LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 04-28-2002, 06:59 AM   #16
bbenz3
Here is what I did to make mine work.

eth1 is the external NIC.
192.168.168.11 is the IP of the internal computer.
The port#s don't have to equal each other, but for what you want they should.

iptables -t nat -I PREROUTING -p tcp -i eth1 --dport (port#) -j DNAT --to 192.168.168.11:(port#)

Also, you should add another line to make the outgoing side work. I will have to look that one up. I think you can also use this with a range of ports and will look that up as well.
 
Old 04-28-2002, 08:21 AM   #17
eXor
Original Poster
Thx.

Thx. I have now added the lines

iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 5800 -j DNAT --to 192.168.0.2:5800
and
iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 5900 -j DNAT --to 192.168.0.2:5900

eth0 is my external and 192.168.0.2 is my internal ip.

But that didn't do it.
But I'm waiting for that other line.
I don't really understand what that would do.
Because all outgoing signal is accepted.
But I hope it will fix this whole mess.

 
Old 04-28-2002, 01:33 PM   #18
bbenz3
OK here is what I did completely. I have most everything set to drop so I have to allow things to get out.

I am assuming that your int network is on eth1 and ext is on eth0

iptables -I INPUT -p tcp -i eth1 --sport (port#s) -j ACCEPT
e.g. 400:414 to make the range of ports work

Here is the line to get that port range to work:
iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 400:414 -j DNAT --to 192.168.0.2

The only other thing that I can think of is to try and add the same line except change the tcp function to udp and therefore allow both types of protocols.

Hope that makes it work. If not let me know.
 
Old 04-28-2002, 04:26 PM   #19
eXor
Original Poster
Hm...

I don't get it. It doesn't work.

Now I added

iptables -I INPUT -p tcp -i eth1 --sport 5800
iptables -I INPUT -p udp -i eth1 --sport 5800

iptables -t nat -I PREROUTING -p tcp -i eth0 --dport 5800 -j DNAT --to 192.168.0.2
iptables -t nat -I PREROUTING -p udp -i eth0 --dport 5800 -j DNAT --to 192.168.0.2


Not working......
 
Old 04-28-2002, 07:51 PM   #20
bbenz3
Well you will have to post more of your information for me then. Because without that I don't know what else to tell you.
 
Old 04-29-2002, 03:07 AM   #21
eXor
Original Poster
Look on side 1.

If you look on side 1 of this thread.
There you will get more info.
 
Old 04-29-2002, 03:27 AM   #22
bbenz3
e-mail me and I will send you my firewall/router script. It is too long to post here.
 
Old 04-29-2002, 08:39 AM   #23
Norel
Re: continu...

Quote:
                    [Internet]
                       /
                      /(eth0)
                     /
               [Router] (Slackware 8.0)
                  /
                 /(eth1)
                /
             [Hub (10Mbit)]
             /              \
   [Computer 1]             [Computer 2]
    WinXP (Standard)        WinME
    Linux Red Hat 7.2       (192.168.0.22)
    (192.168.0.2)           (VNC client)
    (VNC Server and DC)
Only some questions/proposals:
- how do you connect to the internet? (dialup, xDSL, cable, ...)
- post here the #ifconfig output while you are connected to the internet (for more privacy just x.x.x.x your internet address)
- are you sure that your router connects to the internet directly, without any firewall and/or SNAT (masquerade) that prevents you from receiving direct connections? To verify this just temporarily start a daemon such as telnet or sshd on your router and try to connect from the internet.

Other tests:
- just boot Computer 1 in linux, start sshd (port 22 tcp/udp) or telnet (port 23 tcp/udp), start #tcpdump host 192.168.0.2 and port <22/23> | tee logfile.log

on router:
just to clean and open *all*:
#iptables -F
#iptables -t nat -F
#iptables -P INPUT ACCEPT
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD ACCEPT
#iptables -t nat -P PREROUTING ACCEPT
#iptables -t nat -P OUTPUT ACCEPT
#iptables -t nat -P POSTROUTING ACCEPT

to make websurfing on:
#iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
+ check websurfing here from Computer 2 to internet

start logging on server:
#tcpdump port <22/23> | tee logfile.log

to activate DNAT:
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport <22/23> -j DNAT --to 192.168.0.2
+ try to connect from internet to your router internet address with ssh client (port 22) and/or telnet client (port 23)
+ check Computer 1 for tcpdump output
+ check Router for tcpdump output

Report results here

Last notes:
- this is a very risky configuration because you are open to the world ... don't stay this way too long
- I ask you to try ssh or telnet in place of VNC because those services are simpler and there is no problem with packet size and fragments. For the simplest test, use telnet.
- sorry for the long wait for a reply ... I just had to work
 
Old 05-01-2002, 07:56 AM   #24
Jase
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -A FORWARD -o $EXTIF -s $MYIP -p udp --sport 5800 -j ACCEPT


substitute $IPTABLES with your path to iptables (/sbin/iptables)
substitute $EXTIF with eth0 (WAN adapter)
substitute $MYIP with your 192.168.x.x VNC machine IP


also what does lsmod return for you?

Last edited by Jase; 05-01-2002 at 08:04 AM.
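A complete version of the forwarding set-up pieced together in posts #18, #23 and #24, as an added example that is not code from any post in this thread: it generates the DNAT, FORWARD, MASQUERADE and logging rules for one TCP port. eth0 as external NIC, eth1 as internal NIC, 192.168.0.2 as the VNC host and port 5900 are assumed placeholders, and the commands are only printed unless RUN=1 is set.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Generates the complete rule set
# for forwarding one TCP port from the router's external NIC to an internal host.
# Assumed placeholders (override via environment): EXTIF=eth0, INTIF=eth1,
# INTIP=192.168.0.2, PORT=5900, IPT=/sbin/iptables.
# Commands are printed; set RUN=1 (as root) to execute them instead.

IPT=${IPT:-/sbin/iptables}

# emit: print the command line, or run it when RUN=1
emit() {
    if [ "${RUN:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# port_forward_rules EXTIF INTIF INTIP PORT
port_forward_rules() {
    extif=$1; intif=$2; intip=$3; port=$4
    # 1. The kernel must be routing between interfaces at all.
    emit sysctl -w net.ipv4.ip_forward=1
    # 2. Rewrite the destination of inbound packets (the DNAT used in the thread).
    #    --dport is only accepted together with -p, so -p tcp is not optional.
    emit "$IPT" -t nat -A PREROUTING -i "$extif" -p tcp --dport "$port" \
        -j DNAT --to-destination "$intip:$port"
    # 3. After DNAT the packets traverse FORWARD, not INPUT. With a DROP policy on
    #    FORWARD they vanish silently; allow the new connection in and the
    #    established reply traffic back out.
    emit "$IPT" -A FORWARD -i "$extif" -o "$intif" -p tcp -d "$intip" --dport "$port" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    emit "$IPT" -A FORWARD -i "$intif" -o "$extif" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. Masquerade internal clients so their traffic leaves with the router's address.
    emit "$IPT" -t nat -A POSTROUTING -o "$extif" -j MASQUERADE
    # 5. With FORWARD policy DROP, a rate-limited LOG as the last rule makes whatever
    #    still gets dropped visible in the kernel log instead of silent.
    emit "$IPT" -A FORWARD -m limit --limit 15/minute -j LOG --log-prefix "FWD-DROP: "
}

port_forward_rules "${EXTIF:-eth0}" "${INTIF:-eth1}" "${INTIP:-192.168.0.2}" "${PORT:-5900}"
```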
 
Old 05-02-2002, 03:20 AM   #25
Token
Do you have a firewall, Zone Alarm, Black Ice, etc.... running on the 192.168.0.2 box? Turn 'em off and test if so...

You might also want to try logging everything that your firewall drops and see if you can spot the mess-up in there somewhere.

Also, grab a sniffer (there are several out there, but for Linux I used sniffit or ethereal) and run it on one of your internal machines and see if you can see the packets for VNC coming out of your router to your VNC box. This way you'll at least know if your IPTABLES is forwarding the packets and they're being lost somewhere else.

Here's the way I log stuffs for drops:

# Setup Logging for Dropped Packets
iptables -N dropwall
iptables -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropped:
iptables -A dropwall -j DROP

then after all my other iptables stuff I have

#Final Catch all Logging
iptables -A INPUT -j dropwall

With that at the end of your script any packets that you didn't specify to drop or allow but don't have anywhere else to go are dropped then logged.

You can also use this to test other packet drops in your iptables script. Say if you're dropping telnet packets:

iptables -A INPUT -i eth0 -p tcp --dport 23 -j dropwall
instead of:
iptables -A INPUT -i eth0 -p tcp --dport 23 -j DROP

so whenever a packet is dropped it's logged


You could also do the same thing for accepts if you wanted...
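What the Dropped: prefix gives you once it is in the kernel log, as an added example that is not part of the post above: a small parser over constructed LOG lines that tells INPUT drops apart from FORWARD drops, which is the distinction this thread needed (interfaces and addresses are placeholders).

```shell
#!/bin/sh
# Added example, not from any post in this thread. Summarises what the "dropwall"
# LOG rule above leaves in the kernel log, so you can see where a packet died.
# The log lines are constructed here (iptables LOG output, prefix "Dropped:");
# interfaces and addresses are placeholders. Runs offline; feed real lines on stdin.

SAMPLE_LOG='Apr 28 13:02:11 router kernel: Dropped:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=41234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 28 13:02:14 router kernel: Dropped:IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1235 DF PROTO=TCP SPT=41235 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 28 13:02:17 router kernel: Dropped:IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1236 DF PROTO=TCP SPT=41236 DPT=5900 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 28 13:02:21 router kernel: eth0: link is up'

# dropped_summary: reads kernel log text on stdin, prints one line per distinct
# path as "COUNT IN OUT DST PROTO DPT", busiest first. OUT is "-" when the packet
# was addressed to the router itself (dropped in INPUT); when OUT is set the
# packet had already been routed, i.e. DNAT rewrote it, and FORWARD dropped it.
dropped_summary() {
    awk '
        /Dropped:/ {
            in_ = "-"; out_ = "-"; dst = "-"; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if (split($i, kv, "=") < 2) continue    # DF, SYN, timestamp ...
                key = kv[1]; sub(/^.*:/, "", key)       # "Dropped:IN" -> "IN"
                if (key == "IN") in_ = kv[2]
                else if (key == "OUT" && kv[2] != "") out_ = kv[2]
                else if (key == "DST") dst = kv[2]
                else if (key == "PROTO") proto = kv[2]
                else if (key == "DPT") dpt = kv[2]
            }
            count[in_ " " out_ " " dst " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# forwarded_drops_to HOST PORT: drops of already-routed packets for HOST:PORT.
# A non-zero answer for the VNC host means the DNAT works and FORWARD is the problem.
forwarded_drops_to() {
    dropped_summary | awk -v h="$1" -v p="$2" \
        '$3 != "-" && $4 == h && $6 == p { s += $1 } END { print s + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | dropped_summary
```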
 
  

