ipchains/ipmasqadm and VNC

Scott G. Ainsworth scott "at" ainsworth.exis.net
Thu, 09 Nov 2000 17:00:16 +0000


I do exactly the same thing, so I checked my rules.  I think your problem is
that you are specifying a source port of 5900 or above in your input rule.
I just checked my current connection; the source port is 1383.

Scott Ainsworth

> -----Original Message-----
> From: owner-vnc-list "at" uk.research.att.com
> [mailto:owner-vnc-list "at" uk.research.att.com]On Behalf Of Erwin
> Zierler -
> Stubainet
> Sent: Thursday, November 09, 2000 11:23
> To: vnc-list "at" uk.research.att.com
> Subject: Q: ipchains/ipmasqadm and VNC
>
>
> Hello list,
>
> after reading all available documentation and searching through the
> list archives I am still not able to get VNC running like I want it to.
>
> Here is what I want to do:
> I have dialup users wanting to connect from anywhere on the Internet
> (i.e. dynamic IP addresses) via a firewall (Linux 2.2.* kernel with
> ipchains) to an NT machine inside the internal LAN running the VNC server.
>
> Note: I also have an NT machine inside the LAN running MS Exchange
> and I am successfully using ipmasqadm portfw to forward all incoming
> and outgoing smtp traffic to and from that NT machine via the
> firewall.
>
> Trying the same procedure for VNC traffic simply does not work, whatever
> I try. I thought I was familiar enough with the ipchains and ipmasqadm
> rules to get VNC working just like I did with SMTP, but either my
> assumption is plain wrong or I am missing some crucial part :)
>
> Here are the rules (of the VNC part only) :
>
> # Local host main IP
> LocalHost="xxx.xxx.xxx.xxx"   <- changed for security reasons
> LocalVNCHost="192.168.15.xxx" <- changed for security reasons
> # Physical interfaces
> ExternalInterface="eth0"
> InternalInterface="eth1"
> # Ports and port ranges
> UnPrivPorts="1024:65535"
>
> # accept any packets from ports above 5900 from anywhere to port 5900 on the
> # firewall's external interface
> ipchains -A input -s 0.0.0.0/0 5900: -d $LocalHost 5900 -p tcp -i $ExternalInterface -j ACCEPT --log
> ipchains -A output -s $LocalHost 5900: -d 0.0.0.0/0 5900: -p tcp -i $ExternalInterface -j ACCEPT --log
> ipmasqadm portfw -a -P tcp -L $LocalHost 5900 -R $LocalVNCHost 5900
>
> For a comparison with a working set of rules that does the above
> mentioned SMTP part - these are working rules:
>
> ipchains -A input -s 0.0.0.0/0 1024: -d $LocalHost 25 -p tcp -j ACCEPT
> ipchains -A output -s $LocalHost smtp -d 0.0.0.0/0 1024: -p tcp -j ACCEPT
> ipmasqadm portfw -a -P tcp -L $LocalHost 25 -R $InternalMailHost 25:$UnPrivPorts
> ipmasqadm portfw -a -P udp -L $LocalHost 25 -R $InternalMailHost 25:$UnPrivPorts
>
> Ok, sorry for this long posting and many thanks in advance for any help.
>
> Regards,
>  Erwin
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
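Added example, not code from either poster on the list: a small POSIX shell simulator for the port half of an ipchains `-s`/`-d` match, showing why the posted input rule never sees a real VNC client's first packet. It assumes only the port-spec syntax used in the posted rules (`N`, `N:M`, `N:`, `:M`) and the client source port 1383 that the reply observed; the corrected rule set it prints reuses the `1024:` range from the working SMTP rules, which is the fix the reply implies rather than one confirmed on the list.

```shell
#!/bin/sh
# Added example (not from the vnc-list thread): simulate the source/destination
# port part of an ipchains match to show which rule passes a VNC client's SYN.

# port_in_spec SPEC PORT
# SPEC in ipchains syntax: "N", "N:M", "N:" (N..65535) or ":M" (0..M).
# Returns 0 (true) when PORT lies inside SPEC.
port_in_spec() {
    spec=$1
    port=$2
    case $spec in
        *:*)
            lo=${spec%%:*}
            hi=${spec#*:}
            [ -n "$lo" ] || lo=0
            [ -n "$hi" ] || hi=65535
            ;;
        *)
            lo=$spec
            hi=$spec
            ;;
    esac
    [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]
}

# rule_accepts SRCSPEC DSTSPEC SPORT DPORT
# Models "ipchains -A input -s 0.0.0.0/0 SRCSPEC -d $LocalHost DSTSPEC -p tcp":
# the packet matches only when both ports fall inside their specs.
rule_accepts() {
    port_in_spec "$1" "$3" && port_in_spec "$2" "$4"
}

# A VNC client's first SYN: ephemeral source port (1383 was the value observed
# in the reply) and destination port 5900. Constructed sample values.
CLIENT_SPORT=1383
VNC_PORT=5900

# The posted input rule: source ports 5900 and up only.
posted_rule_accepts() {
    rule_accepts "5900:" "5900" "$CLIENT_SPORT" "$VNC_PORT"
}

# The same rule with the unprivileged range the working SMTP rule uses.
fixed_rule_accepts() {
    rule_accepts "1024:" "5900" "$CLIENT_SPORT" "$VNC_PORT"
}

# Print the candidate corrected rule set (text only; nothing touches the kernel).
# Assumed fix: mirror the SMTP rules' 1024: range for the client side.
print_fixed_rules() {
    cat <<'EOF'
ipchains -A input  -s 0.0.0.0/0 1024: -d $LocalHost 5900  -p tcp -i $ExternalInterface -j ACCEPT --log
ipchains -A output -s $LocalHost 5900 -d 0.0.0.0/0 1024: -p tcp -i $ExternalInterface -j ACCEPT --log
ipmasqadm portfw -a -P tcp -L $LocalHost 5900 -R $LocalVNCHost 5900
EOF
}

if posted_rule_accepts; then
    echo "posted rule: client SYN from port $CLIENT_SPORT accepted"
else
    echo "posted rule: client SYN from port $CLIENT_SPORT dropped (source port below 5900)"
fi
if fixed_rule_accepts; then
    echo "fixed rule:  client SYN from port $CLIENT_SPORT accepted"
fi
print_fixed_rules
```

Run it with `sh`; it reports which rule matches the client's first packet and prints the candidate rules. The corrected input rule still accepts port 5900 from `0.0.0.0/0`, so if the dial-up users come from a known provider address pool, narrowing `-s` to that range is the cheapest extra control; otherwise keeping `--log` on the ACCEPT rule at least leaves a record of each connection source.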