Apparently, I've been running without any iptables firewall rules on my linux machine for a day or two. D'oh! I think I zeroed out my rules-save file when I was setting up NAT for the user-mode linux test.
Took me forever to write the new rules. NAT in Linux is so confusing. OpenBSD's pf is like a billion times easier. The answer seemed to be to SNAT from the internal network to the external network, and then DNAT individual ports back into the internal network that I want access to from the outside.
That was a 1.5 hour diversion from working on the Quadtree. Gaaah.