LinuxQuestions.org
Old 04-04-2010, 03:01 PM   #1
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Rep: Reputation: 15
Configure IPtables to Only Allow VNC over SSH


Hi,

I am trying to figure out how I can configure IPtables to only allow VNC traffic to an internal server over SSH.

My configuration is WAN < --- > Gateway (Ubuntu 9.10 Server) < --- > Internal Server (that I want to control with VNC over SSH)

Any advice on how to do this would be most appreciated. Thanks for your help.
 
Old 04-05-2010, 12:25 AM   #2
Sayan Acharjee
Member
 
Registered: Feb 2010
Location: Chennai, India
Distribution: Manjaro
Posts: 624

Rep: Reputation: 64
Quote:
Originally Posted by debianfan View Post
Hi,

I am trying to figure out how I can configure IPtables to only allow VNC traffic to an internal server over SSH.

My configuration is WAN < --- > Gateway (Ubuntu 9.10 Server) < --- > Internal Server (that I want to control with VNC over SSH)

Any advice on how to do this would be most appreciated. Thanks for your help.
VNC uses port 5900 by default and ssh uses port 22, so you can allow these two ports and restrict all other ports using iptables.

Try this:

Code:
# Each rule is inserted with -I, so it lands at the top of INPUT. Run in this
# order and the chain ends up as: 22 ACCEPT, 5900 ACCEPT, DROP everything else.
# There is no RELATED,ESTABLISHED rule here, so replies to connections the
# gateway itself opens (package updates, DNS) are dropped too.
iptables -I INPUT -s 0.0.0.0/0.0.0.0 -d your_machine_ip/netmask -j DROP
iptables -I INPUT -s 0.0.0.0/0.0.0.0 -d your_machine_ip/netmask -p tcp --dport 5900 -j ACCEPT
iptables -I INPUT -s 0.0.0.0/0.0.0.0 -d your_machine_ip/netmask -p tcp --dport 22 -j ACCEPT

Last edited by Sayan Acharjee; 04-05-2010 at 02:39 AM.
 
Old 04-05-2010, 02:18 AM   #3
bakdong
Member
 
Registered: Apr 2009
Posts: 214

Rep: Reputation: 44
You could open the ssh port to the gateway and port forward the vnc port to the internal server. Unless you want to vnc to the gateway there's no need to open that port there.

ssh -L 5900:[internal server ip]:5900 -f -N user@[external gateway ip]

An alternative would be to forward a port to the internal server and use that to ssh direct to that machine. Then use ssh to tunnel the vnc there too.
 
Old 04-05-2010, 09:38 AM   #4
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
Thanks for the quick replies. So I just want to make sure I understand the semantics first before I proceed. So essentially I could just open the SSH port, which would then contain my VNC traffic that is forwarded internally. So on the internal machine I would just need to make sure I have input to the SSH and VNC ports accepted, while only leaving the SSH port open on the gateway.

So in the command you included, it is basically saying connect over SSH using the local VNC port and connecting to the internal machine's VNC port and go through this gateway IP. Is that the gist?

Do I need to do any other configuration on the internal machine to get this up and running?

Specifically, if I am using a screen sharing application, what do I need to do once the connection is established to get the screen sharing application to use that tunnel?

Also, as to the alternative option. Would you recommend one over the other? Is there a security advantage to either?

Thanks for your help.

Last edited by debianfan; 04-05-2010 at 10:52 AM.
 
Old 04-05-2010, 12:26 PM   #5
gumaheru
LQ Newbie
 
Registered: Nov 2009
Posts: 20

Rep: Reputation: 0
Hey debianfan, don't use vnc. Use nxserver from nomachine. Vnc sucks when there is a high latency. I set up nxserver on our servers in London so that our Oracle DBA can conduct maintenance from the US. It is fast and you don't see a slowdown. You can find it at www.nomachine.com. I only found out about this after reading an article on cyberciti.biz.
 
Old 04-05-2010, 12:41 PM   #6
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
Will this work with Mac OS X server as well? One of my internal machines is a mac and I ideally would like a solution that works across the board. Thanks for pointing it out.
 
Old 04-06-2010, 11:02 AM   #7
bakdong
Member
 
Registered: Apr 2009
Posts: 214

Rep: Reputation: 44
Quote:
Originally Posted by debianfan View Post
Thanks for the quick replies. So I just want to make sure I understand the semantics first before I proceed. So essentially I could just open the SSH port, which would then contain my VNC traffic that is forwarded internally. So on the internal machine I would just need to make sure I have input to the SSH and VNC ports accepted, while only leaving the SSH port open on the gateway.
Not quite. You ssh to the gateway and then forward vnc through that to the internal server. If you already have ssh access to the gateway you don't need to do anything else. i.e. you need ssh access to the gateway from the internet, and vnc access from the gateway to the internal machine.

If you don't already have access to ssh on the gateway, you could instead open up access to ssh on the internal machine and direct the vnc to localhost (i.e. the same machine) instead. You could do this using any port from outside to avoid hacking/botnet attacks.

So vnc is channelled through ssh using port xxxx to the internal machine on port 22.

No other configuration necessary, and works nicely with macs and all. I do it all the time around the globe.
 
Old 04-06-2010, 11:11 AM   #8
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
Thanks Bakdong, ahh that makes sense. One follow-up question, that may be basic but I wanted to ask. Once the connection is made over SSH how do I actually initiate the screen sharing over VNC? I likely will be using a mac laptop, and the built in screen sharing utility. Do I just need to open it up and direct it to my internal machine's IP? Thanks again for your help.
 
Old 04-06-2010, 11:41 AM   #9
bakdong
Member
 
Registered: Apr 2009
Posts: 214

Rep: Reputation: 44
If you are redirecting using ssh you direct the initial contact to localhost. e.g. I ssh to a server on a remote lan, port forward a vnc connection to my workstation on that lan, then open the vnc client locally and point it at the local machine, port 5900. That's picked up by the ssh and channeled to the machine I forwarded it to. That's a pretty convoluted explanation, sorry, it's getting late here! It can get more complicated (and useful) because you can configure the forwarding to accept connections from other machines, and also reverse connections.... You can also channel two or more vnc connections by changing the local ports. So port 5900 goes to host1:5900, port 5901 goes to host2:5900 etc....
 
Old 04-06-2010, 02:09 PM   #10
debianfan
Member
 
Registered: Mar 2010
Posts: 54

Original Poster
Rep: Reputation: 15
Ok so if I want to connect to the internal server through SSH and then forward VNC to the local loopback on that server (the second option you mentioned earlier), should I use this command:

ssh -L 5900:127.0.0.1:5900 -f -N user@[internal server ip]

And then I get a little confused. So on the remote internal machine I open up the screen sharing (VNC) client and point it to the localhost address? or I open the screen sharing (VNC) client on the machine I am using to control the remote internal server using the IP address below?

[127.0.0.1] or [internal server ip]

Is one of those correct?

I was leaning to your earlier recommended second option because then I only need to allow SSH through the gateway server, and don't have to make any forward rules for VNC traffic on the gateway.

Thanks again.

Last edited by debianfan; 04-06-2010 at 02:14 PM.
 
Old 04-06-2010, 09:40 PM   #11
bakdong
Member
 
Registered: Apr 2009
Posts: 214

Rep: Reputation: 44
Quote:
Originally Posted by debianfan View Post
Ok so if I want to connect to the internal server through SSH and then forward VNC to the local loopback on that server (the second option you mentioned earlier), should I use this command:

ssh -L 5900:127.0.0.1:5900 -f -N user@[internal server ip]
Yes, that's right. That takes anything directed at port 5900 on the machine you're running the ssh client on (probably the one you're sitting in front of) and forwards it to the machine that you're sshing to.

Quote:
Originally Posted by debianfan View Post
And then I get a little confused. So on the remote internal machine I open up the screen sharing (VNC) client and point it to the localhost address? or I open the screen sharing (VNC) client on the machine I am using to control the remote internal server using the IP address below?

[127.0.0.1] or [internal server ip]

Is one of those correct?
Yes, the second one. Once you have fired up ssh you forget about it, start the vnc client on the machine you're sitting in front of, direct it at 'localhost::5900' (or just 'localhost', or '127.0.0.1') and you should connect to the remote internal machine.

This is reliant on the fact that you have actually ssh'd to the correct (internal server) to start with, which means you have to set up port forwarding on your router/gateway to direct a port there.

Quote:
Originally Posted by debianfan View Post
I was leaning to your earlier recommended second option because then I only need to allow SSH through the gateway server, and don't have to make any forward rules for VNC traffic on the gateway.
You only have to deal with ssh traffic anyway. The vnc traffic is tunneled and not seen until it emerges.
 
Old 04-09-2010, 04:28 PM   #12
javaroast
Member
 
Registered: Apr 2005
Posts: 131

Rep: Reputation: 19
Use vncserver -localhost to start the VNC server session. That way VNC only answers to connections coming from localhost.
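A small check for the point made in the last two posts, added here and not part of the thread: after starting the server with vncserver -localhost (or after opening the ssh -L forward on your own machine), the VNC port should only be bound to a loopback address. The script parses ss -ltn style output; the two dumps are constructed samples, not captured from any real host.

```python
"""Verify that a listener on a given port is bound to loopback only.

Intended for `ss -ltn` output (columns: State Recv-Q Send-Q
Local Address:Port Peer Address:Port ...). The dumps below are
constructed samples for offline use.
"""

# Constructed: internal server started with `vncserver -localhost`.
SS_LOCALHOST_ONLY = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:5900    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
"""

# Constructed: same server started without -localhost; VNC is reachable
# from anything on the LAN, so the ssh tunnel is no longer the only way in.
SS_ALL_INTERFACES = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5      0.0.0.0:5900      0.0.0.0:*
LISTEN 0      5      [::]:5900         [::]:*
"""

# Addresses that only the local machine can reach.
LOOPBACK = {"127.0.0.1", "[::1]"}


def listeners(ss_output):
    """Yield (local_address, port) for every LISTEN line in the dump."""
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::]:5900 intact.
        addr, _, port = cols[3].rpartition(":")
        yield addr, port


def loopback_only(ss_output, port):
    """True if at least one listener exists on `port` and every one of
    them is bound to a loopback address; False otherwise."""
    bound = [addr for addr, p in listeners(ss_output) if p == str(port)]
    return bool(bound) and all(addr in LOOPBACK for addr in bound)


if __name__ == "__main__":
    for name, dump in (("with -localhost", SS_LOCALHOST_ONLY),
                       ("without -localhost", SS_ALL_INTERFACES)):
        print(name, "->", "ok" if loopback_only(dump, 5900) else "EXPOSED")
```

Run it against `ss -ltn` on the internal server after starting the VNC server, and on your laptop after opening the tunnel; both should report ok for port 5900.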
 
Old 04-18-2010, 07:29 AM   #13
SuperJediWombat!
Member
 
Registered: Apr 2009
Location: Perth, Australia
Distribution: Ubuntu/CentOS
Posts: 208

Rep: Reputation: 51
If you are only wanting vnc over ssh, the iptables rules you would want should block everything except the ssh port.

Code:
# Start from an empty INPUT chain, then deny by default (-P needs the chain name).
iptables -F INPUT
iptables -P INPUT DROP
# Loopback, replies to connections we started, and ssh from outside.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
That will:
Flush (-F) all the rules in the INPUT chain
Change the default policy to drop all incoming packets.
Allow all traffic on the loopback interface (127.0.0.1)
Allow all traffic that is part of a stream you initiated from inside the firewall. (return traffic)
Allow in ssh traffic from the outside.

All of the VNC traffic looks like locally generated traffic, so you only need to allow in SSH.

Last edited by SuperJediWombat!; 04-18-2010 at 07:31 AM.
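An added check, not from the thread, that audits a gateway's INPUT chain against the intent of this post: default deny, loopback and return traffic allowed, and nothing but ssh accepted from outside. It parses iptables -S INPUT output; both dumps are constructed samples (the second mirrors the earlier suggestion that also opens 5900), and 203.0.113.10 is a documentation address standing in for the gateway.

```python
"""Audit `iptables -S INPUT` output for an 'only ssh in' gateway."""
import shlex

# Constructed dump matching the ruleset in the post above.
GOOD_DUMP = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
"""

# Constructed dump in the spirit of the first reply: VNC itself is exposed
# and nothing lets the gateway's own outbound connections get replies.
BAD_DUMP = """\
-A INPUT -d 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -d 203.0.113.10/32 -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -d 203.0.113.10/32 -j DROP
"""


def parse_rules(dump):
    """Return (policy, rules); each rule is its option list without '-A INPUT'."""
    policy, rules = "ACCEPT", []   # ACCEPT is the kernel default when no -P is shown
    for line in dump.splitlines():
        toks = shlex.split(line)
        if len(toks) >= 3 and toks[0] == "-P" and toks[1] == "INPUT":
            policy = toks[2]
        elif len(toks) >= 2 and toks[0] == "-A" and toks[1] == "INPUT":
            rules.append(toks[2:])
    return policy, rules


def opt(rule, flag):
    """Value following `flag` in a rule token list, or None if absent."""
    return rule[rule.index(flag) + 1] if flag in rule else None


def audit(dump, ssh_port="22"):
    """Findings as a list of strings; empty means the chain matches the intent."""
    policy, rules = parse_rules(dump)
    findings, saw_established = [], False
    catch_all_drop = any(opt(r, "-j") == "DROP" and "--dport" not in r for r in rules)
    if policy != "DROP" and not catch_all_drop:
        findings.append("no default deny on INPUT")
    for r in rules:
        if opt(r, "-j") != "ACCEPT" or opt(r, "-i") == "lo":
            continue                       # drops and loopback are fine
        if "ESTABLISHED" in (opt(r, "--state") or ""):
            saw_established = True
            continue
        if opt(r, "--dport") != ssh_port:  # -S prints 'ssh' as 22
            findings.append("exposes tcp/%s" % (opt(r, "--dport") or "all ports"))
    if not saw_established:
        findings.append("no RELATED,ESTABLISHED rule: replies to the gateway's own connections are dropped")
    return findings
```

Feed it `iptables -S INPUT` from the gateway; anything it prints is a port reachable from the WAN without going through ssh.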