Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
#1 | 12-15-2006, 02:50 AM | LQ Newbie | Registered: Sep 2003 | Location: Australia | Distribution: Smooth, Deb, Ubu, KNX, RH mainly | Posts: 25
VNC gateway
Trying to set up a VNC gateway, i.e. 5800 on ext -> 5800 on int, 5801 on ext -> 5801 on int, etc.
This is because hosts on the external LAN segment have a different gateway. I figure isolating the VNC hosts' segment and putting a port forwarding router on the main segment will be the best solution (unless someone knows an easy way to distribute to the main segment a route to the isolated segment).
i.e.:
10.10.10.254
router (default LAN gateway)
|
|
|
10.10.10.2 ----->10.10.10.9(ext) | 172.23.23.1 (int)-------> 172.23.23.10
main client.................vnc gateway...................isolated vnc host
Alright, can some firewall guru tell me what I am doing wrong here:
All default rules ACCEPT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5800 -j DNAT --to-destination 172.23.23.31:5800
iptables -t nat -A POSTROUTING -p tcp -s 172.23.23.0/24 --sport 5800 -j SNAT --to 10.10.10.9
VNC client hits VNC server (routing seems ok) but the authentication box does not arrive. My guess is the VNC server jumps to a different channel / ports for this?
Cheers in advance
een
Last edited by eendoe; 12-15-2006 at 03:01 AM.
#2 | 12-15-2006, 02:53 AM | LQ Newbie (Original Poster) | Registered: Sep 2003 | Location: Australia | Distribution: Smooth, Deb, Ubu, KNX, RH mainly | Posts: 25
..........
Last edited by eendoe; 12-15-2006 at 03:00 AM.
#3 | 12-15-2006, 08:00 AM | Member | Registered: Sep 2005 | Location: New Delhi | Distribution: RHEL 3.0/4.0 | Posts: 777
Quote: Originally Posted by eendoe
This is because hosts on the external LAN segment have a different gateway. I figure isolating the VNC hosts' segment and putting a port forwarding router on the main segment will be the best solution (unless someone knows an easy way to distribute to the main segment a route to the isolated segment).
i.e.:
10.10.10.254
router (default LAN gateway)
|
|
|
10.10.10.2 ----->10.10.10.9(ext) | 172.23.23.1 (int)-------> 172.23.23.10
main client.................vnc gateway...................isolated vnc host
VNC client hits VNC server (routing seems ok) but the authentication box does not arrive. My guess is the VNC server jumps to a different channel / ports for this?
I am a little confused with the setup, but I'd still try to provide you with a solution (you can correct my assumptions where they are wrong).
What I make out from that diagram is this:
Your client 10.10.10.2 (default gw 10.10.10.254) is trying to access the VNC server hosted at 172.23.23.10.
And hence, if those two networks are just part of your LAN segments, I mean if you have control of and access to both of these networks, you really don't even need NATing in this case.
At 10.10.10.254, you can run,
Code:
ip rou add to 172.23.23.10 via 10.10.10.9
or
you can even run this on your 10.10.10.2 box, if it's a Linux one (the above-mentioned route will override the default gw and hence you'll be able to ping and route your packets to the destination).
The other thing you have to be sure of is to set your VNC server (host) box to have a gateway of 172.23.23.1, so that return packets can come back in this case. You also have to make sure that any firewall (if installed) allows these packets to traverse it.
#4 | 12-15-2006, 10:52 AM | Member | Registered: Sep 2005 | Location: New Delhi | Distribution: RHEL 3.0/4.0 | Posts: 777
And yes, as Acid pointed out to me in another post in the networking forum, you have to enable IP forwarding in your kernel as well with
Code:
echo 1 >> /proc/sys/net/ipv4/ip_forward
#5 | 12-15-2006, 06:22 PM | LQ Newbie (Original Poster) | Registered: Sep 2003 | Location: Australia | Distribution: Smooth, Deb, Ubu, KNX, RH mainly | Posts: 25
Update
Thanks for the help, dudes and dudettes.
Thanks for the routing info; yes, these had crossed my mind.
Yes, you are understanding my setup ok.
Yes, ip_forward is enabled.
- Problem: the MAINLAN gateway is not under my control (managed by the main site).
- MAINLAN clients are not under my control (cannot add a logon script via group policy or autoexec.bat etc. to add a route to 172.23.23.0/24).
So,
Unless I can advertise the route through some dynamic route advertising protocol (RIP + RIP listener; please help if you know any others), the only way I can easily get hosts on MAINLAN to these 172.23.23.x nodes for VNC is by using this "vnc gateway" on MAINLAN.
Anyway,
I got this working last night.
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p TCP --dport 5800 -j DNAT --to 172.23.23.31:5800
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p TCP --dport 5900 -j DNAT --to 172.23.23.31:5900
Looks like I needed both 5800 and 5900; the web connection establishment must run through 5800 and the session jumps up to the 5900 socket?
Funny though, it seems like it's not absolutely necessary to SNAT the return packets to MAINLAN.
Cheers for all your help; I'd still like any ideas on that automatic route addition (without autonomy) issue.
Later.
#6 | 12-16-2006, 08:42 AM | Member | Registered: Sep 2005 | Location: New Delhi | Distribution: RHEL 3.0/4.0 | Posts: 777
Quote: Originally Posted by eendoe
Funny though, it seems like it's not absolutely necessary to SNAT the return packets to MAINLAN.
One-way NATed packets find their way back on their own. It's the way one-way NATing functions.
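The ruleset below is an added example, not code from this thread: it packages the working DNAT pair from post #5 (5800 for the Java viewer's HTTP connection, 5900 for the RFB session) with a FORWARD chain that only passes those flows, instead of the "all default rules ACCEPT" setup of post #1, and documents why post #6's point holds (connection tracking reverses the DNAT on replies, so no SNAT is needed as long as the VNC host routes back via 172.23.23.1). Interface names eth0/eth1 are assumptions; 172.23.23.31 is the VNC host from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Interfaces are assumed: eth0 faces MAINLAN
# (10.10.10.9), eth1 faces the isolated segment (172.23.23.1).
EXTIF=${EXTIF:-eth0}
INTIF=${INTIF:-eth1}
VNC_HOST=${VNC_HOST:-172.23.23.31}   # isolated VNC host from the thread
VNC_PORTS="5800 5900"                 # Java viewer over HTTP, then the RFB socket
DRY_RUN=${DRY_RUN:-0}                 # DRY_RUN=1 prints the commands instead of applying

# run: apply a command, or print it when reviewing the ruleset without root.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

vnc_gateway_rules() {
    # Forwarding must be on (post #4); same effect as writing 1 to /proc/sys/net/ipv4/ip_forward.
    run sysctl -w net.ipv4.ip_forward=1
    # Default deny for transit traffic: only the VNC flows below may cross the gateway.
    run iptables -P FORWARD DROP
    # Replies of a forwarded session pass here. conntrack un-DNATs them on the way
    # back (post #6), so no SNAT rule is needed; SNAT only becomes necessary when the
    # VNC host's default gateway is not 172.23.23.1 and replies would take another path.
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for p in $VNC_PORTS; do
        # 1) Redirect MAINLAN hits on 5800/5900 to the isolated VNC host (post #5).
        run iptables -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$p" \
            -j DNAT --to-destination "$VNC_HOST:$p"
        # 2) FORWARD sees the post-DNAT destination, so admit only that exact flow.
        run iptables -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$VNC_HOST" \
            --dport "$p" -m conntrack --ctstate NEW -j ACCEPT
    done
}

# count_dnat_rules: how many DNAT rules the ruleset would install (review helper).
count_dnat_rules() {
    ( DRY_RUN=1; vnc_gateway_rules ) | grep -c -- '-j DNAT'
}

# Usage: sh vnc-gateway.sh --dry-run   (prints the rules; run without the flag as root to apply)
if [ "${1:-}" = "--dry-run" ]; then DRY_RUN=1; vnc_gateway_rules; fi
```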
#7 | 12-20-2006, 06:51 PM | LQ Newbie | Registered: Dec 2006 | Posts: 8
Maybe like this, I'm not sure:
iptables -A FORWARD -s 10.10.10.9 -p tcp -m tcp --sport 5800 -j ACCEPT
iptables -t nat -A PREROUTING -d 172.23.23.1 -p tcp -m tcp --dport 5800 -j DNAT --to-destination 10.10.10.9
iptables -t nat -A POSTROUTING -d 10.10.10.9 -p tcp -m tcp --dport 5800 -j SNAT --to-source 172.23.23.1