Brad Smith wrote:

>The packets hit PREROUTING and FORWARD, but not INPUT or OUTPUT, as expected.
>All chains on the gateway ACCEPT by default
>The firewall on the client and vnc server is down 
With iptables forwarded packets would not hit the INPUT or OUTPUT 
chains.  That was only true of ipchains.

Given Kenneth's observation about interfaces I would double-check the 
address in the nat rule, and I would verify that the interface 
connecting to the vnc server is correctly addressed and masked to 
include that address.  My guess is that one of those is wrong and the gw 
is trying to deliver the nat'd packets via its default gateway.


