LinuxQuestions.org
Old 05-14-2009, 12:58 PM   #1
Sanford Stein
Member
 
Registered: Jun 2008
Location: Evanston, Illinois
Distribution: RHEL 6.4
Posts: 126

Rep: Reputation: 17
Want to block access to VNC port


After spending a lot of time getting a VNC viewer to display my RHEL 5.3 system console on a remote Windows PC, I am now being asked to block access to the service for everybody except the LAN (10.10.10.x).

My strategy was to start by blocking the port (5804) for everybody and then putting in a rule to allow access from the LAN.

I issued the following commands, which given my limited expertise with iptables I believed would totally close the port to the entire world:

iptables -A INPUT -p tcp --dport 5804 -s 0.0.0.0/24 -d 0.0.0.0/24 -j REJECT
iptables -A OUTPUT -p tcp --dport 5804 -s 0.0.0.0/24 -d 0.0.0.0/24 -j REJECT
iptables -A INPUT -p tcp --sport 5804 -s 0.0.0.0/24 -d 0.0.0.0/24 -j REJECT
iptables -A OUTPUT -p tcp --sport 5804 -s 0.0.0.0/24 -d 0.0.0.0/24 -j REJECT

But I can still access VNC from anywhere. What am I doing wrong?

(Here is the background of how I set up VNC, in case whoever is looking at this feels it is relevant


I started the VNC service by issuing the command:

# vncserver -geometry 1024x768 -depth 16 :4

:1 :2 and :3 failed, don't ask me why.
Also could not start the service using /etc/rc.d/init.d/vncserver or
/root/.vnc/xstartup. Again, don't know why. Only the above command works.

So now I can access the console either via Real VNC at server:4 or
via a browser at http://server:5804.

I don't know if this matters, but when I run 'nmap localhost' on the vnc server I do not see port 5804 but do see X11 port 6004.

Thanks,
Sanford Stein
 
Old 05-14-2009, 02:47 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
Dude, can I urge you NOT to use vnc? It's horrible. 58xx is *only* for serving the java client applet. This is NOT the vnc connection, that will be on 59xx instead, so *IF* your iptables rules were working, they'd be useless against anyone with their own vnc client already.

For your iptables rule itself, you're filtering a *SOURCE* port in input, which is wrong; you've no idea what the source port is, only the destination. And 0.0.0.0/24 only covers IPs 0.0.0.0 to 0.0.0.255.

So, instead, *PLEASE* use nx instead. From nomachine.com. Deep down inside there is some vnc code, but it's secure, runs inside an ssh connection and is just all-round nice. If you see mention of nx and freenx, the freenx server just allows unlimited connections (it used to be the only free server, but now nomachine.com provide an "admin use" level server for free too, which is real nice, so there's no need for you to use freenx at all, which makes things even easier). So please please don't use VNC. It is evil.
 
Old 05-14-2009, 07:31 PM   #3
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 14,838

Rep: Reputation: 1822

Don't hold back, say what you really think of VNC ...
 
Old 05-15-2009, 10:27 AM   #4
Sanford Stein
Member
 
Registered: Jun 2008
Location: Evanston, Illinois
Distribution: RHEL 6.4
Posts: 126

Original Poster
Rep: Reputation: 17
Chris,

Thanks for your suggestion and I will check out nx, but my management has assigned me to implement VNC, so that's what I'm stuck with in the short term.

If I'm hearing you correctly about iptables, you are saying:
1. My only concern is the destination port
2. I am using IP addresses incorrectly.
3. I need to be concerned about ports in the 5900-5999 range.

So what if I tried this:

iptables -A INPUT -p tcp --dport 5800:5999 -j REJECT
iptables -A OUTPUT -p tcp --dport 5800:5999 -j REJECT

This should reject ANY source IP, correct?

Thanks,
SS
 
Old 05-15-2009, 10:46 AM   #5
pentode
Member
 
Registered: Dec 2005
Location: Oregon
Distribution: Debian Testing
Posts: 488

Rep: Reputation: 38
Can't you just use the /etc/hosts.allow and hosts.deny files to do this?
 
Old 05-15-2009, 02:15 PM   #6
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1974
It would depend if vncserver is built against libwrap or not, I'd not be too sure.

As for the iptables line, the INPUT one should work, the OUTPUT one is wrong but also unnecessary anyway. It totally depends how it fits in with any other existing iptables rules though.

5800 to 5999 will cover displays 0 to 99, but if, for example, a service on screen 201 was started you'd once again have full access to it, as it would run on ports 6001 and 6101. What kind of a crappy model is that???? VNC. Boooo.
 
Old 05-15-2009, 05:37 PM   #7
Sanford Stein
Member
 
Registered: Jun 2008
Location: Evanston, Illinois
Distribution: RHEL 6.4
Posts: 126

Original Poster
Rep: Reputation: 17
Thanks to everyone for their responses.

Pentode, how would I use /etc/hosts.allow and /etc/hosts.deny to make this happen?
Right now both of those files are blank on my system. Do listings in these files take precedence over iptables rules?

Chris, I did try the iptables rules:

iptables -A INPUT -p tcp --dport 5800:5999 -j REJECT

but I was still able to access vnc from my desktop.
 
Old 05-15-2009, 10:20 PM   #8
landysaccount
Member
 
Registered: Sep 2008
Location: Dominican Republic
Distribution: Debian
Posts: 188

Rep: Reputation: 18
Quote:
Originally Posted by Sanford Stein
Thanks to everyone for their responses.

iptables -A INPUT -p tcp --dport 5800:5999 -j REJECT

but I was still able to access vnc from my desktop.

I guess you allow loopback traffic. That's why you're accessing it from your desktop.


Why don't you just drop everything by default and just open ports as you need?

iptables -P INPUT DROP
 
Old 05-18-2009, 11:34 AM   #9
Sanford Stein
Member
 
Registered: Jun 2008
Location: Evanston, Illinois
Distribution: RHEL 6.4
Posts: 126

Original Poster
Rep: Reputation: 17
landysaccount,

Thank you for your response. I tried to comment out the rules which allow loopback, and then explicitly rejected loopback, but in both cases I was still able to access VNC from my desktop.

My firewall approach IS to start with iptables -P INPUT DROP and then open specific ports. My understanding is that the high number ports are open by default and need to be specifically closed? Even so, my rule 'iptables -A INPUT -p tcp --dport 5800:5999 -j REJECT' does not have the effect of closing the ports.

(FYI, my rule to allow loopback is iptables -A INPUT -i 127.0.0.1 -j ACCEPT)

Any other ideas?

Thanks,
SS
 
Old 05-19-2009, 07:45 AM   #10
landysaccount
Member
 
Registered: Sep 2008
Location: Dominican Republic
Distribution: Debian
Posts: 188

Rep: Reputation: 18
Quote:
Originally Posted by Sanford Stein
landysaccount,

Thank you for your response. I tried to comment out the rules which allow loopback, and then explicitly rejected loopback, but in both cases I was still able to access VNC from my desktop.

My firewall approach IS to start with iptables -P INPUT DROP and then open specific ports. My understanding is that the high number ports are open by default and need to be specifically closed? Even so, my rule 'iptables -A INPUT -p tcp --dport 5800:5999 -j REJECT' does not have the effect of closing the ports.

(FYI, my rule to allow loopback is iptables -A INPUT -i 127.0.0.1 -j ACCEPT)

Any other ideas?

Thanks,
SS

If you explicitly DROP all packets at the beginning of the script everything will be dropped by default. Make sure to specify the incoming interface.

iptables -A INPUT -i iface -p tcp .....

maybe....
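
Added example, not part of any post in this thread: a small POSIX shell model of first-match rule evaluation. It shows why the source match `0.0.0.0/24` from post #1 matches no real client, how a LAN-first ruleset for 10.10.10.x behaves, and how display 201 from post #6 falls outside `5800:5999`. The rule format, function names and client addresses are constructed for illustration, and the model ignores interface and destination-address matches.

```shell
#!/bin/sh
# Added example: model of first-match filtering. Rule lines use a constructed
# format, "TARGET SRC_CIDR LOWPORT:HIGHPORT"; client addresses are made up.

# ip_to_int A.B.C.D -> the address as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/LEN -> succeeds when IP lies inside NET/LEN.
in_cidr() {
    len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# verdict SRC_IP DPORT (rules on stdin) -> target of the first matching rule,
# or POLICY if none matches, the way a chain is walked top to bottom.
verdict() {
    while read -r target cidr range; do
        lo=${range%:*}; hi=${range#*:}
        if in_cidr "$1" "$cidr" && [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ]; then
            echo "$target"
            return 0
        fi
    done
    echo POLICY
}

# to_iptables (rules on stdin) -> equivalent INPUT commands, printed, not run.
to_iptables() {
    while read -r target cidr range; do
        echo "iptables -A INPUT -p tcp -s $cidr --dport $range -j $target"
    done
}

# Source match from post #1: 0.0.0.0/24 is only 0.0.0.0 to 0.0.0.255.
RULES_POSTED='REJECT 0.0.0.0/24 5804:5804'
# LAN first, then everyone else, for displays 0-99 (58xx applet, 59xx VNC).
RULES_LAN_ONLY='ACCEPT 10.10.10.0/24 5800:5999
REJECT 0.0.0.0/0 5800:5999'
# Constructed: a broad ACCEPT placed earlier shadows the REJECT after it.
RULES_SHADOWED='ACCEPT 0.0.0.0/0 1024:65535
REJECT 0.0.0.0/0 5800:5999'

printf '%s\n' "$RULES_LAN_ONLY" | to_iptables
```

The printed commands use `-A`, so on a live system they only take effect if no earlier INPUT rule already accepts the traffic; `iptables -L INPUT -n --line-numbers` shows the existing order.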
 
  

