LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-29-2004, 02:43 PM   #1
cabo
LQ Newbie
 
Registered: Sep 2003
Distribution: fedora core 1
Posts: 25

Rep: Reputation: 15
realvnc and iptables


I have RealVNC installed on two computers and am running a vncserver on my Fedora Core 1 Linux box. But there is this iptables firewall.

What do I write to open up the ports for RealVNC? I'm only using the FC1 box as a server, and that's port 5901, right?

I'm a newbie to iptables, and yes, I have tried to read Oskar Andreasson's 146 pages of iptables HOWTO.

any help appreciated,

thanx
 
Old 03-29-2004, 11:23 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Basic syntax for opening TCP ports with iptables is:

Code:
iptables -A INPUT -p tcp --dport ## -j ACCEPT

Where ## would be the port that the service listens to. With RealVNC, it will listen on 5900+N where N is the number of virtual consoles. So if you just plan on one, it would be 5901 (I would open up more than one though). I would also limit access to only those systems you need to access the VNC server. So if your VNC client is run off 192.168.1.100 the rule would be:

Code:
iptables -A INPUT -p tcp --dport 5900:5905 -s 192.168.1.100 -j ACCEPT

If you plan on running this service directly over the internet or in any environment where others can sniff traffic (like over a hub or work network), I would highly advise tunneling VNC through something like ssh or another encrypted protocol. Here is a HOWTO on setting that up:

http://www.uk.research.att.com/archive/vnc/sshvnc.html
 
Old 03-30-2004, 03:52 AM   #3
cabo
LQ Newbie
 
Registered: Sep 2003
Distribution: fedora core 1
Posts: 25

Original Poster
Rep: Reputation: 15
tried that

Thanx for responding. I tried your line, but when I scan my Linux box, port 5901 is still closed... Here's my iptables config.
I want to connect through port 5901.

Code:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- anywhere anywhere
2 ACCEPT tcp -- anywhere anywhere tcp dpt:5901

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere
2 ACCEPT icmp -- anywhere anywhere icmp any
3 ACCEPT ipv6-crypt-- anywhere anywhere
4 ACCEPT ipv6-auth-- anywhere anywhere
5 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
6 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
7 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

can you see what else could be wrong?
 
Old 03-30-2004, 06:44 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
After glancing at your firewall, it looks like the RH-Firewall-1-INPUT chain is grabbing the packets before the VNC rule we added sees them. Basically our rule is behind another rule that is intercepting and dropping them. So what we need to do is put our rule ahead of the RH-Firewall-1-INPUT rule. So first remove the rule we added using the -D (delete) option. So enter the exact rule, but use -D instead:

Code:
iptables -D INPUT -p tcp --dport 5901 -j ACCEPT

Take a look at the iptables rules to verify the rule we added is indeed gone and we are back to where we started. Now go ahead and add the rule again, but use the -I (insert at top) option instead of -A (append to bottom):

Code:
iptables -I INPUT -p tcp --dport 5901 -j ACCEPT

Again check your rules to make sure it's been added properly. Should look like this:

Code:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:5901
2 RH-Firewall-1-INPUT all -- anywhere anywhere
That should do the trick.
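To make the ordering problem in posts #2 and #4 concrete, here is a small simulator of how iptables walks the INPUT chain. It is an added example, not code from the thread or from the iptables project: it models only the matches that appear in the listing above (protocol, destination port, source address, conntrack state, input interface) and the ACCEPT/REJECT/jump-to-user-chain targets. The packets are constructed sample data; rule 1 of RH-Firewall-1-INPUT is modelled as the loopback accept (`-i lo`) of the stock Fedora configuration, which is an assumption, since the listing hides the interface column. The scenario replays the thread: append the 5901 rule (rejected by the REJECT at the end of RH-Firewall-1-INPUT), delete it, insert it at the top (accepted), then swap in post #2's source-restricted range.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # verdicts that end the walk


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", "icmp", ...
    src: str                    # source IPv4 address
    dport: Optional[int] = None
    state: str = "NEW"          # conntrack state: NEW, ESTABLISHED, RELATED
    in_iface: str = "eth0"


@dataclass(frozen=True)
class Rule:
    target: str                                  # ACCEPT/REJECT/DROP or a user chain name
    proto: str = "all"                           # -p
    dport: Optional[Tuple[int, int]] = None      # --dport low:high (inclusive)
    src: Optional[str] = None                    # -s host or CIDR
    states: Optional[FrozenSet[str]] = None      # -m state --state ...
    in_iface: Optional[str] = None               # -i

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.dport is not None:
            if pkt.dport is None or not (self.dport[0] <= pkt.dport <= self.dport[1]):
                return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        if self.states is not None and pkt.state not in self.states:
            return False
        if self.in_iface is not None and self.in_iface != pkt.in_iface:
            return False
        return True


class Filter:
    """The filter table: built-in chains carry a policy, user chains do not."""

    def __init__(self):
        self.chains = {"INPUT": [], "FORWARD": [], "OUTPUT": []}
        self.policy = {"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"}

    def new_chain(self, name):                 # iptables -N name
        self.chains[name] = []

    def append(self, chain, rule):             # iptables -A chain ...
        self.chains[chain].append(rule)

    def insert(self, chain, rule, num=1):      # iptables -I chain [num] ... (1-based, like iptables)
        self.chains[chain].insert(num - 1, rule)

    def delete(self, chain, rule):             # iptables -D chain ... (first exact match)
        self.chains[chain].remove(rule)

    def _walk(self, chain, pkt):
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target
            verdict = self._walk(rule.target, pkt)   # jump into a user chain
            if verdict is not None:
                return verdict                        # the user chain decided
            # user chain fell off its end: control returns here, keep walking
        return None

    def verdict(self, chain, pkt):
        return self._walk(chain, pkt) or self.policy[chain]   # built-in chain policy if nothing matched


def fedora_core1_firewall():
    """Rebuild the RH-Firewall-1-INPUT chain exactly as listed in post #3."""
    fw = Filter()
    rh = "RH-Firewall-1-INPUT"
    fw.new_chain(rh)
    fw.append("INPUT", Rule(target=rh))
    fw.append("FORWARD", Rule(target=rh))
    fw.append(rh, Rule("ACCEPT", in_iface="lo"))                       # rule 1 (assumed: -i lo)
    fw.append(rh, Rule("ACCEPT", proto="icmp"))                        # rule 2
    fw.append(rh, Rule("ACCEPT", proto="ipv6-crypt"))                  # rule 3: ESP, protocol 50
    fw.append(rh, Rule("ACCEPT", proto="ipv6-auth"))                   # rule 4: AH, protocol 51
    fw.append(rh, Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})))   # rule 5
    fw.append(rh, Rule("ACCEPT", proto="tcp", dport=(22, 22), states=frozenset({"NEW"})))  # rule 6
    fw.append(rh, Rule("REJECT"))                                      # rule 7: catch-all
    return fw


CLIENT = "192.168.1.100"                                  # constructed: the VNC client from post #2
VNC_SYN = Packet("tcp", CLIENT, dport=5901)               # a new connection to display :1
VNC_RULE = Rule("ACCEPT", proto="tcp", dport=(5901, 5901))


def run_thread_scenario():
    """Replay posts #3 and #4 and return the verdict after each step."""
    fw = fedora_core1_firewall()
    results = {}
    fw.append("INPUT", VNC_RULE)                          # post #3: iptables -A INPUT ... --dport 5901
    results["appended"] = fw.verdict("INPUT", VNC_SYN)    # REJECT: RH chain is walked first
    fw.delete("INPUT", VNC_RULE)                          # post #4: iptables -D INPUT ...
    results["deleted"] = fw.verdict("INPUT", VNC_SYN)
    fw.insert("INPUT", VNC_RULE)                          # post #4: iptables -I INPUT ...
    results["inserted"] = fw.verdict("INPUT", VNC_SYN)    # ACCEPT: matched before the jump
    results["ssh_still_ok"] = fw.verdict("INPUT", Packet("tcp", CLIENT, dport=22))
    results["other_port"] = fw.verdict("INPUT", Packet("tcp", CLIENT, dport=5902))
    fw.delete("INPUT", VNC_RULE)                          # post #2's tighter variant instead
    fw.insert("INPUT", Rule("ACCEPT", proto="tcp", dport=(5900, 5905), src=CLIENT))
    results["restricted_client"] = fw.verdict("INPUT", VNC_SYN)
    results["restricted_other"] = fw.verdict("INPUT", Packet("tcp", "10.0.0.7", dport=5901))
    return results


if __name__ == "__main__":
    for step, verdict in run_thread_scenario().items():
        print(f"{step:18} -> {verdict}")
```

The point the walk makes visible: a jump to a user chain is just another rule in INPUT, and because RH-Firewall-1-INPUT ends in an unconditional REJECT, anything appended after that jump is never reached. `-I` places the rule before the jump, and the source-restricted range from post #2 keeps the same ordering while limiting who can reach the display ports. The same check (walk a packet through your rules before trusting a port scan) is worth doing with `iptables -L -n -v --line-numbers` on the real box.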
 
Old 03-31-2004, 12:21 AM   #5
cabo
LQ Newbie
 
Registered: Sep 2003
Distribution: fedora core 1
Posts: 25

Original Poster
Rep: Reputation: 15
thanx, that solved it