Linux - Security (LinuxQuestions.org)
You could open the ssh port to the gateway and port forward the vnc port to the internal server. Unless you want to vnc to the gateway there's no need to open that port there.
ssh -L 5900:[internal server ip]:5900 -f -N user@[external gateway ip]
An alternative would be to forward a port to the internal server and use that to ssh direct to that machine. Then use ssh to tunnel the vnc there too.
Thanks for the quick replies. So I just want to make sure I understand the semantics first before I proceed. So essentially I could just open the SSH port, which would then contain my VNC traffic that is forwarded internally. So on the internal machine I would just need to make sure I have input to the SSH and VNC ports accepted, while only leaving the SSH port open on the gateway.
So in the command you included, it is basically saying connect over SSH using the local VNC port and connecting to the internal machine's VNC port and go through this gateway IP. Is that the gist?
Do I need to do any other configuration on the internal machine to get this up and running?
Specifically, if I am using a screen sharing application, what do I need to do once the connection is established to get the screen sharing application to use that tunnel?
Also, as to the alternative option. Would you recommend one over the other? Is there a security advantage to either?
Hey debianfan, don't use vnc. Use nxserver from nomachine. Vnc sucks when there is a high latency. I set up nxserver on our servers in London so that our Oracle DBA can conduct maintenance from the US. It is fast and you don't see a slow down. You can find it at www.nomachine.com. I only found out about this after reading an article on cyberciti.biz.
Will this work with Mac OS X server as well? One of my internal machines is a Mac, and I would ideally like a solution that works across the board. Thanks for pointing it out.
Quote:
Originally Posted by debianfan
Thanks for the quick replies. So I just want to make sure I understand the semantics first before I proceed. So essentially I could just open the SSH port, which would then contain my VNC traffic that is forwarded internally. So on the internal machine I would just need to make sure I have input to the SSH and VNC ports accepted, while only leaving the SSH port open on the gateway.
Not quite. You ssh to the gateway and then forward vnc through that to the internal server. If you already have ssh access to the gateway you don't need to do anything else. i.e. you need ssh access to the gateway from the internet, and vnc access from the gateway to the internal machine.
If you don't already have access to ssh on the gateway, you could instead open up access to ssh on the internal machine and direct the vnc to localhost (i.e. the same machine) instead. You could do this using any port from outside to avoid hacking/botnet attacks.
So vnc is channelled through ssh using port xxxx to the internal machine on port 22.
No other configuration necessary, and works nicely with macs and all. I do it all the time around the globe.
Thanks Bakdong, ahh that makes sense. One follow-up question, that may be basic but I wanted to ask. Once the connection is made over SSH, how do I actually initiate the screen sharing over VNC? I likely will be using a mac laptop, and the built in screen sharing utility. Do I just need to open it up and direct it to my internal machine's IP? Thanks again for your help.
If you are redirecting using ssh you direct the initial contact to localhost. e.g. I ssh to a server on a remote lan, port forward a vnc connection to my workstation on that lan, then open the vnc client locally and point it at the local machine, port 5900. That's picked up by the ssh and channeled to the machine I forwarded it to. That's a pretty convoluted explanation, sorry, it's getting late here! It can get more complicated (and useful) because you can configure the forwarding to accept connections from other machines, and also reverse connections.... You can also channel two or more vnc connections by changing the local ports. So port 5900 goes to host1:5900, port 5901 goes to host2:5900 etc....
Ok so if I want to connect to the internal server through SSH and then forward VNC to the local loopback on that server (the second option you mentioned earlier), should I use this command:
ssh -L 5900:127.0.0.1:5900 -f -N user@[internal server ip]
And then I get a little confused. So on the remote internal machine I open up the screen sharing (VNC) client and point it to the localhost address? Or do I open the screen sharing (VNC) client on the machine I am using to control the remote internal server, using the IP address below?
[127.0.0.1] or [internal server ip]
Is one of those correct?
I was leaning to your earlier recommended second option because then I only need to allow SSH through the gateway server, and don't have to make any forward rules for VNC traffic on the gateway.
Quote:
Originally Posted by debianfan
Ok so if I want to connect to the internal server through SSH and then forward VNC to the local loopback on that server (the second option you mentioned earlier), should I use this command:
ssh -L 5900:127.0.0.1:5900 -f -N user@[internal server ip]
Yes, that's right. That takes anything directed at port 5900 on the machine you're running the ssh client on (probably the one you're sitting in front of) and forwards it to the machine that you're sshing to.
Quote:
Originally Posted by debianfan
And then I get a little confused. So on the remote internal machine I open up the screen sharing (VNC) client and point it to the localhost address? Or do I open the screen sharing (VNC) client on the machine I am using to control the remote internal server, using the IP address below?
[127.0.0.1] or [internal server ip]
Is one of those correct?
Yes, the second one. Once you have fired up ssh you forget about it, start the vnc client on the machine you're sitting in front of, direct it at 'localhost::5900' (or just 'localhost', or '127.0.0.1') and you should connect to the remote internal machine.
This is reliant on the fact that you have actually ssh'd to the correct machine (the internal server) to start with, which means you have to set up port forwarding on your router/gateway to direct a port there.
Quote:
Originally Posted by debianfan
I was leaning to your earlier recommended second option because then I only need to allow SSH through the gateway server, and don't have to make any forward rules for VNC traffic on the gateway.
You only have to deal with ssh traffic anyway. The vnc traffic is tunneled and not seen until it emerges.
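Putting the forwarding scheme from the last few posts (one loopback port per internal host, vnc client pointed at localhost) into a script, as an added example that is not code from the thread: it builds the ssh command for one or more internal hosts through the gateway, and checks an `ss -ltn` style listener table so that the forwarded port is only reachable from the machine you are sitting at. The gateway, host names and the sample `ss` output are constructed for illustration; `ExitOnForwardFailure` is a standard ssh option, used here so a backgrounded `-f -N` ssh exits instead of quietly running on with no forward.

```shell
#!/bin/sh
# Added example (not from the thread). Builds the ssh tunnel command for the
# scheme described above (local 5900 -> host1:5900, 5901 -> host2:5900, ...)
# and checks that forwarded ports are bound to loopback only.
# Gateway, host names and the sample 'ss' output are constructed.

# build_vnc_tunnel_cmd USER@GATEWAY HOST1 [HOST2 ...]
# 127.0.0.1 is ssh's default bind address for -L, stated explicitly here so
# the forward can never be reached by other machines on your LAN.
build_vnc_tunnel_cmd() {
    [ $# -ge 2 ] || { echo "usage: build_vnc_tunnel_cmd user@gateway host..." >&2; return 1; }
    target=$1; shift
    cmd="ssh -o ExitOnForwardFailure=yes -f -N"
    lport=5900
    for host in "$@"; do
        cmd="$cmd -L 127.0.0.1:${lport}:${host}:5900"
        lport=$((lport + 1))
    done
    echo "$cmd $target"
}

# forward_is_loopback_only PORT < ss-output
# Reads 'ss -ltn' lines on stdin; returns 0 only if every listener on PORT is
# bound to 127.0.0.1 or [::1]. A 0.0.0.0 or [::] bind (GatewayPorts, or
# -L 0.0.0.0:...) means anyone on your LAN could ride the tunnel to the VNC server.
forward_is_loopback_only() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")           # column 4 is addr:port
            if (a[n] == port) {
                seen = 1
                if ($4 !~ /^127\.0\.0\.1:/ && $4 !~ /^\[::1\]:/) bad = 1
            }
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Constructed 'ss -ltn' output: a correct forward on 5900 and a second forward
# on 5901 that was mistakenly bound to all interfaces.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:5900       0.0.0.0:*
LISTEN  0       128     0.0.0.0:5901         0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*'

# check_sample_forward PORT: run the check against the constructed table
check_sample_forward() {
    printf '%s\n' "$SAMPLE_SS" | forward_is_loopback_only "$1"
}

# Usage on a real machine: run the printed command, then
#   ss -ltn | forward_is_loopback_only 5900 && echo "tunnel is loopback-only"
build_vnc_tunnel_cmd admin@gw.example host1 host2
check_sample_forward 5900 && echo "5900: loopback only"
check_sample_forward 5901 || echo "5901: exposed beyond loopback"
```

Once the command has been run, the vnc client on your own machine is pointed at localhost:5900 (or 5901 for the second host), exactly as Bakdong describes; the listener check is the quick way to confirm nobody else on the LAN can use that port.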
If you are only wanting vnc over ssh, the iptables rules you would want should block everything except the ssh port.
Code:
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
That will:
Flush (-F) all the rules in the INPUT chain
Change the default policy to drop all incoming packets.
Allow all traffic on the loopback interface (127.0.0.1)
Allow all traffic that is part of a stream you initiated from inside the firewall. (return traffic)
Allow in ssh traffic from the outside.
All of the VNC traffic looks like locally generated traffic, so you only need to allow in SSH.
Last edited by SuperJediWombat!; 04-18-2010 at 07:31 AM.
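The same ssh-only policy written as an iptables-restore ruleset, as an added example that is not code from the thread: iptables-restore commits the whole table in one step, so there is no moment where INPUT is already DROP but the RELATED,ESTABLISHED rule is not yet in place (running the five commands one at a time over an ssh session has that moment). The ssh port is a parameter because an earlier post suggests exposing ssh on a non-default port; 5900 is never opened, since VNC only ever arrives inside the tunnel and emerges on lo. The port number and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): the ssh-only INPUT policy above as an
# iptables-restore ruleset, plus a check that no other port is accepted.

# ssh_only_ruleset [SSH_PORT]  -> prints the filter table (default port 22)
ssh_only_ruleset() {
    ssh_port=${1:-22}
    case $ssh_port in
        *[!0-9]*) echo "ssh_only_ruleset: port must be numeric" >&2; return 1 ;;
    esac
    # FORWARD is deliberately not listed: iptables-restore only changes the
    # policy of chains it names, and a gateway may be routing LAN traffic.
    # '-m conntrack --ctstate' is the current spelling of '-m state --state'.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# accepts_inbound_port PORT < ruleset  -> 0 if an INPUT rule accepts new TCP
# connections to PORT. Use it to confirm only the ssh port is reachable.
accepts_inbound_port() {
    grep -q -- "^-A INPUT -p tcp --dport $1 .* -j ACCEPT$"
}

# Usage (as root), parsing first and committing only if the parse succeeds:
#   ssh_only_ruleset 2222 | iptables-restore --test && \
#   ssh_only_ruleset 2222 | iptables-restore
ssh_only_ruleset 2222
ssh_only_ruleset 2222 | accepts_inbound_port 5900 || echo "5900 (VNC) is not exposed"
```

Loading with iptables-restore also means a typo in one rule rejects the whole table instead of leaving the host half-configured, which is the failure mode the thread's one-command-at-a-time version cannot avoid.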