LinuxQuestions.org


cabo 03-29-2004 02:43 PM

realvnc and iptables
 
I have RealVNC installed on two computers and am running a vncserver on my Fedora Core 1 Linux box. But there is this iptables firewall :)

What do I write to open up the ports for RealVNC? I'm only using the FC1 box as a server, and that's port 5901, right?

I'm a newbie to iptables, and yes, I have tried to read Oskar Andreasson's 146 pages of iptables HOWTO.

Any help appreciated,

Thanks

Capt_Caveman 03-29-2004 11:23 PM

Basic syntax for opening tcp ports with iptables is:

iptables -A INPUT -p tcp --dport ## -j ACCEPT

Where ## would be the port that the service listens to. With RealVNC, it will listen on 5900+N where N is the number of virtual consoles. So if you just plan on one, it would be 5901 (I would open up more than one though). I would also limit access to only those systems you need to access the VNCserver. So if your VNC client is run off 192.168.1.100 the rule would be:

iptables -A INPUT -p tcp --dport 5900:5905 -s 192.168.1.100 -j ACCEPT

If you plan on running this service directly over the internet or in any environment where others can sniff traffic (like over a hub or work network), I would highly advise tunneling VNC through something like ssh or another encrypted protocol. Here is a HOWTO on setting that up:

http://www.uk.research.att.com/archive/vnc/sshvnc.html

cabo 03-30-2004 03:52 AM

Tried that
 
Thanks for responding. I tried your line, but when I scan my Linux box, port 5901 is still closed... here's my iptables config:
I want to connect through port 5901.

Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- anywhere anywhere
2 ACCEPT tcp -- anywhere anywhere tcp dpt:5901

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 ACCEPT icmp -- anywhere anywhere icmp any
3 ACCEPT ipv6-crypt-- anywhere anywhere
4 ACCEPT ipv6-auth-- anywhere anywhere
5 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
6 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
7 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Can you see what else could be wrong?

Capt_Caveman 03-30-2004 06:44 PM

After glancing at your firewall, it looks like the RH-Firewall-1-INPUT chain is grabbing the packets before the VNC rule we added sees them. Basically our rule is behind another rule that is intercepting and dropping them. So what we need to do is put our rule ahead of the RH-Firewall-1-INPUT rule. So first remove the rule we added using the -D (delete) option. So enter the exact rule, but use -D instead:

iptables -D INPUT -p tcp --dport 5901 -j ACCEPT

Take a look at the iptables rules to verify the rule we added is indeed gone and we are back to where we started. Now go ahead and add the rule again, but use the -I (insert at top) option instead of -A (append to bottom):

iptables -I INPUT -p tcp --dport 5901 -j ACCEPT

Again check your rules to make sure it's been added properly. It should look like this:

Code:

Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:5901
2 RH-Firewall-1-INPUT all -- anywhere anywhere

That should do the trick.
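
As an added illustration (not code from the thread), here is a small Python model of the chain traversal shown above: with `-A` the VNC rule sits behind the jump to RH-Firewall-1-INPUT, whose last rule rejects every packet that reaches it, so a new connection to 5901 never comes back to INPUT rule 2; with `-I` the VNC rule is evaluated first. Rule 1 of RH-Firewall-1-INPUT is assumed to be the loopback accept (`-i lo`), which plain `iptables -L` does not display, and the sample packets are constructed.

```python
# Model of the INPUT traversal from the thread: why `iptables -A` left
# port 5901 closed while `iptables -I` opened it.
# A chain is a list of (match, target). ACCEPT/REJECT/DROP are terminal;
# any other target name jumps to the user chain of that name.

def any_pkt(p):
    return True

def tcp_dport(port):
    return lambda p: p["proto"] == "tcp" and p["dport"] == port

def state(*states):
    return lambda p: p["state"] in states

# RH-Firewall-1-INPUT as listed by `iptables -L` in the thread.
# Rule 1 is assumed to be the loopback accept (-i lo), hidden by plain -L.
RH_CHAIN = [
    (lambda p: p["iface"] == "lo", "ACCEPT"),
    (lambda p: p["proto"] == "icmp", "ACCEPT"),
    (lambda p: p["proto"] in ("ipv6-crypt", "ipv6-auth"), "ACCEPT"),
    (state("RELATED", "ESTABLISHED"), "ACCEPT"),
    (lambda p: state("NEW")(p) and tcp_dport(22)(p), "ACCEPT"),
    (any_pkt, "REJECT"),  # reject-with icmp-host-prohibited
]

def walk(chains, chain, pkt):
    """Walk one chain; follow jumps; return a verdict or None at end of chain."""
    for match, target in chains[chain]:
        if not match(pkt):
            continue
        if target in ("ACCEPT", "REJECT", "DROP"):
            return target
        verdict = walk(chains, target, pkt)  # user chain; None means RETURN
        if verdict is not None:
            return verdict
    return None

def verdict(input_chain, pkt):
    chains = {"INPUT": input_chain, "RH-Firewall-1-INPUT": RH_CHAIN}
    return walk(chains, "INPUT", pkt) or "ACCEPT"  # INPUT policy is ACCEPT

VNC_RULE = (tcp_dport(5901), "ACCEPT")
JUMP_RULE = (any_pkt, "RH-Firewall-1-INPUT")
APPENDED = [JUMP_RULE, VNC_RULE]  # what `iptables -A INPUT ...` produced
INSERTED = [VNC_RULE, JUMP_RULE]  # what `iptables -I INPUT ...` produces

# Constructed sample: a new VNC connection arriving on the LAN interface.
VNC_SYN = {"iface": "eth0", "proto": "tcp", "dport": 5901, "state": "NEW"}

if __name__ == "__main__":
    print("appended:", verdict(APPENDED, VNC_SYN))  # REJECT
    print("inserted:", verdict(INSERTED, VNC_SYN))  # ACCEPT
```

`iptables -L INPUT -n --line-numbers` on the real box shows the same ordering the model encodes, which is the quickest way to confirm where the VNC rule landed.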

cabo 03-31-2004 12:21 AM

Thanks, that solved it.
