I have the current configuration but can't get iptables working.

Computer A
eth0 -> WAN
eth1 -> LAN -> Computer B & Computer C

Computer A (eth1), Computer B and Computer C are on 192.168.*.* IPs and B & C are running VNC servers on 5900 (Windows).

I want to forward and redirect ports 5900 from B & C to ports accessible from the WAN on Computer A?

Any suggestions on the correct iptables syntax? IPv4 port forwarding is enabled.

Will the traffic be directed to/from your WAN machine through a gateway server? If so, before you make an iptables rule, you could test network connectivity and what ports are involved by using an ssh tunnel to port-forward the traffic from the remote port 5900 to your local machine (Computer A) at some arbitrary local port through the gateway server (you will need a login to that server however).

If you can open up a putty or other ssh terminal on the destination machine you can type:

ssh -L LocalPort:RemoteHostIP:RemoteHostPort username@GatewayHost -N
Like: ssh -L 10000:192.168.12.104:5590 myuser@gateway -N

This will forward traffic from 192.168.12.104:5590 through the gateway to your local machine's port 10000. Perhaps this is not applicable for you though. I often have to deal with jumping through a gateway, hence this is useful for me.

Wait, are you just wanting to know the right sytax or did you need to know what kind of rule to add (what ports to allow traffic on and such)? If the former then my suggestion obviously will not help. Sorry if I misunderstood.

I understand I can forward VNC via SSH. I would prefer if Computer A had two ports redirect (eth0) (via iptables) to the VNC servers on the LAN (eth1) from Computers B & C.

Ah I think understand now, you need to take the traffic it receives on one ethernet interface and expose it on the other (which is on a different network?). If this was web traffic this would be a piece of cake (use a reverse proxy) but I'm afraid I've never done anything like this for non-web traffic. Hopefully someone who has done that can make a suggestion. Sorry if I wasted your time (the ssh tunnel was my best idea at the time).

P.S. I assume you've looked at the documentation online for the REDIRECT iptables directive? Maybe this is relevant: http://networking-dummies.com/redire...-with-iptables.

I basically need an example of how to do this with iptables.

I don't think the separate NICs are a problem because the routing is setup to direct 192.168.*.* traffic to eth1.

All of the commands I tried didn't work so I'm asking if anyone with experience with this can help.

Have a look at the example just before section 7.4.1.

http://www.centos.org/docs/4/html/rh...l-ipt-fwd.html

You will need two rules, one for port 5900, and another for another port such as 5901. So using 5900 connects to host B and 5901 connects to host B.

I assumed you have 1 Internet address and masquerade LAN addresses in Host A's iptable rules.