Other than connection tracking, if you are using stateful, there are not any special modules needed. I will also add that allowing VNC to penetrate the firewall is not the best of ideas, but it is very possible to do it securely if you are smart and crafty about it. Here are a couple of thoughts which should help you.

First, confirm what port your VNC server is listening on. The VNC port range is:

    VNC_PORTS="5900:5910"

So, take a look at this. Having said that, it will also take a minimum of two rules to penetrate the firewall.

1) DNAT the correct listening port through to the correct server, as you have done with:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 59xx -s 192.168.0.2 -j DNAT --to 192.168.0.25:59xx

That's only half of it. You must then accept the packet once it has been DNATed, such as:

    $IPT -t filter -A FORWARD -i $FW_INET_IFACE -p tcp --destination-port $VNC_PORTS -m state --state NEW -j LOG --log-prefix "ACCEPT INBOUND VNC: "
    $IPT -t filter -A FORWARD -i $FW_INET_IFACE -p tcp --destination-port $VNC_PORTS -m state --state NEW -j ACCEPT
    $IPT -t filter -A FORWARD -o $FW_INET_IFACE -p tcp --destination-port $VNC_PORTS -m state --state NEW -j LOG --log-prefix "ACCEPT OUTBOUND VNC: "
    $IPT -t filter -A FORWARD -o $FW_INET_IFACE -p tcp --destination-port $VNC_PORTS -m state --state NEW -j ACCEPT

Additionally, if you are using connection tracking, you must ACCEPT ESTABLISHED and RELATED as well.

Hope this helps.

-----Original Message-----
From: netfilter-admin@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Joel Pearson
Sent: Saturday, September 20, 2003 6:57 AM
To: netfilter@xxxxxxxxxxxxxxxxxxx
Subject: Access VNC Server via DNAT

Hey,

I have a VNC server that is on my local LAN at home that I'd like to be able to access from the internet via my internet gateway Linux box.
I've read a little bit about it but I can't get my gateway to forward ports. I've tried this:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5904 -s 192.168.0.2 -j DNAT --to 192.168.0.25:5904

But it says it can't connect to the server. At the moment I'm just trying to get the port forwarding to work on my local LAN, but it doesn't seem to be working. I've read of people having this working using a somewhat similar iptables command; is there some module I'm supposed to load to make this happen?

My server is running RedHat 8 with iptables v1.2.6a.

Does anyone know why this isn't working?

Thanks
Joel
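The complete rule set the reply describes (DNAT in nat/PREROUTING, an ACCEPT for the DNATed packet in filter/FORWARD, and an ESTABLISHED,RELATED ACCEPT for connection tracking), written out as an added example that is not code from either poster. The interface name eth0, the VNC server 192.168.0.25 and port 5904 are taken from the thread; the remote client address 203.0.113.7 (a TEST-NET-3 documentation address), the variable names, the ipt/vnc_rules/vnc_rule_count function names and the DRY_RUN switch are assumptions of this example. Two points the example makes explicit: the -s match on the DNAT rule must be the remote client's real source address (a LAN address such as 192.168.0.2 will never match a packet arriving from the internet), and because nat/PREROUTING runs before filter/FORWARD, the FORWARD rule sees the rewritten destination (192.168.0.25), so it is matched with -d on the server, not on the gateway. Replies are covered by the ESTABLISHED,RELATED rule, so no outbound NEW rule for VNC is needed.

```shell
#!/bin/sh
# Added example (not from the original thread): DNAT one VNC port through a
# Linux gateway to a LAN server, plus the FORWARD rules that let it through.
# Assumed values are marked below. Run with DRY_RUN=1 to print the iptables
# commands instead of executing them (no root or iptables binary needed).

FW_INET_IFACE="${FW_INET_IFACE:-eth0}"           # internet-facing interface (from the thread)
VNC_SERVER="${VNC_SERVER:-192.168.0.25}"         # LAN host running the VNC server (from the thread)
VNC_PORT="${VNC_PORT:-5904}"                     # VNC display :4 listens on 5904 (from the thread)
ALLOWED_CLIENT="${ALLOWED_CLIENT:-203.0.113.7}"  # remote client's public address (assumed, TEST-NET-3)
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"

# Run an iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Emit every rule needed for the port forward, in the order they are applied.
vnc_rules() {
    # 1) nat/PREROUTING: rewrite the destination of inbound packets for the
    #    VNC port to the LAN server. The -s match limits who can trigger the
    #    DNAT at all; it must be the remote client's own source address.
    ipt -t nat -A PREROUTING -i "$FW_INET_IFACE" -p tcp --dport "$VNC_PORT" \
        -s "$ALLOWED_CLIENT" -j DNAT --to-destination "$VNC_SERVER:$VNC_PORT"

    # 2) filter/FORWARD: connection tracking handles the return traffic and
    #    anything RELATED, so only the first (NEW) packet needs its own rule.
    ipt -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3) filter/FORWARD: the packet has already been DNATed here, so match on
    #    the LAN server as destination. Log it, then accept it.
    ipt -t filter -A FORWARD -i "$FW_INET_IFACE" -p tcp -d "$VNC_SERVER" \
        --dport "$VNC_PORT" -s "$ALLOWED_CLIENT" -m state --state NEW \
        -j LOG --log-prefix "ACCEPT INBOUND VNC: "
    ipt -t filter -A FORWARD -i "$FW_INET_IFACE" -p tcp -d "$VNC_SERVER" \
        --dport "$VNC_PORT" -s "$ALLOWED_CLIENT" -m state --state NEW -j ACCEPT
}

# Number of rules vnc_rules would add (dry run in a subshell); a sanity check
# before applying them to a live gateway.
vnc_rule_count() {
    (DRY_RUN=1; vnc_rules) | wc -l | tr -d ' '
}

# Apply (or print) the rules only when explicitly asked, e.g.
#   DRY_RUN=1 VNC_APPLY=1 sh vnc_forward.sh
if [ "${VNC_APPLY:-0}" = "1" ]; then
    vnc_rules
fi
```

The example assumes the gateway already forwards IPv4 (net.ipv4.ip_forward=1) and that the FORWARD chain's default policy drops what these rules do not accept; it does nothing about the VNC protocol itself, which is why restricting -s to one known client address matters. Testing the forward from a LAN host, as the original question does, will not exercise these rules: a LAN client's packets do not arrive on the internet-facing interface, and even if DNATed, the server's replies go straight back to the LAN client without passing through the gateway, so the connection never completes.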