Enabling VNC

gillian gillian.bennett at celentia.com
Wed Oct 20 03:13:52 UTC 2004


On Wed, 2004-10-20 at 10:50, Jeremy Conlin wrote:
> On 2004-10-19 14:02:10 -0400, Volker Kindermann <ml at ps102.de> said:
> > 
> > you need a rule such as
> > $IPTABLES -A INPUT -p tcp -d <linuxmachine> --destination-port 5901 -m 
> > state --state NEW -j ACCEPT
> > 
> > (all one line)
> > 
> > and something like
> > 
> > $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
> > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > 
> > where $IPTABLES is the path to the iptables binary.
> 
> Well...
> I tried to do those four commands, but it didn't work.  When I tried to 
> connect via my VNC client it said connection refused. :(  Does the 
> iptables command change/write to the /etc/sysconfig/iptables file?  
> Isn't this what defines what comes in and out?  Sorry if my questions 
> are so basic; this is far outside my area of expertise.
> Thanks,
> Jeremy
> 

To get logging output you need to tell iptables to do this. You will
need to add corresponding logging commands to each command you add to
see its effect:

$IPTABLES -A INPUT -p tcp -d <linuxmachine> --destination-port 5901 \
    -m state --state NEW -j LOG \
    --log-prefix "whatever you want to see in your log" --log-level DEBUG

$IPTABLES -A INPUT -p tcp -d <linuxmachine> --destination-port 5901 \
    -m state --state NEW -j ACCEPT

Or something like that. Running man iptables will give you the log-level
options you can use. Also, you can only use 29 characters or something odd
like that in your log-prefix (this is what will be added to your log
file entry to identify where the log message is from). From my kernel
file, for example, I have:

Oct 11 21:20:36 linuxmachine kernel: DROP TCP PKT IN=eth0 OUT= MAC=00:03:47:d0:3b:cb:00:90:d0:89:c7:fe:08:00 SRC=203.51.164.155 DST=192.168.79.254 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=62719 DF PROTO=TCP SPT=4236 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0

The log-prefix is "DROP TCP PKT IN " so this entry is easily identified
in the iptables file. The log-level here is "info". Just one caution:
limit the use of logging, especially to start with, otherwise you will
end up with a HUGE kernel file and won't be able to keep track of all
the messages (been there, done that ;D).

ta, gb
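As an added example (not part of the original thread), the following Python parses the kind of kernel log entry the post shows, splitting each line into the --log-prefix, the KEY=VALUE fields and the bare TCP flags, and tallies entries by prefix and destination port so a busy log can be skimmed instead of read line by line. It also checks a candidate prefix against the LOG target's 29-character limit. The first sample line is the entry quoted in the post; the second, with the prefix "VNC NEW ", is constructed here to show what a logged NEW connection to port 5901 would look like and is not from the page.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# The LOG target's --log-prefix is limited to 29 characters (man iptables).
MAX_LOG_PREFIX = 29

# Sample input: the first line is the kernel log entry quoted in the post;
# the second is a constructed entry for a NEW VNC connection logged with the
# hypothetical prefix "VNC NEW " (not from the original page).
SAMPLE_LINES = [
    "Oct 11 21:20:36 linuxmachine kernel: DROP TCP PKT IN=eth0 OUT= "
    "MAC=00:03:47:d0:3b:cb:00:90:d0:89:c7:fe:08:00 SRC=203.51.164.155 "
    "DST=192.168.79.254 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=62719 DF "
    "PROTO=TCP SPT=4236 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Oct 20 03:10:02 linuxmachine kernel: VNC NEW IN=eth0 OUT= "
    "MAC=00:03:47:d0:3b:cb:00:90:d0:89:c7:fe:08:00 SRC=192.168.79.10 "
    "DST=192.168.79.254 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
    "PROTO=TCP SPT=51234 DPT=5901 WINDOW=5840 RES=0x00 SYN URGP=0",
]

# syslog timestamp, host, "kernel:", an optional "[ 123.456]" printk
# timestamp that newer kernels add, then the text written by the LOG target.
_KERNEL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*[\d.]+\]\s*)?(?P<rest>.*)$"
)


def check_log_prefix(prefix: str) -> bool:
    """True if the prefix fits the LOG target's limit; iptables rejects longer ones."""
    return len(prefix) <= MAX_LOG_PREFIX


def parse_iptables_log(line: str) -> Optional[dict]:
    """Split one kernel log line into prefix, KEY=VALUE fields and bare flags.

    Returns None for lines that are not kernel messages. The prefix is every
    token before the first KEY=VALUE token, so a prefix containing '=' would
    be misread (assumption: prefixes are plain words, as in the post).
    """
    m = _KERNEL_RE.match(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    flags: List[str] = []
    prefix_words: List[str] = []
    seen_field = False
    for tok in m.group("rest").split():
        if "=" in tok:
            seen_field = True
            key, value = tok.split("=", 1)   # "OUT=" yields an empty value
            fields[key] = value
        elif seen_field:
            flags.append(tok)                # DF, SYN, ACK ... carry no value
        else:
            prefix_words.append(tok)
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": " ".join(prefix_words), "fields": fields, "flags": flags}


def is_new_tcp_to_port(entry: dict, dport: int) -> bool:
    """True for a bare TCP SYN (what '--state NEW' matches) aimed at dport."""
    f = entry["fields"]
    return (f.get("PROTO") == "TCP" and f.get("DPT") == str(dport)
            and "SYN" in entry["flags"] and "ACK" not in entry["flags"])


def count_by_prefix_and_port(lines) -> Dict[tuple, int]:
    """Tally entries by (prefix, DPT); non-kernel lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        entry = parse_iptables_log(line)
        if entry is None:
            continue
        counts[(entry["prefix"], entry["fields"].get("DPT", "-"))] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_iptables_log(line)
        tag = "NEW to VNC" if is_new_tcp_to_port(e, 5901) else ""
        print(e["prefix"], e["fields"]["SRC"], "->", e["fields"]["DPT"], tag)
    print(count_by_prefix_and_port(SAMPLE_LINES))
```

Pipe the lines of /var/log/messages (or the output of dmesg) through parse_iptables_log to see whether the VNC client's SYN is reaching the box at all: if a "NEW to VNC" entry never appears, the packet is being dropped before the LOG rule or is not arriving, which is a different problem from the rule order.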
