You need a NAT rule (to direct the traffic) and a regular firewall rule (to permit it).
The former will look something like
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4444 -j DNAT --to-destination 192.168.122.50:22
The latter will look something like
iptables -A FORWARD -i eth0 -p tcp --dport 4444 -j ACCEPT
It's up to you to make sure those come at the right point in your existing PREROUTING and FORWARD chains, and in addition you may need a second firewall rule to permit the back-half of those connections out, if you don't already have a general ACCEPT for ESTABLISHED packets.
Edit: the order of your rules is extremely important. The right rule in the wrong place will do no good. Could you replace the grep output above with the result of iptables -L -n -v and iptables -t nat -L -n -v? And if you want port 4444 to be forwarded, don't run a local sshd also bound to that port.
Edit 2: and there's your problem. The ACCEPT you've added in the FORWARD chain is line 7, but line 4 has already explicitly denied all not-previously-permitted traffic from everywhere (*) to virbr0. You need to make arrangements for the line you've added to come before line 4, perhaps by adding the rule with
iptables -I FORWARD 4 -i eth0 -p tcp --dport 4444 -j ACCEPT
which will insert it at line 4, displacing the current line 4 to be line 5 (and so on).
Regarding the current sshd, I mean what I said: that you shouldn't have a daemon bound to port 4444 if you're trying to forward that port. I don't care what other ports it's bound to, only that 4444 is a bad idea.
Edit 3: the machine you're testing this from, this is completely outside the serv05 system, yes? And (after a very trying day putting Fedora 16 on several boxes) I fear you may be right, could you put a comparable ACCEPT rule for 4444 in the INPUT chain as well, being careful to get it before any REJECTs?
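The "right rule in the wrong place" diagnosis above can be checked mechanically. The following is an added example, not code from the answer: it parses a constructed sample of iptables -L FORWARD -n -v --line-numbers output (modelled on the chain described in Edit 2, with the blanket REJECT to virbr0 at line 4 and the ACCEPT for 4444 stranded at line 7), reports whether the ACCEPT is shadowed by an earlier denial, and prints the iptables -I FORWARD command with the position that puts it ahead of that denial. The function names and the sample listing are assumptions for illustration; on a real host you would feed in the live listing instead of SAMPLE_FORWARD.

```shell
# Added example: locate the first REJECT/DROP towards an interface in a
# FORWARD listing and derive the insert position for a port-forward ACCEPT.

# Constructed sample of "iptables -L FORWARD -n -v --line-numbers".
# Line 4 rejects everything to virbr0; the ACCEPT at line 7 never fires.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24     state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
3        0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
4        0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
5        0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
6        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
7        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4444'

# first_deny_to_iface LISTING OUT_IFACE
# Prints the rule number of the first REJECT/DROP whose "out" column is
# OUT_IFACE, or nothing if there is none. Column layout of -L -n -v with
# --line-numbers: num pkts bytes target prot opt in out source destination ...
first_deny_to_iface() {
    printf '%s\n' "$1" | awk -v iface="$2" '
        /^[0-9]+ / && ($4 == "REJECT" || $4 == "DROP") && $8 == iface { print $1; exit }'
}

# accept_rule_position LISTING PORT
# Prints the rule number of an ACCEPT matching "tcp dpt:PORT", if present.
accept_rule_position() {
    printf '%s\n' "$1" | awk -v want="tcp dpt:$2" '
        /^[0-9]+ / && $4 == "ACCEPT" && index($0, want) { print $1; exit }'
}

# accept_is_shadowed LISTING OUT_IFACE PORT
# Succeeds when the ACCEPT for PORT sits after a denial towards OUT_IFACE,
# i.e. when the rule exists but can never be reached.
accept_is_shadowed() {
    deny=$(first_deny_to_iface "$1" "$2")
    acc=$(accept_rule_position "$1" "$3")
    [ -n "$deny" ] && [ -n "$acc" ] && [ "$acc" -gt "$deny" ]
}

# insert_command LISTING OUT_IFACE PORT IN_IFACE
# Emits the iptables command that inserts the ACCEPT at the denial's position,
# pushing the denial (and everything after it) down by one.
insert_command() {
    pos=$(first_deny_to_iface "$1" "$2")
    [ -n "$pos" ] || pos=1   # no denial found: insert at the top of the chain
    printf 'iptables -I FORWARD %s -i %s -p tcp --dport %s -j ACCEPT\n' "$pos" "$4" "$3"
}

# Stand-alone usage on the constructed listing.
if accept_is_shadowed "$SAMPLE_FORWARD" virbr0 4444; then
    echo "ACCEPT for 4444 is shadowed; re-add it with:"
    insert_command "$SAMPLE_FORWARD" virbr0 4444 eth0
fi
```

The check only covers the FORWARD chain; the same ordering problem applies to INPUT if, as Edit 3 suggests, an ACCEPT is added there behind an existing REJECT.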
First verify your vnc server is actually running:
ps -ef | grep -i vnc
Then make sure it is listening:
netstat -nlptu
If that does not work, look for errors in your log, and also try disabling SELinux:
setenforce 0
Also, posting your vnc config would help.
Best Answer
Unless you have some sort of out of band console access to the VPS then you'll have to contact your provider and get them to fix it for you.
What you should have done (you don't mention it) is change the Port directive in /etc/ssh/sshd_config as well as the port to allow in iptables.
You should have changed the port as above and restarted sshd (it doesn't drop your current connection), then added a line to the iptables configuration to allow the new port and restarted iptables. Test that the new connection works, then remove the old connection details with the new connection and restart the services.
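The sequence above (change the Port directive, allow it in iptables, test, only then drop the old port) can be guarded with a pre-restart check. The following is an added example, not code from the answer: it reads a constructed sshd_config and a constructed iptables-save dump and lists every sshd port that has no INPUT ACCEPT, so that sshd is not restarted on a port the firewall will silently block. The sample contents and function names are assumptions; on a real host the inputs would be the real /etc/ssh/sshd_config and the output of iptables-save.

```shell
# Added example: confirm every sshd Port is allowed by iptables before
# restarting sshd over the only connection you have.

# Constructed sample sshd_config: the old port 22 is kept next to the new one.
SAMPLE_SSHD_CONFIG='# constructed sample, not a real config
#Port 22
Port 22
Port 2222
ListenAddress 0.0.0.0'

# Constructed sample iptables-save output: only the old port was allowed.
SAMPLE_IPTABLES_SAVE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# sshd_ports CONFIG: prints the ports sshd will listen on, one per line
# (uncommented Port directives; 22 when none is set, matching sshd's default).
sshd_ports() {
    ports=$(printf '%s\n' "$1" | awk '$1 == "Port" && NF >= 2 { print $2 }')
    if [ -n "$ports" ]; then printf '%s\n' "$ports"; else echo 22; fi
}

# accepted_tcp_ports RULES: prints the --dport of every INPUT ACCEPT rule in
# iptables-save format, one per line.
accepted_tcp_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# unreachable_ssh_ports CONFIG RULES: sshd ports with no matching ACCEPT.
unreachable_ssh_ports() {
    allowed=$(accepted_tcp_ports "$2")
    for p in $(sshd_ports "$1"); do
        printf '%s\n' "$allowed" | grep -qx "$p" || echo "$p"
    done
}

# safe_to_restart CONFIG RULES: succeeds only when every sshd port is allowed.
safe_to_restart() {
    [ -z "$(unreachable_ssh_ports "$1" "$2")" ]
}

# Stand-alone usage on the constructed inputs.
if safe_to_restart "$SAMPLE_SSHD_CONFIG" "$SAMPLE_IPTABLES_SAVE"; then
    echo "all sshd ports are allowed; safe to restart sshd"
else
    echo "do not restart sshd yet; ports without an ACCEPT:"
    unreachable_ssh_ports "$SAMPLE_SSHD_CONFIG" "$SAMPLE_IPTABLES_SAVE"
fi
```

Keeping both Port lines until the new one is verified is what makes the check useful: the old port stays reachable while the firewall rule for the new one is added and tested.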