LinuxQuestions.org

Linux - Newbie: Want to block access to VNC port (https://www.linuxquestions.org/questions/linux-newbie-8/want-to-block-access-to-vnc-port-726001/)

Sanford Stein 05-14-2009 11:58 AM

Want to block access to VNC port
 
After spending a lot of time getting a VNC viewer to display my RHEL 5.3 system console on a remote Windows PC, I am now being asked to block access to the service for everybody except the LAN (10.10.10.x).

My strategy was to start by blocking the port (5804) for everybody and then putting in a rule to allow access from the LAN.

I issued the following commands, which given my limited expertise with iptables I believed would totally close the port to the entire world:

iptables -A INPUT -p tcp --dport 5804 -s 0.0.0.0/24 -d 0.0.0.0/24 -j REJECT
iptables -A OUTPUT -p tcp --dport 5804 -s 0.0.0.0/24 -d 0.0.0.0/24 -j REJECT
iptables -A INPUT -p tcp --sport 5804 -s 0.0.0.0/24 -d 0.0.0.0/24 -j REJECT
iptables -A OUTPUT -p tcp --sport 5804 -s 0.0.0.0/24 -d 0.0.0.0/24 -j REJECT

But I can still access VNC from anywhere. What am I doing wrong?

(Here is the background of how I set up VNC, in case whoever is looking at this feels it is relevant:)


I started the VNC service by issuing the command:

# vncserver -geometry 1024x768 -depth 16 :4

:1 :2 and :3 failed, don't ask me why.
Also could not start the service using /etc/rc.d/init.d/vncserver or
/root/.vnc/xstartup. Again, don't know why. Only the above command works.

So now I can access the console either via Real VNC at server:4 or
via a browser at http://server:5804.

I don't know if this matters, but when I run 'nmap localhost' on the vnc server I do not see port 5804 but do see X11 port 6004.

Thanks,
Sanford Stein

acid_kewpie 05-14-2009 01:47 PM

Dude, can I urge you NOT to use VNC? It's horrible. 58xx is *only* for serving the Java client applet. This is NOT the VNC connection; that will be on 59xx instead, so *IF* your iptables rules were working, they'd be useless against anyone with their own VNC client already.

For your iptables rule itself, you're filtering a *SOURCE* port in INPUT, which is wrong; you've no idea what the source port is, only the destination. And 0.0.0.0/24 only covers IPs 0.0.0.0 to 0.0.0.255.

So, instead, *PLEASE* use NX, from nomachine.com. Deep down inside there is some VNC code, but it's secure, runs inside an SSH connection and is just all-round nice. If you see mention of NX and FreeNX, the FreeNX server just allows unlimited connections (it used to be the only free server, but now nomachine.com provide an "admin use" level server for free too, which is real nice, so there's no need for you to use FreeNX at all, which makes things even easier). So please, please don't use VNC. It is evil.

syg00 05-14-2009 06:31 PM

:)
Don't hold back, say what you really think of VNC ... :)

Sanford Stein 05-15-2009 09:27 AM

Chris,

Thanks for your suggestion and I will check out nx, but my management has assigned me to implement VNC, so that's what I'm stuck with in the short term.

If I'm hearing you correctly about iptables, you are saying:
1. My only concern is the destination port
2. I am using IP addresses incorrectly.
3. I need to be concerned about ports in the 5900-5999 range.

So what if I tried this:

iptables -A INPUT -p tcp --dport 5800:5999 -j REJECT
iptables -A OUTPUT -p tcp --dport 5800:5999 -j REJECT

This should reject ANY source IP, correct?

Thanks,
SS

pentode 05-15-2009 09:46 AM

Can't you just use the /etc/hosts.allow and host.deny files to do this?

acid_kewpie 05-15-2009 01:15 PM

It would depend on whether vncserver is built against libwrap or not; I'd not be too sure.

As for the iptables rules, the INPUT one should work; the OUTPUT one is wrong but also unnecessary anyway. It totally depends how it fits in with any other existing iptables rules though.

5800 to 5999 will cover displays 0 to 99, but if, for example, a service on screen 201 was started you'd once again have full access to it, as it would run on ports 6001 and 6101. What kind of a crappy model is that? VNC. Boooo.
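The two points made in the replies above (58xx is the applet, 59xx is the real RFB connection, 60xx is the X server, a display past 99 lands back in the 6000s, and 0.0.0.0/24 is only 256 addresses) come down to simple arithmetic. The script below is an added illustration written for this page, not something anyone posted in the thread; it runs in a plain POSIX shell and does not touch iptables.

```shell
#!/bin/sh
# Added example, not from the thread: the arithmetic behind VNC's port
# layout and a CIDR decoder, to show what 5800:5999 does and does not cover
# and what 0.0.0.0/24 actually means.

# Display N is served on three TCP ports.
vnc_ports() {
    n=$1
    echo "$((5800 + n)) $((5900 + n)) $((6000 + n))"   # applet (HTTP), RFB, X11
}

# Every reading of a port number as "base + display". The three bases overlap
# once displays pass 99: 6001 is display 201's applet, display 101's RFB and
# display 1's X11 listener at the same time.
port_meanings() {
    p=$1; out=""
    for pair in 5800:applet 5900:rfb 6000:x11; do
        d=$(( p - ${pair%%:*} ))
        [ "$d" -ge 0 ] && out="$out ${pair#*:}:$d"
    done
    echo "${out# }"
}

# Ports of display $3 that fall outside the range $1:$2, i.e. what a rule
# such as --dport 5800:5999 would leave untouched.
ports_outside() {
    lo=$1; hi=$2; out=""
    for p in $(vnc_ports "$3"); do
        if [ "$p" -lt "$lo" ] || [ "$p" -gt "$hi" ]; then out="$out $p"; fi
    done
    echo "${out# }"
}

# IPv4 helpers and the first/last address of a CIDR block.
ip_to_int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
cidr_range() {
    bits=${1#*/}
    base=$(ip_to_int "${1%/*}")
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    first=$(( base & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$(int_to_ip "$first")-$(int_to_ip "$last")"
}

echo "display 4   -> ports $(vnc_ports 4)"
echo "display 201 -> ports $(vnc_ports 201)"
echo "port 6001 could be: $(port_meanings 6001)"
echo "5800:5999 misses for display 4:   $(ports_outside 5800 5999 4)"
echo "5800:5999 misses for display 201: $(ports_outside 5800 5999 201)"
echo "0.0.0.0/24    = $(cidr_range 0.0.0.0/24)"
echo "10.10.10.0/24 = $(cidr_range 10.10.10.0/24)"
echo "0.0.0.0/0     = $(cidr_range 0.0.0.0/0)"
```

Note that even for display 4 the range 5800:5999 leaves the X11 listener on 6004 (the one nmap showed) untouched, and that "everyone" in iptables is written as 0.0.0.0/0 or simply omitted, never 0.0.0.0/24.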

Sanford Stein 05-15-2009 04:37 PM

Thanks to everyone for their responses.

Pentode, how would I use /etc/hosts.allow and /etc/hosts.deny to make this happen?
Right now both of those files are blank on my system. Do listings in these files take precedence over iptables rules?

Chris, I did try the iptables rules:

iptables -A INPUT -p tcp --dport 5800:5999 -j REJECT

but I was still able to access vnc from my desktop.
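On the hosts.allow/hosts.deny question raised above: tcp_wrappers is consulted by the daemon itself, after the kernel has already accepted the connection, so it cannot take precedence over iptables, and it only does anything for a server that is linked against libwrap (`ldd $(which Xvnc) | grep libwrap` shows whether yours is). The script below is an added example, not part of the thread: it models how the library evaluates the two files (hosts.allow is searched first and a match grants access; then hosts.deny, where a match refuses; if neither file matches the client is let in), which is why two blank files permit everyone. The daemon name Xvnc and the net/mask entry are assumptions; check the server's documentation for the name it registers under.

```shell
#!/bin/sh
# Added example, not from the thread: a small model of how tcp_wrappers
# (libwrap, the library behind /etc/hosts.allow and /etc/hosts.deny) decides
# whether to accept a client, plus the check for whether a binary uses it.
# Only the "daemon : client" syntax with ALL, exact IPv4 addresses and
# net/mask pairs is modelled; the real library handles much more.

# Is this binary linked against libwrap at all? If not, hosts.allow and
# hosts.deny are never consulted for it. Usage: binary_has_libwrap /usr/bin/Xvnc
binary_has_libwrap() {
    ldd "$1" 2>/dev/null | grep -q 'libwrap\.so'
}

ip_to_int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does client pattern $1 (ALL, a.b.c.d, or net/mask) match client IPv4 $2?
client_matches() {
    case $1 in
        ALL) return 0 ;;
        */*) net=${1%/*}; mask=${1#*/}
             [ $(( $(ip_to_int "$2") & $(ip_to_int "$mask") )) -eq \
               $(( $(ip_to_int "$net") & $(ip_to_int "$mask") )) ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# Does any "daemons : clients" line on stdin match daemon $1 and client $2?
file_matches() {
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        daemons=$(echo ${line%%:*} | tr , ' ')
        clients=$(echo ${line#*:}  | tr , ' ')
        for dpat in $daemons; do
            [ "$dpat" = ALL ] || [ "$dpat" = "$1" ] || continue
            for cpat in $clients; do
                client_matches "$cpat" "$2" && return 0
            done
        done
    done
    return 1
}

# The library's order of evaluation: hosts.allow first (match => allow),
# then hosts.deny (match => deny), and if nothing matches the client is
# allowed. $1 daemon, $2 client IP, $3 hosts.allow text, $4 hosts.deny text.
hosts_access() {
    if   printf '%s\n' "$3" | file_matches "$1" "$2"; then echo allow
    elif printf '%s\n' "$4" | file_matches "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Constructed file contents (not copied from any real system). The daemon
# name Xvnc is an assumption: a server may register with libwrap under
# another name, and a server not linked against it ignores both files.
SAMPLE_ALLOW='Xvnc : 10.10.10.0/255.255.255.0'
SAMPLE_DENY='Xvnc : ALL'

echo "10.10.10.25 with both files:  $(hosts_access Xvnc 10.10.10.25 "$SAMPLE_ALLOW" "$SAMPLE_DENY")"
echo "192.168.1.9 with both files:  $(hosts_access Xvnc 192.168.1.9 "$SAMPLE_ALLOW" "$SAMPLE_DENY")"
echo "192.168.1.9 with blank files: $(hosts_access Xvnc 192.168.1.9 '' '')"
```

The practical consequence: hosts.deny has to name the daemon (or ALL) for the block to exist at all, hosts.allow then carves out the LAN, and none of it matters unless binary_has_libwrap says yes for the Xvnc that vncserver starts; iptables is the control that works regardless of how the server was built.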

landysaccount 05-15-2009 09:20 PM

Quote:

Originally Posted by Sanford Stein (Post 3542246)
Thanks to everyone for their responses.

iptables -A INPUT -p tcp --dport 5800:5999 -j REJECT

but I was still able to access vnc from my desktop.

I guess you allow loopback traffic. That's why you're accessing it from your desktop.


Why don't you just drop everything by default and just open ports as you need?

iptables -P INPUT DROP

Sanford Stein 05-18-2009 10:34 AM

landysaccount,

Thank you for your response. I tried to comment out the rules which allow loopback, and then explicitly rejected loopback, but in both cases I was still able to access VNC from my desktop.

My firewall approach IS to start with iptables -P INPUT DROP and then open specific ports. My understanding is that the high number ports are open by default and need to be specifically closed? Even so, my rule 'iptables -A INPUT -p tcp --dport 5800:5999 -j REJECT' does not have the effect of closing the ports.

(FYI, my rule to allow loopback is iptables -A INPUT -i 127.0.0.1 -j ACCEPT)

Any other ideas?

Thanks,
SS

landysaccount 05-19-2009 06:45 AM

Quote:

Originally Posted by Sanford Stein (Post 3544779)
landysaccount,

Thank you for your response. I tried to comment out the rules which allow loopback, and then explicitly rejected loopback, but in both cases I was still able to access VNC from my desktop.

My firewall approach IS to start with iptables -P INPUT DROP and then open specific ports. My understanding is that the high number ports are open by default and need to be specifically closed? Even so, my rule 'iptables -A INPUT -p tcp --dport 5800:5999 -j REJECT' does not have the effect of closing the ports.

(FYI, my rule to allow loopback is iptables -A INPUT -i 127.0.0.1 -j ACCEPT)

Any other ideas?

Thanks,
SS

If you explicitly DROP all packets at the beginning of the script, everything will be dropped by default. Make sure to specify the incoming interface.

iptables -A INPUT -i iface -p tcp .....

maybe....
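Pulling the thread's advice together as a script (added here, not posted by anyone in the thread): loopback accepted with -i lo (the -i option takes an interface name, so 127.0.0.1 is matched with -s, not -i), the LAN allowed to the applet and RFB ports of the chosen displays, and everything else in the VNC port space refused. It inserts its jump at the top of INPUT rather than appending, because a rule appended with -A is evaluated after every rule already in the chain and an earlier ACCEPT wins. The LAN 10.10.10.0/24, the chain name VNC and the display list are assumptions, and the poster's existing default-DROP INPUT policy is left as it is. Run it without APPLY=1 first to review the commands it would issue.

```shell
#!/bin/sh
# Added example, not from the thread: generate (and optionally apply) an
# ordered iptables ruleset that lets only the LAN reach the VNC ports of the
# given displays and refuses everyone else, including the X11 listener that
# nmap showed on 6004. Commands are printed for review unless APPLY=1.
#
# Assumptions not taken from the posts: LAN 10.10.10.0/24, a dedicated chain
# named VNC, displays passed as arguments (e.g. "4"), and the poster's
# existing default-DROP INPUT policy left as it is.

LAN=${LAN:-10.10.10.0/24}
CHAIN=${CHAIN:-VNC}

# Run an iptables command, or just print it when reviewing.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then iptables "$@"; else echo "iptables $*"; fi
}

# Display N listens on 5800+N (Java applet over HTTP) and 5900+N (RFB, what
# native viewers speak). 6000+N is the X11 listener, which no VNC viewer
# needs, so it gets no ACCEPT and falls through to the REJECT below.
vnc_ports() { n=$1; echo "$((5800 + n)) $((5900 + n))"; }

vnc_rules() {
    ipt -N "$CHAIN" 2>/dev/null || true          # harmless if it already exists
    ipt -F "$CHAIN"
    # Loopback first. -i takes an interface name; 127.0.0.1 is an address
    # and would be matched with -s, not -i.
    ipt -A "$CHAIN" -i lo -j ACCEPT
    # LAN ACCEPTs next: iptables stops at the first matching rule, so these
    # must sit above the catch-all REJECT.
    for d in "$@"; do
        for p in $(vnc_ports "$d"); do
            ipt -A "$CHAIN" -s "$LAN" -p tcp --dport "$p" -j ACCEPT
        done
    done
    # Everything else in the applet/RFB/X11 space of displays 0-99 is refused
    # with a TCP reset so remote clients fail at once instead of timing out.
    ipt -A "$CHAIN" -p tcp --dport 5800:6099 -j REJECT --reject-with tcp-reset
    # Hook the chain in at position 1 of INPUT. Appending with -A would put
    # the jump behind every rule already in INPUT, so an earlier broad ACCEPT
    # would win and the REJECT would never be consulted. Remove any jump left
    # by a previous run so it is not added twice.
    ipt -D INPUT -p tcp --dport 5800:6099 -j "$CHAIN" 2>/dev/null || true
    ipt -I INPUT 1 -p tcp --dport 5800:6099 -j "$CHAIN"
}

# Check generated text on stdin: no ACCEPT may follow the REJECT. Exit 0 if
# the order is right.
rules_ordered() {
    awk '/-j ACCEPT/ && seen_reject { bad = 1 }
         /-j REJECT/ { seen_reject = 1 }
         END { exit bad }'
}

if [ $# -gt 0 ]; then vnc_rules "$@"; fi
```

To confirm it is doing what you expect, `iptables -L INPUT -n -v --line-numbers` should show the jump to VNC as rule 1 and its packet counter should climb while a viewer connects; `netstat -tlnp | grep Xvnc` shows which ports the server actually listens on. On RHEL 5, `service iptables save` writes the live rules to /etc/sysconfig/iptables so they survive a reboot.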

