LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 12-15-2006, 02:50 AM   #1
eendoe
VNC gateway

Trying to set up a VNC gateway, i.e. 5800 on ext -> 5800 on int, 5801 on ext -> 5801 on int, etc.

This is because hosts on the external LAN segment have a different gateway. I figure isolating the VNC hosts' segment and putting a port-forwarding router on the main segment will be the best solution (unless someone knows an easy way to distribute a route to the isolated segment to the main segment).


i.e.;

10.10.10.254
router (default LAN gateway)
|
|
|
10.10.10.2 ----->10.10.10.9(ext) | 172.23.23.1 (int)-------> 172.23.23.10
main client.................vnc gateway...................isolated vnc host


All right, can some firewall guru tell me what I am doing wrong here?


All default rules ACCEPT
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5800 -j DNAT --to-destination 172.23.23.31:5800
iptables -t nat -A POSTROUTING -p tcp -s 172.23.23.0/24 --sport 5800 -j SNAT --to 10.10.10.9


The VNC client hits the VNC server (routing seems OK) but the authentication box does not arrive. My guess is the VNC server jumps to a different channel / ports for this?



Cheers in advance


een

Old 12-15-2006, 02:53 AM   #2
eendoe
..........
Old 12-15-2006, 08:00 AM   #3
amitsharma_26
Quote:
Originally Posted by eendoe
This is because hosts on the external LAN segment have a different gateway. I figure isolating the VNC hosts' segment and putting a port-forwarding router on the main segment will be the best solution (unless someone knows an easy way to distribute a route to the isolated segment to the main segment).


i.e.;

10.10.10.254
router (default LAN gateway)
|
|
|
10.10.10.2 ----->10.10.10.9(ext) | 172.23.23.1 (int)-------> 172.23.23.10
main client.................vnc gateway...................isolated vnc host

The VNC client hits the VNC server (routing seems OK) but the authentication box does not arrive. My guess is the VNC server jumps to a different channel / ports for this?
I am a little confused by the setup, but I'll still try to provide you with a solution (you can correct my assumptions).

What I make out from that diagram is this:
Your client 10.10.10.2 (default gw 10.10.10.254) is trying to access the VNC server hosted at 172.23.23.10.

And hence, if those two networks are just part of your LAN segments, i.e. if you have control of and access to both of these networks, you don't even need NATing in this case.

At 10.10.10.254 you can run
Code:
ip route add to 172.23.23.10 via 10.10.10.9
or
you can even run this on your 10.10.10.2 box, if it's a Linux one (the above-mentioned route will override the default gw and hence you'll be able to ping and route your packets to the destination).

The other thing you have to be sure of is to give your VNC server (host) box a gateway of 172.23.23.1, so that return packets can come back in this case. You also have to make sure that any firewall (if installed) allows these packets to traverse it.
 
Old 12-15-2006, 10:52 AM   #4
amitsharma_26
And yes, as Acid pointed out to me in another post in the networking forum, you have to enable IP forwarding in your kernel as well with
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
 
Old 12-15-2006, 06:22 PM   #5
eendoe
Update

Thanks for the help dudes and dudettes,

Thanks for the routing info; yes, these had crossed my mind.
Yes, you are understanding my setup OK.

Yes ip_forward is enabled.


Problems:
- The MAINLAN gateway is not under my control (managed by the main site).
- MAINLAN clients are not under my control (cannot add a logon script via group policy or autoexec.bat etc. to add a route to 172.23.23.0/24).

So,

Unless I can advertise the route through some dynamic route advertising protocol (RIP + RIP listener; please help if you know any others), the only way I can easily get hosts on MAINLAN to these 172.23.23.x nodes for VNC is by using this "vnc gateway" on MAINLAN.



Anyways,

I got this working last night.




Code:
IPTABLES=/sbin/iptables
EXTIF=eth0      # MAINLAN-facing interface, as in the first post
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 5800 -j DNAT --to 172.23.23.31:5800
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 5900 -j DNAT --to 172.23.23.31:5900


Looks like I needed both 5800 and 5900; the web connection establishment must run through 5800 and the session then jumps up to the 5900 socket?


Funny though, it seems it's not absolutely necessary to SNAT the return packets to MAINLAN.




Cheers for all your help; I'd still like any ideas on that automatic route addition (without autonomy) issue.




Later.
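The working configuration above, as an added example that is not eendoe's or anyone else's code from this thread: a small POSIX shell script that prints a tightened version of the rule set (DNAT for 5800 and 5900, FORWARD policy DROP with only those two ports allowed towards the VNC host, connection tracking for replies, which is why no SNAT rule is needed). The interface names eth0/eth1 and the VNC host 172.23.23.31 are assumptions used as defaults.

```shell
#!/bin/sh
# Added example (not from the thread). Prints the iptables rules for the
# "VNC gateway" described above. Assumed defaults: eth0 = MAINLAN side,
# eth1 = isolated side, VNC host 172.23.23.31, ports 5800 (Java viewer)
# and 5900 (RFB session). Pipe the output into "sh" as root to apply.
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
VNC_HOST="${VNC_HOST:-172.23.23.31}"
VNC_PORTS="${VNC_PORTS:-5800 5900}"

vnc_gateway_rules() {
    # The kernel must route between the two interfaces.
    echo "sysctl -w net.ipv4.ip_forward=1"
    # Do not leave FORWARD at ACCEPT: only the rules below may cross the box.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    echo "iptables -t nat -F PREROUTING"
    # Replies to DNATed connections are reverse-translated by conntrack, so
    # no POSTROUTING/SNAT rule is required as long as the VNC host routes
    # its replies via 172.23.23.1 (this gateway).
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in $VNC_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $EXTIF -p tcp --dport $port -j DNAT --to-destination $VNC_HOST:$port"
        echo "iptables -A FORWARD -i $EXTIF -o $INTIF -d $VNC_HOST -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Log whatever else tries to cross so unexpected use of the gateway is visible.
    echo "iptables -A FORWARD -j LOG --log-prefix 'vncgw-drop: '"
}

# Helper for checks: how many generated rules mention a given destination port.
count_rules_for_port() {
    vnc_gateway_rules | grep -c -- "--dport $1 " || true
}

vnc_gateway_rules
```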
 
Old 12-16-2006, 08:42 AM   #6
amitsharma_26
Quote:
Originally Posted by eendoe
Funny though, it seems it's not absolutely necessary to SNAT the return packets to MAINLAN.
One-way NATed packets find their way back on their own. That's how one-way NATing works.
 
Old 12-20-2006, 06:51 PM   #7
bbjmmj
Maybe like this, I'm not sure:

Code:
iptables -A FORWARD -s 10.10.10.9 -p tcp -m tcp --sport 5800 -j ACCEPT
iptables -t nat -A PREROUTING -d 172.23.23.1 -p tcp -m tcp --dport 5800 -j DNAT --to-destination 10.10.10.9
iptables -t nat -A POSTROUTING -d 10.10.10.9 -p tcp -m tcp --dport 5800 -j SNAT --to-source 172.23.23.1