Quoting James Pifer <jep at obrien-pifer.com>: > That being said it loaded fine. I can still ssh and hit http. The only > problem is that the VNC forward stuff still doesn't work. Here's what it > looks like applied. > > #iptables -L Actually, to debug things, you would need output of "iptables -nvxL" and "iptables -t nat -nvxL". The former would list rules in filter table, and later would list rules in nat table. Both with counters, so you can see how many packets (if any) were matched by those rules. They would also show you how many packets in each chain were matched by default policy for that chain (wich is DROP for INPUT, OUPUT and FORWARD chains of filter table). The "-L" option accepts optional argument, so you can also do things like "iptables -nvxL FORWARD" or "iptables -nvxL VNC_FWD" to list only particular chain and its counters. > If I do an nmap scan all it returns is port 22 and port 80. Since it's > port forwarded, should port 5900 show up as well? I'm doing the scan > from 192.168.192.24. You might find tcpdump to be a better friend in debugging firewall rules then nmap. Run it on the firewall machine. It will show you what is going on the ethernet wire. Try running it in two terminals in parallel, in one terminal you would run something like "tcpdump -i eth0 host xxx and port 5900". In the other window you would run "tcpdump -i eth1 host xxx and port 5900", where xxx is the address of the source host. The "host xxx and port 5900" is to filter out the clutter, change it as needed. If you see packets on eth0 but not on eth1, then your firewall is "eating" them. You shuold also see change in destination address by comparing the output in those two terminal windows. > I don't really understand the logging part. Is there a way I can turn on > some logging to see the VNC requests coming in and see what it's doing > with them? The rules, as I sent them to you, will log all dropped packets to /var/log/messages. You'll see relatively long line saying it was logged by the kernel, then from what chain (INPUT, OUTPUT or FORWARD), and than a (long) summary of the dropped packet (type of packet, source, destination, ports (if applicable), flags, and so on). If your firewall is dropping anything, you should see it in the logs. If you want to see incomming VNC requests in log files, try putting this as first rule in VNC_FWD chain: -A -j LOG_FWD Note that this will log only the SYN packet (the first packet initiaing the connection), so you don't have to worry about your logs getting too large. This is becasue you are jumping into VNC_FWD chain only when you see SYN packet (the --syn option that expands to flags:SYN,RST,ACK/SYN in iptables -L output). ---------------------------------------------------------------- This message was sent using IMP, the Internet Messaging Program.