Hello all. I want to use iptables on my server to forward VNC connections based on the connecting port, such that connecting on port 5900 goes to machine 1, 5901 to machine 2, etc. Here is a brief description of my home network:
My internal network uses a typical class C private addressing scheme.

After reading up a bit, I tried changing my iptables rules to forward the ports, but I really didn't get any results. The thing I'm having trouble with is that all the instructions I found refer to the machine running iptables being the internet gateway for the network, with two ethernet interfaces. However, on my network, it is just another host with only one interface, but it is the DMZ host from the router, so it will get all the internet traffic. What I want to do is grab incoming connections on several different ports, and forward them to different IPs on port 5900, so that I don't have to change the listening ports on the individual machines, and create separate forwarding rules from the router.

For example:
In on eth0 port 5900 --> out on eth0 to Windows box 1 on port 5900
In on eth0 port 5901 --> out on eth0 to Windows box 2 on port 5900
In on eth0 port 5902 --> out on eth0 to Linux workstation 1 on port 5900

I currently have no iptables rules, because I'm not using it to protect my network at all, that's done already at the router. The only purpose iptables will serve is to forward those ports to the correct machines.

Why do you need the Linux box with iptables? The linksys router can do it for you. Just map virtual server on port 5900 to xp box 1, port 5900; 5901 to xp 2, port 5900 and finally 5902 to linux ws 1, port 5900.

As you dont have your DMZ to act as a gateway for rest of your boxes; you dont have to worry.. & the only thing you need to do is to place one more rule for postrouting as well; Thats it !

Here's your way out;

We initial think that you have 3 packets;
From internet (clients) heading towards your DMZ box;
Source/Destinationort
1. C1/DMZ:5900
2. C2/DMZ:5901
3. C3/DMZ:5902

Now please get one more thing clarified on your part; as you are only having one ethernet interface & that's also a part of your lan; (Further next in this reply i wont use DMZ for the mean of DMZ & only as a reference to that box).. i believe that all of the packets(internet traffic) which are being routed to you still has its source ip(as the real/public ip's);
Though i am little confused about the job your linksys router is doing; but i am trying to clarify you the basics.

Prior these rules : Packet state : Source/destination ip= C1/DMZ
#iptables -t nat -A PREROUTING -p tcp --dport 5900 -d DMZ -j DNAT --to-destination windows-box:5900
#iptables -t nat -A POSTROUTING -p tcp -d windows-box -j SNAT -to-source DMZ(ip)
After these rules : Packet state : Source/destination ip= DMZ/WinBOX

& further we have to write these rules in the same way for rest of the packets as well.
Though be a little cautios as only initial --dport will change for rest of the two rules but the last one will always remain @ 5900.

I also expect that at kernel level packet forwarding is ON.

My router doesn't have the option to change what port its on--I can forward ports, but not to different ports. I would have to listen on different ports on each machine, and have several different entries in my list, which is very limited to only about 10 entires.

My router functions as the internet gateway, the wireless access point (and associated bridging/routing between LAN and WLAN), DHCP server for DHCP clients, local DNS cache (my ISP isn't all that reliable), internet bandwidth throttling, and basic firewalling for the rest of the network. The server is a DMZ because it runs several things that need access from the internet, including FTP, SSH, and HTTP. Since my router is very limited in the number of forwardings I can do, I just set that machine as the DMZ. It runs Trustix Secure Linux, and I am absolutely sure no services are running that I don't want running, and I have all logins secured (block root, all users have good passwords, correctly configured sudoers file, etc.). This also isn't a mission-critical operation, so if my server does get compromised, its not a big deal. I watch my logs, and the most I get is typical dictionary bots attemtping to login with 'root', 'Administrator', and 'Administrateur'.

As for kernel level packet forwarding, I don't know if its on or not. How would I check and turn it on?

Thanks for sharing the info.

If it has "0", it's not enabled. To enable it,

Thanks for all your help! It works just the way I want it now. Kernel IP forwarding was 0, so that was probably why my first attempts didn't do anything.