Linux - Newbie: This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!
After spending a lot of time getting a VNC viewer to display my RHEL 5.3 system console on a remote Windows PC, I am now being asked to block access to the service for everybody except the LAN (10.10.10.x).
My strategy was to start by blocking the port (5804) for everybody and then putting in a rule to allow access from the LAN.
I issued the following commands, which given my limited expertise with iptables I believed would totally close the port to the entire world:
But I can still access VNC from anywhere. What am I doing wrong?
(Here is the background of how I set up VNC, in case whoever is looking at this feels it is relevant
I started the VNC service by issuing the command:
# vncserver -geometry 1024x768 -depth 16 :4
:1 :2 and :3 failed, don't ask me why.
Also could not start the service using /etc/rc.d/init.d/vncserver or
/root/.vnc/xstartup. Again, don't know why. Only the above command works.
So now I can access the console either via Real VNC at server:4 or
via a browser at http://server:5804.
I don't know if this matters, but when I run 'nmap localhost' on the VNC server I do not see port 5804 but do see X11 port 6004.)
Dude, can I urge you NOT to use VNC? It's horrible. 58xx is *only* for serving the Java client applet. This is NOT the VNC connection, that will be on 59xx instead, so *IF* your iptables rules were working, they'd be useless against anyone with their own VNC client already.
For your iptables rule itself, you're filtering a *SOURCE* port in INPUT, which is wrong; you've no idea what the source port is, only the destination. And 0.0.0.0/24 only covers IPs 0.0.0.0 to 0.0.0.255.
So, instead, *PLEASE* use nx instead. From nomachine.com. Deep down inside there is some VNC code, but it's secure, runs inside an ssh connection and is just all round nice. If you see mention of nx and freenx, the freenx server just allows unlimited connections (it used to be the only free server, but now nomachine.com provide an "admin use" level server for free too, which is real nice, so there's no need for you to use freenx at all, which makes things even easier). So please please don't use VNC. It is evil.
Thanks for your suggestion and I will check out nx, but my management has assigned me to implement VNC, so that's what I'm stuck with in the short term.
If I'm hearing you correctly about iptables, you are saying:
1. My only concern is the destination port
2. I am using IP addresses incorrectly.
3. I need to be concerned about ports in the 5900-5999 range.
So what if I tried this:
iptables -A INPUT -p tcp --dport 5800:5999 -j REJECT
iptables -A OUTPUT -p tcp --dport 5800:5999 -j REJECT
It would depend on whether vncserver is built against libwrap or not; I'd not be too sure.
As for the iptables lines, the INPUT one should work; the OUTPUT one is wrong but also unnecessary anyway. It totally depends how it fits in with any other existing iptables rules though.
5800 to 5999 will cover displays 0 to 99, but if, for example, a service on screen 201 was started you'd once again have full access to it, as it would run on ports 6001 and 6101. What kind of a crappy model is that???? VNC. Boooo.
Pentode, how would I use /etc/hosts.allow and /etc/hosts.deny to make this happen?
Right now both of those files are blank on my system. Do listings in these files take precedence over iptables rules?
Chris, I did try the iptables rules:
iptables -A INPUT -p tcp --dport 5800:5999 -j REJECT
but I was still able to access vnc from my desktop.
Thank you for your response. I tried to comment out the rules which allow loopback, and then explicitly rejected loopback, but in both cases I was still able to access VNC from my desktop.
My firewall approach IS to start with iptables -P INPUT DROP and then open specific ports. My understanding is that the high number ports are open by default and need to be specifically closed? Even so, my rule 'iptables -A INPUT -p tcp --dport 5800:5999 -j REJECT' does not have the effect of closing the ports.
(FYI, my rule to allow loopback is iptables -A INPUT -i 127.0.0.1 -j ACCEPT)
Any other ideas?
Thanks,
SS
If you explicitly DROP all packets at the beginning of the script everything will be dropped by default. Make sure to specify the incoming interface.
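The replies above make three points worth seeing together: a VNC display N listens on 5800+N (Java applet), 5900+N (the real RFB connection) and 6000+N (X11), so a 5800:5999 block only covers displays 0 to 99; the rule must match the *destination* port and a real LAN network, not 0.0.0.0/24; and with a default DROP policy the loopback exception has to name the interface (`-i lo`), not an address. The script below is an added example written for this thread, not something any poster ran. It computes the ports for a display, checks whether a given block range covers them, and prints (does not execute) an iptables rule set that allows VNC only from the LAN. Assumptions: the LAN is 10.10.10.0/24 as in the original post, the highest display you will ever start is 99, loopback is interface `lo`, and SSH on port 22 is the one other service kept open.

```shell
#!/bin/sh
# Added example for the thread above; not code from any of the posters.
# Assumptions: LAN 10.10.10.0/24 (from the original post), highest VNC
# display 99, loopback interface "lo", SSH (22) is the only other service
# that must stay reachable. Rules are printed for review, not executed.

# Ports used by VNC display N: 5800+N (Java applet over HTTP),
# 5900+N (RFB, the actual VNC session), 6000+N (the X11 server).
vnc_ports() {
    n=$1
    echo "$((5800 + n)) $((5900 + n)) $((6000 + n))"
}

# Returns 0 when all three ports of display N fall inside the range
# 5800:(6000+MAX_DISPLAY); returns 1 when the block would miss that display
# (the "screen 201" case from the thread).
display_covered() {
    n=$1
    max_display=$2
    hi=$((6000 + max_display))
    for p in $(vnc_ports "$n"); do
        [ "$p" -ge 5800 ] && [ "$p" -le "$hi" ] || return 1
    done
    return 0
}

# Emit an INPUT rule set. Order matters: iptables takes the first match, so
# the LAN ACCEPT must come before the catch-all REJECT for the VNC range.
vnc_rules() {
    lan_net=${1:-10.10.10.0/24}
    max_display=${2:-99}
    hi=$((6000 + max_display))
    # Default deny on INPUT, then open only what is needed.
    echo "iptables -P INPUT DROP"
    # Loopback is matched by interface name, not by the 127.0.0.1 address.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections the server itself opened.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Assumed: keep SSH reachable so the box is still manageable.
    echo "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"
    # Destination-port match, source restricted to the LAN network.
    echo "iptables -A INPUT -p tcp -s $lan_net --dport 5800:$hi -j ACCEPT"
    # Everything else aimed at the VNC/X11 range is rejected explicitly.
    echo "iptables -A INPUT -p tcp --dport 5800:$hi -j REJECT"
}

# Stand-alone run: show the port map for display 4 and the generated rules.
echo "display 4 uses ports: $(vnc_ports 4)"
vnc_rules 10.10.10.0/24 99
```

Review the printed rules, then run them as root (for example `vnc_rules 10.10.10.0/24 99 | sh`) and persist them on RHEL 5 with `service iptables save`. If you later start a display above the chosen maximum, `display_covered` will return 1 for it, which is exactly the gap the 5800:5999 rule left for screen 201.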