ipchains/ipmasqadm and VNC

Bo Berglund bo.berglund "at" telia.com
Thu, 09 Nov 2000 17:39:32 +0000


If ever this starts working I would be a happy receiver of the ipchains
ruleset you use when it works. :-)
I am looking at this as a possible way to connect to a remote location
where I want to put up a Linux firewall based on ipchains.

There are a few things I am wondering about though:
1) The port number 5900 is for the first connection only afaik,
   are you only serving out one connection?
2) I don't know about VNC, but applications I write with winsock usually
   listen on a fixed port but will accept on any port number so as not to
   block the listening port. This of course makes things worse at the
   firewall, since the actual port used for communication could be anything.
   What about VNC in this respect?

/Bo Berglund

-----Original Message-----
Here are the rules (of the VNC part only) :

# Local host main IP
LocalHost="xxx.xxx.xxx.xxx"     # changed for security reasons
LocalVNCHost="192.168.15.xxx"   # changed for security reasons
# Physical interfaces
ExternalInterface="eth0"
InternalInterface="eth1"
# Ports and port ranges
UnPrivPorts="1024:65535"

# accept any packets from ports above 5900 from anywhere to port 5900 on the
# firewall's external interface
ipchains -A input -s 0.0.0.0/0 5900: -d $LocalHost 5900 -p tcp -i $ExternalInterface -j ACCEPT --log
ipchains -A output -s $LocalHost 5900: -d 0.0.0.0/0 5900: -p tcp -i $ExternalInterface -j ACCEPT --log
ipmasqadm portfw -a -P tcp -L $LocalHost 5900 -R $LocalVNCHost 5900
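An added example, written for this archive page and not posted by either author: a rule generator in the same ipchains/ipmasqadm style that forwards a whole block of VNC displays (display N listens on TCP 5900+N) rather than only port 5900. It differs from the quoted rules in two ways worth noting. First, a VNC client connects from any source port above 1023, and ipchains keeps no connection state, so the reply rule has to allow destination ports across the whole unprivileged range; an output rule restricted to `5900:` only matches clients that happened to pick a source port of 5900 or higher. Second, the source is limited to an administrator network instead of 0.0.0.0/0. The addresses, the admin network, the display range and the forward-chain rules (which assume the usual ipchains setup where the internal network is masqueraded on the external interface) are all assumptions, not values taken from the thread.

```shell
#!/bin/sh
# Added example (not from the original posts): emit an ipchains 2.2 / ipmasqadm
# ruleset that port-forwards VNC displays :FirstDisplay-:LastDisplay through
# the firewall to an internal VNC server.
#
# Assumed values (documentation/RFC 1918 ranges, not from the thread):
LocalHost="198.51.100.10"        # firewall's external address
LocalVNCHost="192.168.15.20"     # internal VNC server
ExternalInterface="eth0"
InternalInterface="eth1"
UnPrivPorts="1024:65535"         # where VNC clients pick their source port
AdminNet="203.0.113.0/24"        # the only network allowed to reach VNC
FirstDisplay=0                   # :0 -> TCP 5900
LastDisplay=9                    # :9 -> TCP 5909

# Prints one command per line. Review the output, then pipe it into sh
# (as root) to apply it. Nothing here touches the live ruleset by itself.
vnc_portfw_rules() {
    first=$((5900 + FirstDisplay))
    last=$((5900 + LastDisplay))

    # Inbound on the external interface: admin client (any unprivileged
    # source port) -> firewall:5900-5909. Logged so connection attempts show
    # up in syslog.
    echo "ipchains -A input -p tcp -s $AdminNet $UnPrivPorts -d $LocalHost $first:$last -i $ExternalInterface -j ACCEPT -l"

    # Replies leaving the external interface: ipchains is stateless, so the
    # destination port must cover the client's whole unprivileged range,
    # not just 5900 and up.
    echo "ipchains -A output -p tcp -s $LocalHost $first:$last -d $AdminNet $UnPrivPorts -i $ExternalInterface -j ACCEPT"

    # Forward chain (-i here is the interface the packet leaves on): the
    # rewritten inbound packet towards the internal host, and the reply
    # which is masqueraded back to the firewall's address (assumed setup).
    echo "ipchains -A forward -p tcp -s $AdminNet $UnPrivPorts -d $LocalVNCHost $first:$last -i $InternalInterface -j ACCEPT"
    echo "ipchains -A forward -p tcp -s $LocalVNCHost $first:$last -d $AdminNet $UnPrivPorts -i $ExternalInterface -j MASQ"

    # ipmasqadm portfw takes a single port per entry, so loop over the block.
    d=$FirstDisplay
    while [ "$d" -le "$LastDisplay" ]; do
        p=$((5900 + d))
        echo "ipmasqadm portfw -a -P tcp -L $LocalHost $p -R $LocalVNCHost $p"
        d=$((d + 1))
    done
}

vnc_portfw_rules
```

Run the script on its own to review the generated commands; `sh vncfw.sh | sh` applies them. Keeping the rule text separate from its application makes it easy to diff a change before it reaches a remote firewall that you can only manage over the same link you are filtering.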
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------