but when I scan eth2:1 or eth2:2 from an outside machine I can see ALL the local services (ssh, ptptp, dns etc.). Is the connection not passing the forwarding chain?
You obviously have the INPUT chain set to a policy of ACCEPT. All locally destined packets go through the INPUT chain, all forwarded packets go through the FORWARD chain. Add appropriate rules for the INPUT chain.
HTH, Martijn Lievaart
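
One way to build the INPUT rules the reply calls for, as an added example that is not part of the original thread: the function prints iptables commands for review and leaves the FORWARD chain untouched. The trusted network, the service list and the function name `gen_input_rules` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables commands for review;
# nothing is applied unless the output is piped to a root shell.

# gen_input_rules TRUSTED_NET PROTO/PORT...
#   TRUSTED_NET: source network still allowed to reach local services (assumed)
#   PROTO/PORT:  e.g. tcp/22 udp/53
gen_input_rules() {
    trusted_net=$1
    shift
    # Validate everything first so a bad argument never yields a partial ruleset.
    for spec in "$@"; do
        proto=${spec%%/*}
        port=${spec#*/}
        case $proto in
            tcp|udp) ;;
            *) echo "bad protocol in '$spec'" >&2; return 1 ;;
        esac
        case $port in
            ''|*[!0-9]*) echo "bad port in '$spec'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range in '$spec'" >&2; return 1
        fi
    done

    # Loopback and replies to connections this host started.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Local services, reachable only from the trusted network. INPUT sees
    # traffic to every local address, aliases such as eth2:1 and eth2:2 included.
    for spec in "$@"; do
        echo "iptables -A INPUT -s $trusted_net -p ${spec%%/*} --dport ${spec#*/} -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Policy last: everything else destined for this host is dropped.
    echo "iptables -P INPUT DROP"
}

# Constructed sample values (192.0.2.0/24 is a documentation range).
gen_input_rules 192.0.2.0/24 tcp/22 udp/53 tcp/53
```

Setting the policy after the ACCEPT rules keeps an existing SSH session alive while the commands are applied.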