Q: ipchains/ipmasqadm and VNC

Erwin Zierler - Stubainet Erwin.Zierler "at" stubainet.at
Thu, 09 Nov 2000 16:26:15 +0000


Hello list,

after reading all avaiable documentation and searching through the
list archives I am still not able to get VNC running like I want it to.

Here is what I want to do:
I have dialup users wanting to connect from anywhere on the Internet (i.e.
dynamic ip addresses) via a firewall (Linux 2.2.* kernel with ipchains)
to an NT machine inside the internal LAN running the VNC server.

Note: I also have an NT machine inside the LAN running MS Exchange 
and I am successfully using ipmasqadm portfw to forward all incoming
and outgoing smtp traffic to and from that NT machine via the firewall.

Trying the same procedure for VNC traffic simply does not work, what ever
I try. I though I am familiar enough with the ipchains and ipmasqadm rules
to get VNC working just like I did with smtp but either my assumption is 
plain wrong or I am missing some crucial part :)

Here are the rules (of the VNC part only) :

# Local host main IP 
LocalHost="xxx.xxx.xxx.xxx"   <- changed for security reasons
LocalVNCHost="192.168.15.xxx" <- changed for security reasons
# Physical interfaces 
ExternalInterface="eth0"
InternalInterface="eth1"
# Ports and port ranges
UnPrivPorts="1024:65535"

# accept any packets from ports above 5900 from anywhere to port 5900 on the
firewall's external interface
ipchains -A input -s 0.0.0.0/0 5900: -d $LocalHost 5900 -p tcp -i
$ExternalInterface -j ACCEPT --log
ipchains -A output -s $LocalHost 5900: -d 0.0.0.0/0 5900: -p tcp -i
$ExternalInterface -j ACCEPT --log
ipmasqadm portfw -a -P tcp -L $LocalHost 5900 -R $LocalVNCHost 5900

For a comparison with a working set of rules that does the above mentioned
SMTP part - these are
working rules:

ipchains -A input -s 0.0.0.0/0 1024: -d $LocalHost 25 -p tcp -j ACCEPT
ipchains -A output -s $LocalHost smtp -d 0.0.0.0/0 1024: -p tcp -j ACCEPT
ipmasqadm portfw -a -P tcp -L $LocalHost 25 -R $InternalMailHost 25:$UnPrivPorts
ipmasqadm portfw -a -P udp -L $LocalHost 25 -R $InternalMailHost 25:$UnPrivPorts

Ok, sorry for this long posting and many thanks in advance for any help.

Regards,
 Erwin
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------