RE: iptables - port redirection - VNC

From: Michael Scully (agentscully_at_flexiblestrategies.com)
Date: 06/25/04

  • Next message: Rudolf Ladyzhenskii: "RE: iptables - port redirection - VNC"
    To: "'General Red Hat Linux discussion list'" <redhat-list@redhat.com>
    Date: Thu, 24 Jun 2004 16:36:33 -0700
    
    

    Rudolf:

    Ports 5800 and up are for browser-based control. The native VNC
    client uses the 5900 and up sockets.

    But beware of the port sequences. Using VNC on Linux gives you
    virtual X sessions, and they normally start with session 1 since session 0
    is the console. The access ports are 5900 PLUS the session. So the first
    virtual X session will listen on port 5901, the second on 5902, etc. 5901 is
    the port you need exposed in the router pinhole, assuming you have VNC
    hosting session 1.

    If you run VNC server on a Windows box, the concept of virtual
    sessions isn't used, so there is only a base 0 session. It's interactive
    with the desktop users, so you can both interact with the keyboard, mouse,
    etc. So if you're trying to access a Windows machine remotely, it IS port
    5900 for the pinhole.

    Scully

    -----Original Message-----
    From: redhat-list-bounces@redhat.com [mailto:redhat-list-bounces@redhat.com]
    On Behalf Of Rudolf Ladyzhenskii
    Sent: Thursday, June 24, 2004 3:36 PM
    To: General Red Hat Linux discussion list
    Subject: RE: iptables - port redirection - VNC

    You have to do port 5800 as well

    Rudolf

    -----Original Message-----
    From: GK [mailto:guskasus@yahoo.com.ar]
    Sent: Friday, June 25, 2004 2:19 AM
    To: General Red Hat Linux discussion list
    Subject: RE: iptables - port redirection - VNC

    Thanks Nathaniel!
    I put these lines in but I still cannot connect to my PCs inside.
    I added "-t nat" to the first line because it gave me an error. Is that OK?

    Do you have another idea?

    GusKa.

    On Thu, 24 Jun 2004 at 12:17, Nathaniel Hall wrote:

    > Just by scanning over it pretty quickly, this is what I would do.
    >
    > $IPTABLES -A PREROUTING -d $PUBLICIP -p tcp -m tcp --dport 5900 -j DNAT
    > --to-destination 192.168.10.79:5900
    > $IPTABLES -A FORWARD -d 192.168.10.79 -p tcp -m tcp --dport 5900 -j ACCEPT
    > $IPTABLES -A PREROUTING -d $PUBLICIP -p tcp -m tcp --dport 80 -j DNAT
    > --to-destination 192.168.10.80:80
    > $IPTABLES -A FORWARD -d 192.168.10.80 -p tcp -m tcp --dport 80 -j ACCEPT
    >
    >
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~
    > Nathaniel Hall
    > Intrusion Detection and Firewall Technician
    > Ozarks Technical Community College -- Office of Computer Networking
    > 417-799-0552
    >
    >
    > -----Original Message-----
    > From: redhat-list-bounces@redhat.com [mailto:redhat-list-bounces@redhat.com]
    > On Behalf Of GK
    > Sent: Thursday, June 24, 2004 10:06 AM
    > To: redhat-list@redhat.com
    > Subject: iptables - port redirection - VNC
    >
    > Hi, I am a newbie in iptables. I must be doing something wrong. Is there an
    > iptables expert here? Sure!
    > I need to do port redirection from outside (Internet) to inside (one
    > specific PC). But the packets from the Internet to my public IP (port 5900)
    > are DROPped.
    > I need access via VNC from the Internet to the LAN inside, and to another
    > port (8080). These are a few lines from my script to configure iptables.
    >
    > Can somebody help me, please?
    > Does anyone have any ideas?
    > Thanks in advance,
    >
    > GusKa.
    >
    > ---------------------
    >
    > # eth0 local interface to Internet.
    > # eth1 local interface to private LAN.
    > # ppp0
    >
    > #PRIVATE= private LAN
    > #EXTINT= Outside interface
    > #INTINT= Inside Interface
    > #EXTPPP= Outside public Interface
    > #PUBLICIP= My Public IP
    >
    >
    > PRIVATE=192.168.10.0/24
    > EXTINT=eth0
    > INTINT=eth1
    > EXTPPP=ppp0
    > PUBLICIP=201.254.205.12
    > LOOP=127.0.0.1
    >
    > $IPTABLES -P OUTPUT ACCEPT
    > $IPTABLES -P INPUT DROP
    > $IPTABLES -P FORWARD DROP
    >
    >
    > # NAT to Outside.
    > $IPTABLES -t nat -A POSTROUTING -s $PRIVATE -p tcp -o $EXTPPP -j SNAT
    > --to $PUBLICIP
    >
    >
    > $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    > $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    >
    > # VNC to PC inside (private LAN)
    > $IPTABLES -A PREROUTING -t nat -p tcp -d $PUBLICIP --dport 5900 -j DNAT
    > --to 192.168.10.79:5900
    > $IPTABLES -A FORWARD -i $EXTINT -o $INTINT -p tcp --dport 5900 -m state
    > --state NEW,ESTABLISHED,RELATED -j ACCEPT
    > # HTTP 8080 to server inside httpd
    > $IPTABLES -A PREROUTING -t nat -p tcp -d $PUBLICIP --dport 8080 -j DNAT
    > --to 192.168.10.80:80
    > $IPTABLES -A FORWARD -i $EXTINT -o $INTINT -p tcp --dport 8080 -m state
    > --state NEW,ESTABLISHED,RELATED -j ACCEPT
    >
    > # www, dns, smtp are open
    > $IPTABLES -A INPUT -p tcp --dport http -j ACCEPT
    > $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
    > $IPTABLES -A INPUT -p tcp --dport smtp -j ACCEPT
    > $IPTABLES -A INPUT -p tcp --dport domain -j ACCEPT
    > $IPTABLES -A INPUT -p udp --dport domain -j ACCEPT
    >
    >
    > # Masquerading rule
    > $IPTABLES -A INPUT -s $PRIVATE -m state --state NEW -j ACCEPT
    > $IPTABLES -A OUTPUT -s $PRIVATE -m state --state NEW -j ACCEPT
    > $IPTABLES -A FORWARD -s $PRIVATE -m state --state NEW -j ACCEPT
    >
    >
    > # All in loopback
    > $IPTABLES -A INPUT -i lo -j ACCEPT
    > $IPTABLES -A OUTPUT -o lo -j ACCEPT
    >
    >
    > # All in private LAN
    > $IPTABLES -A INPUT -i $INTINT -j ACCEPT
    > $IPTABLES -A FORWARD -i $INTINT -j ACCEPT
    >
    > $IPTABLES -A INPUT -j DROP
    > $IPTABLES -A FORWARD -j DROP
    >
    >
    >
    >
    > echo 1 > /proc/sys/net/ipv4/ip_forward
    >
    >
    > --
    > redhat-list mailing list
    > unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    > https://www.redhat.com/mailman/listinfo/redhat-list

    -- 
    redhat-list mailing list
    unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
    https://www.redhat.com/mailman/listinfo/redhat-list
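The port arithmetic Scully describes (5900 plus the X display, 5800 plus the display for the browser viewer) and the two DNAT/FORWARD rule pairs from GusKa's script, as an added example that is not code from any of the posters. It is a dry-run generator: with IPTABLES unset it only prints the rules, so it can be read and checked offline. Its assumptions are constructed and not taken from anyone's real configuration: a placeholder public address from the TEST-NET-3 range, the public IP living on ppp0 (which the poster's `-o $EXTPPP` SNAT rule implies), the LAN behind eth1, and a preceding rule that already accepts ESTABLISHED,RELATED traffic in FORWARD, as the poster's script has. The function names `vnc_port`, `vnc_http_port`, `forward_port` and `forward_vnc` are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: dry-run generator for VNC and web
# port forwarding through an iptables gateway.  Assumptions (constructed): the
# public IP is on ppp0, the LAN is behind eth1, and FORWARD already has an
# ESTABLISHED,RELATED accept rule ahead of these, as in the poster's script.
#
# With IPTABLES unset the rules are only printed; run as root with
# IPTABLES=iptables to apply them.
IPTABLES="${IPTABLES:-echo iptables}"

PUBLICIP=203.0.113.10       # constructed placeholder public address (TEST-NET-3)
EXTPPP=ppp0                 # interface that actually carries the public IP
INTINT=eth1                 # interface facing the private LAN
VNCHOST=192.168.10.79       # LAN host running the VNC server (from the thread)

# vnc_port DISPLAY: TCP port of the native VNC listener for X display :DISPLAY.
# On Linux the first virtual X session is :1, so it listens on 5901; a Windows
# VNC server shares the console as display :0, i.e. port 5900.
vnc_port() { echo $((5900 + $1)); }

# vnc_http_port DISPLAY: port of the browser (Java viewer) listener, 5800+DISPLAY.
vnc_http_port() { echo $((5800 + $1)); }

# forward_port PUBPORT HOST INTPORT: DNAT PUBLICIP:PUBPORT to HOST:INTPORT and
# accept the forwarded flow.  Two details that silently drop traffic in the
# original script: the FORWARD chain sees the packet *after* DNAT, so it must
# match the internal host and port (80, not 8080), and -i must name the
# interface the Internet packets really arrive on (ppp0, not eth0).
forward_port() {
    pubport=$1; host=$2; intport=$3
    $IPTABLES -t nat -A PREROUTING -i "$EXTPPP" -d "$PUBLICIP" -p tcp \
        --dport "$pubport" -j DNAT --to-destination "$host:$intport"
    $IPTABLES -A FORWARD -i "$EXTPPP" -o "$INTINT" -d "$host" -p tcp \
        --dport "$intport" -m state --state NEW -j ACCEPT
}

# forward_vnc DISPLAY: expose the native VNC port of one X display on the same
# port number externally (5901 -> 5901 for display :1).
forward_vnc() {
    port=$(vnc_port "$1")
    forward_port "$port" "$VNCHOST" "$port"
}

# Usage matching the thread: VNC display :1 on the Linux host, and the
# internal web server reached via public port 8080.
forward_vnc 1
forward_port 8080 192.168.10.80 80
```

The printed output can be compared line by line with the poster's rules: the 8080 pair differs exactly in the FORWARD `--dport` (80 after DNAT) and the ingress interface. Adding `-s` with the remote client's address to both rules in `forward_port` limits who can reach the VNC listener at all, which is the usual way to keep a pinhole from exposing the service to the whole Internet.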
    
