Q: ipchains/ipmasqadm and VNC

BJ Blanchard blabj "at" mrrm.ca
Thu, 09 Nov 2000 18:14:52 +0000


A more secure approach is either setting up a pptp tunnel (a la VPN) or a redirected SSH connection.  I prefer the redirected SSH connection with port forwarding since you only need to allow one port through the firewall, and it doesn't have to be an SSH port since you specify a different port on most SSH clients.

BJ.

> Hello list,
> 
> after reading all available documentation and searching through the
> list archives I am still not able to get VNC running like I want it to.
> 
> Here is what I want to do:
> I have dialup users wanting to connect from anywhere on the Internet (i.e.
> dynamic ip addresses) via a firewall (Linux 2.2.* kernel with ipchains)
> to an NT machine inside the internal LAN running the VNC server.
> 
> Note: I also have an NT machine inside the LAN running MS Exchange 
> and I am successfully using ipmasqadm portfw to forward all incoming
> and outgoing smtp traffic to and from that NT machine via the firewall.
> 
> Trying the same procedure for VNC traffic simply does not work, whatever
> I try. I thought I was familiar enough with the ipchains and ipmasqadm rules
> to get VNC working just like I did with smtp but either my assumption is 
> plain wrong or I am missing some crucial part :)
> 
> Here are the rules (of the VNC part only) :
> 
> # Local host main IP 
> LocalHost="xxx.xxx.xxx.xxx"   <- changed for security reasons
> LocalVNCHost="192.168.15.xxx" <- changed for security reasons
> # Physical interfaces 
> ExternalInterface="eth0"
> InternalInterface="eth1"
> # Ports and port ranges
> UnPrivPorts="1024:65535"
> 
> # accept any packets from ports above 5900 from anywhere to port 5900 on the
> firewall's external interface
> ipchains -A input -s 0.0.0.0/0 5900: -d $LocalHost 5900 -p tcp -i
> $ExternalInterface -j ACCEPT --log
> ipchains -A output -s $LocalHost 5900: -d 0.0.0.0/0 5900: -p tcp -i
> $ExternalInterface -j ACCEPT --log
> ipmasqadm portfw -a -P tcp -L $LocalHost 5900 -R $LocalVNCHost 5900
> 
> For a comparison with a working set of rules that does the above mentioned
> SMTP part - these are
> working rules:
> 
> ipchains -A input -s 0.0.0.0/0 1024: -d $LocalHost 25 -p tcp -j ACCEPT
> ipchains -A output -s $LocalHost smtp -d 0.0.0.0/0 1024: -p tcp -j ACCEPT
> ipmasqadm portfw -a -P tcp -L $LocalHost 25 -R $InternalMailHost 25:$UnPrivPorts
> ipmasqadm portfw -a -P udp -L $LocalHost 25 -R $InternalMailHost 25:$UnPrivPorts
> 
> Ok, sorry for this long posting and many thanks in advance for any help.
> 
> Regards,
>  Erwin
> ---------------------------------------------------------------------
> To unsubscribe, send a message with the line: unsubscribe vnc-list
> to majordomo "at" uk.research.att.com
> See also: http://www.uk.research.att.com/vnc/intouch.html
> ---------------------------------------------------------------------
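Editor's added example, not code from either poster. One difference between the two quoted rule sets is the source-port spec on the input rule: the working SMTP rule uses `1024:`, the VNC rule uses `5900:`. In ipchains syntax a spec of the form `low:` means `low` through 65535, so `5900:` does not cover client source ports between 1024 and 5899. The small matcher below models only that port-range part of an ipchains rule and runs both rules, plus a corrected VNC rule and a single-port SSH rule of the kind the reply recommends, over a constructed list of client source ports. The sample ports and the SSH listening port 2222 are assumptions made for the example, not values from the thread, and whether this range mismatch was actually Erwin's problem is not confirmed by the page.

```python
"""Matcher for ipchains-style port specifications (added example).

Models only the "-s ... port" / "-d ... port" part of an ipchains input
rule: "port", "low:high", "low:" (low..65535) and ":high" (0..high).
"""
from dataclasses import dataclass

MAX_PORT = 65535


def parse_port_spec(spec: str) -> tuple[int, int]:
    """Turn an ipchains port spec into an inclusive (low, high) range.

    "25" -> (25, 25), "1024:" -> (1024, 65535), ":1023" -> (0, 1023),
    "5900:5910" -> (5900, 5910).
    """
    if ":" in spec:
        low_s, high_s = spec.split(":", 1)
        low = int(low_s) if low_s else 0
        high = int(high_s) if high_s else MAX_PORT
    else:
        low = high = int(spec)
    if not (0 <= low <= high <= MAX_PORT):
        raise ValueError(f"bad port spec: {spec!r}")
    return low, high


@dataclass(frozen=True)
class InputRule:
    """Source/destination port parts of an ipchains input ACCEPT rule."""
    src_ports: str
    dst_ports: str

    def matches(self, src_port: int, dst_port: int) -> bool:
        s_lo, s_hi = parse_port_spec(self.src_ports)
        d_lo, d_hi = parse_port_spec(self.dst_ports)
        return s_lo <= src_port <= s_hi and d_lo <= dst_port <= d_hi


# Port parts of the two input rules as quoted in the thread.
SMTP_INPUT = InputRule(src_ports="1024:", dst_ports="25")
VNC_INPUT = InputRule(src_ports="5900:", dst_ports="5900")
# Same VNC rule with the unprivileged-port range the SMTP rule uses.
VNC_INPUT_FIXED = InputRule(src_ports="1024:", dst_ports="5900")
# Single forwarded SSH port (2222 is an assumed value), as the reply suggests;
# VNC then rides inside the tunnel and port 5900 is never opened externally.
SSH_INPUT = InputRule(src_ports="1024:", dst_ports="2222")

# Constructed sample: a client's first connection uses whatever ephemeral
# source port its TCP stack hands out; several of these sit below 5900.
SAMPLE_CLIENT_SRC_PORTS = [1025, 1052, 3456, 5899, 5900, 32768, 61000]


def accepted_src_ports(rule: InputRule, dst_port: int,
                       src_ports=SAMPLE_CLIENT_SRC_PORTS) -> list[int]:
    """Client source ports the rule lets through to dst_port."""
    return [p for p in src_ports if rule.matches(p, dst_port)]


def dropped_src_ports(rule: InputRule, dst_port: int,
                      src_ports=SAMPLE_CLIENT_SRC_PORTS) -> list[int]:
    """Client source ports the rule does not match (fall through to policy)."""
    return [p for p in src_ports if not rule.matches(p, dst_port)]


if __name__ == "__main__":
    print("SMTP rule accepts:      ", accepted_src_ports(SMTP_INPUT, 25))
    print("VNC rule accepts:       ", accepted_src_ports(VNC_INPUT, 5900))
    print("VNC rule drops:         ", dropped_src_ports(VNC_INPUT, 5900))
    print("fixed VNC rule accepts: ", accepted_src_ports(VNC_INPUT_FIXED, 5900))
    print("SSH rule, VNC port 5900:", accepted_src_ports(SSH_INPUT, 5900))
```

Run it as a script to see which constructed source ports each rule admits; the SSH rule shows the reply's point, since nothing reaches port 5900 from outside and only the single tunnel port is exposed.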