iptables - port redirection - VNC

Rudolf Ladyzhenskii Rudolf.ladyzhenskii at opennw.com
Thu Jun 24 23:40:12 UTC 2004


Hi,

Yes, this is correct. I have just configured my system to be accessible from outside, but I used browser control, so I automatically assumed the same situation here. My mistake.
Yes, I am running VNC server on a Windows box behind Linux firewall.

Rudolf

-----Original Message-----
From: Michael Scully [mailto:agentscully at flexiblestrategies.com]
Sent: Friday, June 25, 2004 9:37 AM
To: 'General Red Hat Linux discussion list'
Subject: RE: iptables - port redirection - VNC


Rudolph:

	Port 5800 and up are for browser based control.  The native VNC
client uses the 5900 and up sockets.

	But beware of the port sequences.  Using VNC on Linux gives you
virtual X sessions, and they normally start with session 1 since session 0
is the console.  The access ports are 5900 PLUS the session.  So the first
virtual X session will listen on port 5901, second on 5902, etc.  5901 is
the port you need exposed in the router pinhole, assuming you have VNC
hosting session 1.

	If you run VNC server on a Windows box, the concept of virtual
sessions isn't used, so there is only a base 0 session.  It's interactive
with the desktop users, so you can both interact with the keyboard, mouse,
etc.  So if you're trying to access a Windows machine remote, it IS port
5900 for the pinhole.

Scully


-----Original Message-----
From: redhat-list-bounces at redhat.com [mailto:redhat-list-bounces at redhat.com]
On Behalf Of Rudolf Ladyzhenskii
Sent: Thursday, June 24, 2004 3:36 PM
To: General Red Hat Linux discussion list
Subject: RE: iptables - port redirection - VNC

You have to do port 5800 as well

Rudolf

-----Original Message-----
From: GK [mailto:guskasus at yahoo.com.ar]
Sent: Friday, June 25, 2004 2:19 AM
To: General Red Hat Linux discussion list
Subject: RE: iptables - port redirection - VNC


Thanks Nathaniel!
I put these lines in but I still cannot connect to my PCs inside.
I added "-t nat" to the first line because it gave me an error. Is that OK?

Do you have another idea?

GusKa.

On Thu, 24 Jun 2004 at 12:17, Nathaniel Hall wrote:

> Just by scanning over it pretty quickly, this is what I would do.
> 
> $IPTABLES -A PREROUTING -d $PUBLICIP -p tcp -m tcp --dport 5900 -j DNAT
> --to-destination 192.168.10.79:5900
> $IPTABLES -A FORWARD -d 192.168.10.79 -p tcp -m tcp --dport 5900 -j ACCEPT
> $IPTABLES -A PREROUTING -d $PUBLICIP -p tcp -m tcp --dport 80 -j DNAT
> --to-destination 192.168.10.80:80
> $IPTABLES -A FORWARD -d 192.168.10.80 -p tcp -m tcp --dport 80 -j ACCEPT
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~
> Nathaniel Hall
> Intrusion Detection and Firewall Technician
> Ozarks Technical Community College -- Office of Computer Networking
> 417-799-0552
> 
> 
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com]
> On Behalf Of GK
> Sent: Thursday, June 24, 2004 10:06 AM
> To: redhat-list at redhat.com
> Subject: iptables - port redirection - VNC
> 
> Hi, I am a newbie in iptables. I must be doing something wrong. Is there an
> expert in iptables? Sure!
> I need to do port redirection from outside (Internet) to inside (one
> specific PC). But the packets from the Internet to my public IP (port 5900)
> are DROPped.
> I need access via VNC from the Internet to the LAN inside and another port
> (8080). These are a few lines from my script to configure iptables.
> 
> Can somebody help me, please?
> Does anyone have any ideas?
> Thanks in advance,
> 
> GusKa.
> 
> ---------------------
> 
> # eth0 local interface to Internet.
> # eth1 local interface to private LAN.
> # ppp0 
> 
> #PRIVATE= private LAN
> #EXTINT= Outside interface
> #INTINT= Inside Interface
> #EXTPPP= Outside public Interface 
> #PUBLICIP= My Public IP
>  
> 
> PRIVATE=192.168.10.0/24
> EXTINT=eth0
> INTINT=eth1
> EXTPPP=ppp0
> PUBLICIP=201.254.205.12
> LOOP=127.0.0.1
> 
> $IPTABLES -P OUTPUT  ACCEPT
> $IPTABLES -P INPUT   DROP
> $IPTABLES -P FORWARD DROP
>  
> 
> # NAT to Outside.
> $IPTABLES -t nat -A POSTROUTING -s $PRIVATE -p tcp -o $EXTPPP -j SNAT
> --to $PUBLICIP
>  
> 
> $IPTABLES -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # VNC to PC inside (private LAN)
> $IPTABLES -A PREROUTING -t nat -p tcp -d $PUBLICIP --dport 5900 -j DNAT
> --to 192.168.10.79:5900
> $IPTABLES -A FORWARD -i $EXTINT -o $INTINT -p tcp --dport 5900 -m state
> --state NEW,ESTABLISHED,RELATED -j ACCEPT
> # HTTP 8080 to server inside httpd
> $IPTABLES -A PREROUTING -t nat -p tcp -d $PUBLICIP --dport 8080 -j DNAT
> --to 192.168.10.80:80
> $IPTABLES -A FORWARD -i $EXTINT -o $INTINT -p tcp --dport 8080 -m state
> --state NEW,ESTABLISHED,RELATED -j ACCEPT
> 
> # www, dns, smtp are open
> $IPTABLES -A INPUT -p tcp --dport http -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport smtp -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport domain -j ACCEPT
> $IPTABLES -A INPUT -p udp --dport domain -j ACCEPT
>  
> 
> # Masquerading rule
> $IPTABLES -A INPUT  -s $PRIVATE  -m state --state NEW  -j ACCEPT
> $IPTABLES -A OUTPUT  -s $PRIVATE  -m state --state NEW  -j ACCEPT
> $IPTABLES -A FORWARD  -s $PRIVATE  -m state --state NEW  -j ACCEPT
>  
> 
> # All in loopack
> $IPTABLES -A INPUT  -i lo  -j ACCEPT
> $IPTABLES -A OUTPUT  -o lo  -j ACCEPT
>  
> 
> # All in private LAN
> $IPTABLES -A INPUT -i $INTINT -j ACCEPT
> $IPTABLES -A FORWARD -i $INTINT -j ACCEPT
> 
> $IPTABLES -A INPUT -j DROP
> $IPTABLES -A FORWARD  -j DROP
>  
> 
> 
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> 
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list

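The thread settles two separate points: which VNC port to expose (5900 plus the display number, as Scully explains, with 5800 plus the display for the browser viewer), and how a DNAT pinhole has to be written in iptables. The script below is an added example, not code from any of the posters. It derives the VNC ports from a display number and prints (rather than executes) the pair of rules a pinhole needs, carrying two details that GK's script gets wrong: PREROUTING only exists in the nat table, so the rule needs `-t nat` (the error GK hit with Nathaniel's first line), and the FORWARD chain sees the packet after DNAT, so it must match the LAN host and the translated port (GK's 8080 rule matches `--dport 8080`, but after `--to 192.168.10.80:80` the port is 80) on the interface the packet really arrives on (ppp0 in GK's setup if the SNAT rule's `-o $EXTPPP` is right, not eth0). The allowed-source argument is an assumption added here so the pinhole is limited to a known client network instead of the whole Internet; the sample addresses in the usage comments are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example, not code from the thread. Derives VNC ports from a display
# number and emits the two iptables rules a DNAT pinhole needs. Variable
# roles follow GK's script (public IP, outside interface, inside interface);
# the allowed-source argument is an assumption added here for least privilege.

# Native VNC client port is 5900 + display (display 0 on Windows, 1 and up
# for Linux virtual X sessions); the browser (Java) viewer uses 5800 + display.
vnc_port() { echo $((5900 + $1)); }
vnc_http_port() { echo $((5800 + $1)); }

# Print (do not execute) a DNAT pinhole.
# Args: ingress interface, LAN interface, allowed source, public IP,
#       external port, LAN host, LAN port.
dnat_rules() {
    extif=$1; intif=$2; src=$3; public=$4; extport=$5; lanhost=$6; lanport=$7
    # PREROUTING lives only in the nat table: without -t nat iptables
    # refuses the rule.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$extif" "$src" "$public" "$extport" "$lanhost" "$lanport"
    # FORWARD sees the packet after DNAT: match the LAN host and the LAN
    # port, not the public port, and the interface the packet arrives on.
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
        "$extif" "$intif" "$src" "$lanhost" "$lanport"
}

# Wrapper for a VNC display: public and LAN port are the same (5900 + display).
# Args: display, ingress interface, LAN interface, allowed source, public IP, LAN host.
vnc_rules() {
    display=$1; shift
    port=$(vnc_port "$display")
    dnat_rules "$1" "$2" "$3" "$4" "$port" "$5" "$port"
}

# Usage with constructed sample values (documentation ranges, not real hosts):
#   vnc_rules 1 ppp0 eth1 198.51.100.0/24 203.0.113.5 192.168.10.79
#   dnat_rules ppp0 eth1 198.51.100.0/24 203.0.113.5 8080 192.168.10.80 80
```

Because the functions only print the rules, the output can be reviewed and pasted into the firewall script once the interface names and allowed source are confirmed; the FORWARD rule still relies on the script's existing `--state ESTABLISHED,RELATED` rule for return traffic.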
