Old 01-04-2005, 10:44 AM   #1
jamiguel77
LQ Newbie
 
Registered: May 2004
Distribution: red hat
Posts: 24

Rep: Reputation: 15
Open port 5900 or 59 for VNC


Hi all, happy new year 2005.

I have this network:

inet ----- modem ----- ppp0 - linux -- eth0 ------
                                    |- eth1 ------ switch ----- LAN and VoIP
                                    |- eth2 ------

See
http://www.uk.research.att.com/archive/vnc/faq.html#q53

It says there that VNC uses port 5900.

On my LAN I have a Windows XP machine with IP 192.168.0.49; there I run the VNC server. My internet server has the public static IP 200.67.91.138 and the internal IP 192.168.0.1, and it runs Red Hat 9. If I type here:

[root@ServerWB root]# telnet 192.168.0.49 5900
Trying 192.168.0.49...
Connected to 192.168.0.49 (192.168.0.49).
Escape character is '^]'.
RFB 003.007

I checked that the VNC server is running on 192.168.0.49.

Now I want a rule to enter from the internet to my internal VNC server located at:
192.168.0.49

I have this rule (to redirect to my web server if the port is 8080):

iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.49:80

This rule worked.

I tried these rules:

iptables -t nat -A PREROUTING -i ppp0 -p tcp -m tcp --dport 5902 -j DNAT --to-destination 192.168.0.49:5900

iptables -t nat -A PREROUTING -i ppp0 -p udp -m udp --dport 5902 -j DNAT --to-destination 192.168.0.49:5900


But they did not work. I tried listening on port 5902 on my server with tcpdump:

[root@ServerWB root]# tcpdump -i ppp0 -n port 5902
tcpdump: listening on ppp0
13:47:11.329812 213.97.57.33.47046 > 200.67.91.138.5902: S 3347177337:3347177337(0) win 5840 <mss 1412,sackOK,timestamp 8889053 0,nop,wscale 0> (DF)
13:47:18.423784 213.97.57.33.47047 > 200.67.91.138.5902: S 3357505039:3357505039(0) win 5840 <mss 1412,sackOK,timestamp 8889763 0,nop,wscale 0> (DF)
13:47:28.691019 80.102.225.84.33645 > 200.67.91.138.5902: S 221488468:221488468(0) win 5840 <mss 1412> (DF)


Apparently all is OK, but it does not connect to VNC...

I don't know if my problem is in the INPUT table of iptables...


[root@ServerWB root]# vi /etc/sysconfig/iptables

-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 5800:5999 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


Any comments?

Thanks
 
Old 01-07-2005, 03:17 AM   #2
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
How do your FORWARD and PREROUTING chains look?
Do
iptables -nvL
iptables -t nat -nvL
and post the outputs here please.

Good luck
 
Old 01-07-2005, 09:19 AM   #3
jamiguel77
LQ Newbie
 
Registered: May 2004
Distribution: red hat
Posts: 24

Original Poster
Rep: Reputation: 15
Thanks for your reply...
Happy new year...

[root@ServerWB root]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target              prot opt in     out     source               destination
3211K 1846M RH-Firewall-1-INPUT all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target              prot opt in     out     source               destination
44833   12M RH-Firewall-1-INPUT all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3531K packets, 1879M bytes)
 pkts bytes target              prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target              prot opt in     out     source               destination
 137K   43M ACCEPT              all  --  lo     *       0.0.0.0/0            0.0.0.0/0
1739K 1186M ACCEPT              all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
  464 33320 ACCEPT              icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT              esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT              ah   --  *      *       0.0.0.0/0            0.0.0.0/0
1371K  629M ACCEPT              all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   12   560 ACCEPT              tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
  143  8278 ACCEPT              tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
   11   656 ACCEPT              tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    0     0 ACCEPT              tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:5800:5999
 8515  528K REJECT              all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
[root@ServerWB root]#



[root@ServerWB root]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 62846 packets, 4149K bytes)
pkts bytes target prot opt in out source destination
7 424 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:192.168.0.88:80
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:192.168.0.88:80

Chain POSTROUTING (policy ACCEPT 56005 packets, 3317K bytes)
pkts bytes target prot opt in out source destination
105 5900 MASQUERADE all -- * ppp0 192.168.0.88 0.0.0.0/0
73 7791 MASQUERADE all -- * ppp0 192.168.0.4 0.0.0.0/0
4 182 MASQUERADE tcp -- * * 192.168.0.190 0.0.0.0/0 tcp dpt:26

Chain OUTPUT (policy ACCEPT 48293 packets, 2950K bytes)
pkts bytes target prot opt in out source destination
[root@ServerWB root]#
 
Old 01-07-2005, 09:59 AM   #4
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
Happy new year to you too.

Your rules seem OK. Can you check which ports VNC listens on on the XP box?
netstat -an
will show you all of the ports. Maybe some other ports are necessary for communication. I don't use VNC, so I'm not sure about the ports.

You can try the following rules instead of yours (inserting the rules instead of appending them, so these rules are matched first):
iptables -t nat -I PREROUTING -i ppp0 -p tcp --dport 5902 -j DNAT --to 192.168.0.49:5900
iptables -I FORWARD -p tcp --dport 5900 -d 192.168.0.49 -j ACCEPT

good luck.

Last edited by maxut; 01-07-2005 at 10:01 AM.
 
Old 01-07-2005, 10:24 AM   #5
jamiguel77
LQ Newbie
 
Registered: May 2004
Distribution: red hat
Posts: 24

Original Poster
Rep: Reputation: 15
Here are my ports...

Hmm, here is the command output. But... if I try to connect from an internal LAN PC, I can connect.


C:\WINDOWS>netstat -an

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:59 0.0.0.0:0 LISTENING
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3306 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3723 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3759 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3761 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3762 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3893 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3937 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3966 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3971 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3972 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3973 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4624 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5800 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5900 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3002 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3003 0.0.0.0:0 LISTENING
TCP 192.168.0.88:139 0.0.0.0:0 LISTENING
TCP 192.168.0.88:445 192.168.0.49:2408 ESTABLISHED
TCP 192.168.0.88:3723 192.168.0.20:8300 ESTABLISHED
TCP 192.168.0.88:3759 192.168.0.1:3128 ESTABLISHED
TCP 192.168.0.88:3761 192.168.0.1:3128 ESTABLISHED
TCP 192.168.0.88:3762 192.168.0.1:3128 ESTABLISHED
TCP 192.168.0.88:3893 192.168.0.1:22 ESTABLISHED
TCP 192.168.0.88:3937 192.168.0.1:3128 ESTABLISHED
TCP 192.168.0.88:3966 192.168.0.1:3128 ESTABLISHED
TCP 192.168.0.88:3971 192.168.0.1:3128 ESTABLISHED
TCP 192.168.0.88:3972 192.168.0.1:3128 ESTABLISHED
TCP 192.168.0.88:3973 192.168.0.1:3128 ESTABLISHED
TCP 192.168.164.1:139 0.0.0.0:0 LISTENING
TCP 192.168.234.1:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1028 *:*
UDP 0.0.0.0:3004 *:*
UDP 0.0.0.0:3158 *:*
UDP 0.0.0.0:3175 *:*
UDP 0.0.0.0:3859 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:3005 *:*
UDP 127.0.0.1:3156 *:*
UDP 127.0.0.1:3178 *:*
UDP 127.0.0.1:3503 *:*
UDP 192.168.0.88:9 *:*
UDP 192.168.0.88:123 *:*
UDP 192.168.0.88:137 *:*
UDP 192.168.0.88:138 *:*
UDP 192.168.0.88:29428 *:*
UDP 192.168.1.188:123 *:*
UDP 192.168.1.188:1900 *:*
UDP 192.168.1.188:40417 *:*
UDP 192.168.164.1:123 *:*
UDP 192.168.164.1:137 *:*
UDP 192.168.164.1:138 *:*
UDP 192.168.164.1:1900 *:*
UDP 192.168.164.1:25701 *:*
UDP 192.168.234.1:123 *:*
UDP 192.168.234.1:137 *:*
UDP 192.168.234.1:138 *:*
UDP 192.168.234.1:1900 *:*
UDP 192.168.234.1:27283 *:*

C:\WINDOWS>
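As an added example (not code from the thread or from any of the posters), the question of which ports the VNC server actually listens on can be answered by capturing `netstat -an` twice, once with the server running and once with it stopped, and diffing the TCP listeners. The two captures below are constructed samples modelled on the listing above, and the function names are this example's own; on a real host you would paste the saved output of each run in their place.

```shell
#!/bin/sh
# Added example, not code from the thread: find the TCP ports a VNC server
# listens on by diffing two `netstat -an` captures from the Windows host,
# one taken with the server running and one with it stopped.
# Both captures are constructed samples modelled on the listing in the thread.
LC_ALL=C
export LC_ALL

NETSTAT_WITH_VNC='Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5800 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5900 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
TCP 192.168.0.88:3893 192.168.0.1:22 ESTABLISHED
UDP 0.0.0.0:445 *:*'

NETSTAT_WITHOUT_VNC='Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
TCP 192.168.0.88:3893 192.168.0.1:22 ESTABLISHED
UDP 0.0.0.0:445 *:*'

# tcp_listeners: read netstat -an output on stdin and print one sorted
# "address port" line per TCP socket in LISTENING state. The port is the
# text after the last ':' so IPv6 forms such as [::]:5900 also work.
tcp_listeners() {
    awk '$1 == "TCP" && $4 == "LISTENING" {
             n = split($2, a, ":"); print a[1] " " a[n] }' | sort -u
}

# listeners_added: print the listeners present in capture $1 (server running)
# but absent from capture $2 (server stopped). comm needs sorted input, which
# tcp_listeners already guarantees under the C locale set above.
listeners_added() {
    with=$(mktemp) && without=$(mktemp) || return 1
    printf '%s\n' "$1" | tcp_listeners > "$with"
    printf '%s\n' "$2" | tcp_listeners > "$without"
    comm -23 "$with" "$without"
    rm -f "$with" "$without"
}

# vnc_ports_csv: turn the added listeners into the comma-separated port list
# that `iptables -m multiport --dports` expects, e.g. 5800,5900.
vnc_ports_csv() {
    listeners_added "$1" "$2" | awk '{ print $2 }' | sort -un | paste -sd, -
}

echo "Ports that only listen while the VNC server runs:"
listeners_added "$NETSTAT_WITH_VNC" "$NETSTAT_WITHOUT_VNC"
echo "multiport list: $(vnc_ports_csv "$NETSTAT_WITH_VNC" "$NETSTAT_WITHOUT_VNC")"
```

The result is the list of ports the firewall actually has to forward and nothing more; with the constructed samples that is 5800 (the HTTP/Java viewer port) and 5900 (the RFB port), which matches the two LISTENING lines the poster later singles out.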
 
Old 01-08-2005, 03:04 AM   #6
maxut
Senior Member
 
Registered: May 2003
Location: istanbul
Distribution: debian - redhat - others
Posts: 1,188

Rep: Reputation: 50
Re: Here are my ports...

Quote:
Originally posted by jamiguel77
Hmm, here is the command output. But... if I try to connect from an internal LAN PC, I can connect.


C:\WINDOWS>netstat -an

Active Connections

Proto Local Address Foreign Address State

TCP 0.0.0.0:5800 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5900 0.0.0.0:0 LISTENING

I think those ports are listened on by vncserver. Run vncserver and do "netstat -an", after that stop vncserver and do "netstat -an" again. Check the difference, so you can be sure about the VNC server ports.
After that try the following rules:
iptables -I FORWARD -p tcp -m multiport --dports $vncport1,$vncport2,$vncportX -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I PREROUTING -i $internet_interface -p tcp --dport $vncport1 -j DNAT --to $vncserver_ip:$vncport1
iptables -t nat -I PREROUTING -i $internet_interface -p tcp --dport $vncportX -j DNAT --to $vncserver_ip:$vncportX

good luck.
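The two replies above describe the complete set of pieces a port forward needs: a DNAT rule in the nat PREROUTING chain on the internet interface, a FORWARD rule that accepts the new connection to the internal host, a FORWARD rule for the reply traffic, and IP forwarding enabled. The following is an added example, not code from the thread or from either poster: it generates that rule set from variables, applies it only when explicitly asked, and then checks an `iptables -t nat -nvL PREROUTING` listing for the DNAT rule and its packet counter. The interface, port and address defaults are the values from this thread; the variable and function names and the two sample listings are this example's own. The check is worth having because the nat listing posted earlier in the thread contains only the two port 8080 rules and no rule for port 5902 at all, so whether the rule is loaded is the first thing to confirm. `ALLOWED_SRC` is there so that the exposed port can be limited to a known source network rather than the whole internet.

```shell
#!/bin/sh
# Added example, not code from the thread: build (and optionally apply) the
# complete rule set needed to forward one external TCP port on the internet
# interface to an internal VNC server, then verify from `iptables -t nat -nvL`
# output that the DNAT rule is really loaded and matching packets.
# The defaults are placeholders taken from the scenario in this thread; the
# variable names and the two sample listings are this example's own.
WAN_IF="${WAN_IF:-ppp0}"
EXT_PORT="${EXT_PORT:-5902}"
VNC_HOST="${VNC_HOST:-192.168.0.49}"
VNC_PORT="${VNC_PORT:-5900}"
ALLOWED_SRC="${ALLOWED_SRC:-0.0.0.0/0}"   # narrow to the admin's network if known
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print rules, 0 = apply them (root)

# vnc_forward_rules: print one command per line. Rules are inserted (-I) at the
# top so they take effect before the distribution's REJECT rule, and the
# FORWARD chain gets both the NEW-connection rule and the reply-traffic rule.
vnc_forward_rules() {
    printf '%s\n' \
        "sysctl -w net.ipv4.ip_forward=1" \
        "iptables -t nat -I PREROUTING -i $WAN_IF -s $ALLOWED_SRC -p tcp --dport $EXT_PORT -j DNAT --to-destination $VNC_HOST:$VNC_PORT" \
        "iptables -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -I FORWARD 2 -i $WAN_IF -s $ALLOWED_SRC -d $VNC_HOST -p tcp --dport $VNC_PORT -m state --state NEW -j ACCEPT"
}

# vnc_forward_check: read `iptables -t nat -nvL PREROUTING` output on stdin.
# Exit 0 if the DNAT rule is present and has seen packets, 1 if it is missing,
# 2 if it is loaded but its packet counter is still 0 (traffic never reaches it).
vnc_forward_check() {
    awk -v want_port="tcp dpt:$EXT_PORT" -v want_dst="to:$VNC_HOST:$VNC_PORT" '
        $3 == "DNAT" && index($0, want_port) && index($0, want_dst) {
            found = 1; if ($1 + 0 > 0) hit = 1 }
        END {
            if (!found) { print "no DNAT rule for " want_port; exit 1 }
            if (!hit)   { print "DNAT rule loaded but 0 packets matched"; exit 2 }
            print "DNAT rule loaded and matching" }'
}

# Constructed sample 1: the PREROUTING listing as posted in this thread, which
# carries only the port 8080 rules, so the check reports the 5902 rule missing.
NAT_AS_POSTED='Chain PREROUTING (policy ACCEPT 62846 packets, 4149K bytes)
 pkts bytes target prot opt in out source destination
    7   424 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:192.168.0.88:80
    0     0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:192.168.0.88:80'

# Constructed sample 2: the same listing after the rule above has been inserted
# and three connections have hit it.
NAT_WITH_RULE='Chain PREROUTING (policy ACCEPT 62901 packets, 4152K bytes)
 pkts bytes target prot opt in out source destination
    3   180 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5902 to:192.168.0.49:5900
    7   424 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080 to:192.168.0.88:80'

if [ "$DRY_RUN" = "1" ]; then
    vnc_forward_rules
    printf '%s\n' "$NAT_AS_POSTED" | vnc_forward_check || true
    printf '%s\n' "$NAT_WITH_RULE" | vnc_forward_check || true
else
    vnc_forward_rules | while IFS= read -r cmd; do sh -c "$cmd" || exit 1; done
    iptables -t nat -nvL PREROUTING | vnc_forward_check
fi
```

Run it as is to see the four commands and the two check results; run it with `DRY_RUN=0` as root to apply them. A check result of 2 after a connection attempt means the packet never reached the nat table on `$WAN_IF`, which points at the upstream side (modem, wrong public address, wrong interface) rather than at the firewall rules; a result of 0 with a connection that still fails points at the FORWARD chain or at the internal host.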
 
  

