACK/SYN state NEW
HTTP_INP   tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:http flags:SYN,RST,ACK/SYN state NEW
LOG_INP    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
VNC_FWD    tcp  --  anywhere             anywhere            tcp spts:1024:65535 dpt:5900 flags:SYN,RST,ACK/SYN state NEW
LOG_FWD    all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            state RELATED
LOG_OUT    all  --  anywhere             anywhere

Chain HTTP_INP (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain LOG_FWD (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning prefix `FORWARD '
RETURN     all  --  anywhere             anywhere

Chain LOG_INP (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning prefix `INPUT '
RETURN     all  --  anywhere             anywhere

Chain LOG_OUT (1 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            LOG level warning prefix `OUTPUT '
RETURN     all  --  anywhere             anywhere

Chain SSH_INP (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain VNC_FWD (1 references)
target     prot opt source               destination
ACCEPT     all  --  192.168.192.24       10.10.60.4
RETURN     all  --  anywhere             anywhere

If I do an nmap scan, all it returns is port 22 and port 80. Since it's
port forwarded, should port 5900 show up as well?

I'm doing the scan from 192.168.192.24. I don't really understand the
logging part. Is there a way I can turn on some logging to see the VNC
requests coming in and see what it's doing with them?

Thanks for everything!

James
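Editor's note with an added example (mine, not code from either message in this thread). The logging James asks about is already switched on: every packet that falls off the end of INPUT, FORWARD or OUTPUT hits the LOG_INP / LOG_FWD / LOG_OUT chains, which write a kernel log line with the prefix `INPUT `, `FORWARD ` or `OUTPUT ` before the default DROP policy discards it. Those lines end up wherever syslog sends kernel messages (assumed here to be /var/log/messages). Which prefix a dropped SYN to port 5900 carries is the diagnostic: a packet logged from INPUT was addressed to the firewall itself and never rewritten by a nat-table DNAT rule, so it never reached FORWARD or VNC_FWD at all (note that plain `iptables -L` only shows the filter table; `iptables -t nat -L -n` shows PREROUTING); a packet logged from FORWARD was routed through the box but did not match VNC_FWD's 192.168.192.24 -> 10.10.60.4 ACCEPT. The script below parses such lines and sorts the 5900 drops by chain. The sample log lines, hostnames, interface names and the firewall address 192.168.192.1 are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread) in the format the iptables
# LOG target emits through the kernel log; assumption: syslog writes them to
# /var/log/messages.  The "INPUT " / "FORWARD " prefixes are the --log-prefix
# values of the LOG_INP and LOG_FWD chains in the listing above.  The last
# line is a non-iptables message that the parser must ignore.
SAMPLE_LOG = """\
Mar  5 10:01:02 fw kernel: INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.192.24 DST=192.168.192.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=35022 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  5 10:01:05 fw kernel: INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.192.24 DST=192.168.192.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=35022 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  5 10:02:17 fw kernel: FORWARD IN=eth0 OUT=eth1 SRC=192.168.192.77 DST=10.10.60.4 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9001 DF PROTO=TCP SPT=40000 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  5 10:03:00 fw kernel: INPUT IN=eth0 OUT= SRC=192.168.192.24 DST=192.168.192.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4800 DF PROTO=TCP SPT=35100 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  5 10:03:30 fw sshd[2211]: Accepted publickey for james from 192.168.192.24 port 50122 ssh2
"""

# The chain name is the --log-prefix; everything after it is KEY=VALUE pairs
# plus bare flag tokens (DF, SYN, ACK, ...) that carry no '='.
LINE_RE = re.compile(r"kernel: (?P<chain>INPUT|FORWARD|OUTPUT) (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return a dict {'chain', 'SRC', 'DST', 'PROTO', 'DPT', 'flags', ...}
    for an iptables LOG line, or None for any other syslog line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = m.group("fields")
    rec = {"chain": m.group("chain")}
    rec.update(FIELD_RE.findall(fields))          # KEY=VALUE pairs
    rec["flags"] = [t for t in fields.split() if "=" not in t]  # DF, SYN, ...
    return rec


def vnc_drops(text, port=5900):
    """Every logged (and therefore dropped) TCP packet aimed at `port`."""
    out = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec and rec.get("PROTO") == "TCP" and rec.get("DPT") == str(port):
            out.append(rec)
    return out


def summarize(text, port=5900):
    """Count drops by (chain, SRC, DST): which chain rejected whom, going where."""
    return Counter((r["chain"], r["SRC"], r["DST"]) for r in vnc_drops(text, port))


def diagnose(chain):
    """What a drop in this chain means for a DNAT port-forwarding setup."""
    if chain == "INPUT":
        return ("addressed to the firewall itself and never DNATed, so it went "
                "to INPUT instead of FORWARD: check 'iptables -t nat -L -n' for "
                "a PREROUTING DNAT rule pointing at the VNC host")
    if chain == "FORWARD":
        return ("routed through the box but not matched by VNC_FWD's ACCEPT: "
                "compare SRC/DST with the 192.168.192.24 -> 10.10.60.4 rule")
    return "locally generated traffic dropped by the OUTPUT chain"


if __name__ == "__main__":
    # Real use: summarize(open("/var/log/messages").read())
    for (chain, src, dst), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}x {chain:8s} {src} -> {dst}: {diagnose(chain)}")
```

To watch attempts live, `tail -f /var/log/messages | grep 'DPT=5900'` shows the same lines as they arrive, and `iptables -L -n -v` adds per-rule packet counters so you can see whether the VNC_FWD rule's ACCEPT counter moves at all while a connection is attempted.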