LinuxQuestions.org
Old 11-10-2017, 06:56 AM   #1
adamthekiwi
LQ Newbie
 
Registered: Nov 2017
Location: Edinburgh
Posts: 9

Rep: Reputation: Disabled
Struggling to connect to Ubuntu server using VNC


Hi folks,

I have an Ubuntu headless server (17.04) that I want to use for virtualisation and access using VNC. The two main clients that I'm trying to use for this are Windows 10, although I've also tried from a xenial laptop. This is all being accessed on my home LAN.

tl;dr Installed TightVNC server, running OK, all ports appear to be open on server, clients can't connect, nmap suggests only ports 22, 8000 and 8001 are open - can anyone help?

Long version:

On the server (hostname 'numbersix', ip 192.168.1.6) I've installed TightVNC server and Xfce. I've installed TightVNC as a systemd service - this all seems to work, as, after starting, 'sudo systemctl status vncserver@1' gives:
Code:
● vncserver@1.service - Start TightVNC server at startup
   Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2017-11-09 21:38:13 GMT; 6s ago
  Process: 3924 ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :1 (code=exited, status=0/SUCCESS)
  Process: 3916 ExecStartPre=/usr/bin/vncserver -kill :1 > /dev/null 2>&1 (code=exited, status=2)
 Main PID: 3937 (Xtightvnc)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/system-vncserver.slice/vncserver@1.service
           ‣ 3937 Xtightvnc :1 -desktop X -auth /home/adam/.Xauthority -geometry 1280x800 -depth 24 -rfbwait 120000 -rfbauth /h

Nov 09 21:38:12 numbersix systemd[1]: Starting Start TightVNC server at startup...
Nov 09 21:38:12 numbersix systemd[3916]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:12 numbersix systemd[3924]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:13 numbersix systemd[1]: Started Start TightVNC server at startup.
'sudo netstat -nlpt | grep -i vnc' gives:
Code:
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      3937/Xtightvnc
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN      3937/Xtightvnc
'nmap numbersix' (run locally) gives:
Code:
Nmap scan report for numbersix (127.0.1.1)
Host is up (0.000014s latency).
Other addresses for numbersix (not scanned): 192.168.1.6
Not shown: 989 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
5901/tcp open  vnc-1
6001/tcp open  X11:1
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
8080/tcp open  http-proxy
9091/tcp open  xmltec-xmlmail

Nmap done: 1 IP address (1 host up) scanned in 1.66 seconds
Finally, I had a check of iptables - the output is pretty huge:
Code:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
OUTPUT_direct  all  --  anywhere             anywhere

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination
FWDI_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination
FWDO_public  all  --  anywhere             anywhere            [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain FORWARD_direct (1 references)
target     prot opt source               destination

Chain FWDI_public (1 references)
target     prot opt source               destination
FWDI_public_log  all  --  anywhere             anywhere
FWDI_public_deny  all  --  anywhere             anywhere
FWDI_public_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain FWDI_public_allow (1 references)
target     prot opt source               destination

Chain FWDI_public_deny (1 references)
target     prot opt source               destination

Chain FWDI_public_log (1 references)
target     prot opt source               destination

Chain FWDO_public (1 references)
target     prot opt source               destination
FWDO_public_log  all  --  anywhere             anywhere
FWDO_public_deny  all  --  anywhere             anywhere
FWDO_public_allow  all  --  anywhere             anywhere

Chain FWDO_public_allow (1 references)
target     prot opt source               destination

Chain FWDO_public_deny (1 references)
target     prot opt source               destination

Chain FWDO_public_log (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  anywhere             anywhere            [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain IN_public (1 references)
target     prot opt source               destination
IN_public_log  all  --  anywhere             anywhere
IN_public_deny  all  --  anywhere             anywhere
IN_public_allow  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8000 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8001 ctstate NEW
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:64667 ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination

Chain IN_public_log (1 references)
target     prot opt source               destination

Chain OUTPUT_direct (1 references)
target     prot opt source               destination
Now, line six of the INPUT chain suggests that everything is open - is that right?

Running 'sudo nmap numbersix' from my Ubuntu laptop gives:
Code:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-10 12:50 GMT
Nmap scan report for numbersix (192.168.1.6)
Host is up (0.0032s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
MAC Address: 60:45:CB:64:2B:C8 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds
What am I missing?

Adam...

Last edited by adamthekiwi; 11-10-2017 at 07:22 AM.
 
Old 11-10-2017, 07:04 AM   #2
angel115
Member
 
Registered: Jul 2005
Location: France / Ireland
Distribution: Debian mainly, and Ubuntu
Posts: 542

Rep: Reputation: 79
Correct me if I'm wrong, but VNC is mainly to connect to a remote host which has a UI.
Ubuntu server doesn't have any.

Is there any reason why you can't use SSH? (as I can see you have an ssh server running on your machine)
Why do you need VNC?
 
Old 11-10-2017, 07:22 AM   #3
adamthekiwi
LQ Newbie
 
Registered: Nov 2017
Location: Edinburgh
Posts: 9

Original Poster
Rep: Reputation: Disabled
Hi angel115,

Yes, you're right, but TightVNC starts up a graphical desktop - in this case, I've set it up to (in theory) start Xfce - ~/.vnc/xstartup contains
Code:
#!/bin/bash
xrdb $HOME/.Xresources
startxfce4 &
Yes, you're also right - I can use (and am using) ssh. This is less about VNC now and more about me understanding what is going on!

Cheers - Adam...

Last edited by adamthekiwi; 11-10-2017 at 07:25 AM. Reason: More details
 
Old 11-14-2017, 01:50 PM   #4
adamthekiwi
LQ Newbie
 
Registered: Nov 2017
Location: Edinburgh
Posts: 9

Original Poster
Rep: Reputation: Disabled
Hi folks - can no-one assist me with this one?
 
Old 11-16-2017, 11:05 AM   #5
Hackerit
LQ Newbie
 
Registered: Jun 2014
Location: LinuxLand
Distribution: Debian
Posts: 3

Rep: Reputation: Disabled
Can you log in to Xfce and see the GUI locally?
 
Old 11-16-2017, 11:39 AM   #6
adamthekiwi
LQ Newbie
 
Registered: Nov 2017
Location: Edinburgh
Posts: 9

Original Poster
Rep: Reputation: Disabled
Hi Hackerit,

I've not tried yet - it's a headless server. I can move the box to within range of a monitor, find a monitor cable and connect a spare keyboard & mouse and check - but, really, the problem is that the network port is not open when netstat is reporting that it is and there is an application (tightvncserver, in this case) listening on it. The same applies to a whole host of other ports...

Cheers - Adam...
 
Old 11-18-2017, 05:40 AM   #7
adamthekiwi
LQ Newbie
 
Registered: Nov 2017
Location: Edinburgh
Posts: 9

Original Poster
Rep: Reputation: Disabled
Hi folks,

Answering my own problem, for the benefit of anyone else who, like me, struggles with getting their head around iptables.

The answer lay in my failure to understand iptables - and particularly what the output from 'sudo iptables -L' meant...

When I instead ran 'sudo iptables -S', I was presented with a much fuller description of each rule, and it was obvious then that there wasn't a suitable INPUT rule that was allowing tcp traffic on 5901 (or any of the other ports I was looking at) through. Then the final INPUT rule, which was essentially REJECTing everything that didn't match a rule, was collecting this traffic. The rule that I thought should have been ACCEPTing the traffic applied only to the lo interface (loopback).

I ran this:
Code:
sudo iptables -I INPUT 7 -s 192.168.1.0/24 -i enp37s0 -j ACCEPT
That's basically inserting a rule at line 7 of the INPUT chain, and telling it to ACCEPT any traffic from the 192.168.1.0/24 subnet arriving on the ethernet port.

The next challenge is getting iptables-persistent to actually work on reboot!!
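
To show why the 'iptables -L' listing was misleading, this added example (not part of the original post) replays first-match evaluation over constructed 'iptables -S' style rules modelled on the thread's INPUT chain. The virbr0 and lo interface matches, the client address 192.168.1.20 and the helper names parse, matches and walk are assumptions; negated ('!') matches are not handled.

```python
from ipaddress import ip_address, ip_network

# Constructed -S style rules modelled on the thread; virbr0/lo matches are assumed.
RULES = """\
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
"""

def parse(text):  # -> {chain: [{flag: value}, ...]} in rule order
    chains = {}
    for tok in (l.split() for l in text.splitlines() if l.startswith("-A ")):
        chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return chains

FIELDS = (("-i", "iface"), ("-p", "proto"), ("--dport", "dport"))
def matches(o, pkt):
    """True if every match the rule specifies agrees with the packet."""
    return (all(o.get(f, str(pkt[k])) == str(pkt[k]) for f, k in FIELDS)
            and ip_address(pkt["src"]) in ip_network(o.get("-s", "0.0.0.0/0"))
            and pkt["ctstate"] in o.get("--ctstate", pkt["ctstate"]).split(","))

def walk(chains, pkt, chain="INPUT"):
    """First-match evaluation; None means the chain ended without a verdict."""
    for o in chains.get(chain, []):
        if matches(o, pkt):
            target = o.get("-j") or o.get("-g")
            verdict = target if target in ("ACCEPT", "DROP", "REJECT") else walk(chains, pkt, target)
            if verdict or "-g" in o:  # a goto never resumes the calling chain
                return verdict
    return None

chains = parse(RULES)
vnc = {"iface": "enp37s0", "src": "192.168.1.20", "proto": "tcp", "dport": 5901, "ctstate": "NEW"}
before = walk(chains, vnc)  # no rule matches until the catch-all REJECT
# Same effect as the thread's `iptables -I INPUT 7 -s 192.168.1.0/24 -i enp37s0 -j ACCEPT`
chains["INPUT"].insert(6, {"-s": "192.168.1.0/24", "-i": "enp37s0", "-j": "ACCEPT"})
after = walk(chains, vnc)
```

The inserted rule admits every protocol and port from the LAN; adding '-p tcp --dport 5901' to the same command would limit it to the VNC display. 'iptables -L -v' also prints the in/out interface columns that the plain '-L' listing leaves out.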
 
  

