This needs to happen in the nat table:

iptables -t nat -A PREROUTING -p tcp -d 10.10.60.3 --dport 5900 -j DNAT --to-destination 10.10.60.4:5900

Make sure 10.10.60.4 is using 10.10.60.3 as its router for this traffic.

Kirk James Pifer wrote:
> On Wed, 2005-09-28 at 11:56 -0500, Aleksandar Milivojevic wrote:
>
>>Quoting Rodrigo Barbosa <rodrigob at suespammers.org>:
>>
>>>Humm, that should be relatively simple:
>>>
>>>iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j ACCEPT
>>
>>You probably want to use INPUT chain of filter table for this:
>>
>>iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
>>
>>If INPUT chain of filter table has default policy set to DROP, putting
>>an ACCEPT target into PREROUTING chain of nat table isn't going to let
>>the packet go through the firewall.
>
> Alright, I figured I would try a simple proof of concept with this.
> Without setting any policies to drop, meaning all the chains are wide
> open (all ACCEPT) I wanted to try and do VNC through the port forward.
>
> So I started with this:
> #iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Ran this:
> iptables -A FORWARD -p tcp --dport 5900 -s 192.168.192.24 -d 10.10.60.4 -j ACCEPT
>
> Ended up with this:
> iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     tcp  --  192.168.192.24       10.10.60.4           tcp dpt:5900
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Now shouldn't I be able to run the VNC client from my machine
> 192.168.192.24, connecting to this server (10.10.60.3) and shouldn't it
> forward the VNC request to 10.10.60.4?
>
> Yes, communication does work between 192.168.192 and 10.10.60 subnets.
>
> Thanks,
> James
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
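As an added example, not part of the thread: a small Python audit of an iptables-save dump that flags the two mistakes discussed above, an ACCEPT target in the nat table (which lets nothing through the filter table) and a PREROUTING DNAT with no matching FORWARD ACCEPT in the filter table. The dump is constructed from the addresses in the thread; the return-path routing requirement is not visible in a rule set and is not checked.

```python
# Constructed sample in iptables-save form: the VNC DNAT, a stray ACCEPT in nat, FORWARD policy DROP.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -d 10.10.60.3/32 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 10.10.60.4:5900
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -s 192.168.192.24/32 -d 10.10.60.4/32 -p tcp -m tcp --dport 5900 -j ACCEPT
COMMIT
"""

def parse_dump(dump):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, {option: value})]}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):                      # table header, e.g. *nat
            table = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif line.startswith(":") and table:          # chain policy, e.g. :FORWARD DROP [0:0]
            chain, policy = line[1:].split()[:2]
            table["policies"][chain] = policy
        elif line.startswith("-A") and table:         # rule: each option maps to its value, or True for flags
            toks = line.split()
            opts = {t: (toks[i + 1] if i + 1 < len(toks) and not toks[i + 1].startswith("-") else True)
                    for i, t in enumerate(toks) if i >= 2 and t.startswith("-")}
            table["rules"].append((toks[1], opts))
    return tables

def audit_port_forwards(dump):
    """Return findings: ACCEPT targets in nat (they pass nothing) and DNATs lacking a FORWARD ACCEPT."""
    tables = parse_dump(dump)
    nat, filt = (tables.get(t, {"policies": {}, "rules": []}) for t in ("nat", "filter"))
    fwd_open = filt["policies"].get("FORWARD") == "ACCEPT"
    fwd_accepts = [o for c, o in filt["rules"] if c == "FORWARD" and o.get("-j") == "ACCEPT"]
    findings = []
    for chain, o in nat["rules"]:
        if o.get("-j") == "ACCEPT":
            findings.append(f"nat/{chain}: ACCEPT here does not let traffic through; use filter INPUT/FORWARD")
        elif chain == "PREROUTING" and o.get("-j") == "DNAT":
            host, _, port = o.get("--to-destination", "").partition(":")
            port = port or o.get("--dport")           # no port in the target means the original port is kept
            covered = fwd_open or any(f.get("-d", "").split("/")[0] in ("", host)   # no -d, or -d host
                                      and f.get("--dport", port) == port            # no --dport, or same port
                                      for f in fwd_accepts)
            if not covered:
                findings.append(f"nat/PREROUTING: DNAT to {host}:{port} has no filter/FORWARD ACCEPT rule")
    return findings
```

Feed it real output with `audit_port_forwards(subprocess.check_output(["iptables-save"], text=True))`.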