vnc past firewall and ip-masqing.

Scott C. Best sbest "at" best.com
Wed, 13 Jun 2001 18:52:35 +0000


Shea:
	Heya. Good progress. :) Some thoughts:

> I have vnc running successfully.  I start the vncserver on box B, and
> then can log in w/ xvncviewer on B as well.  I logged into my
> Firewall/Masq box and entered the last two commands.  I tried to vnc
> to my ip C, today at work, but I did not even get a password prompt.

	What I forgot to mention is that ipchains is "order dependent".
So, your old firewall setup, before you added these 2 rules, probably
had as a last rule something like "block everything that makes it
this far". That's a common "last rule" for any firewall script.

	So, what you need to do is *insert* the ipchains rule somewhere
near the top. It's hard to say exactly where is the best place without
seeing your firewall script setup. Probably, somewhere in the middle
there's a section for "enabling external services". Anyhow, to put
the VNC rule at the top, try:

ipchains -I input 1 -s 0.0.0.0/0 -d $IP_EXT/32 5900 -p tcp -j ACCEPT

	That inserts it at 1, rather than -A which just appends it
to the end (after a rule which negates it).

> I am assuming by running the 3 commands you specified, that I am
> opening up port 5900 on my firewall.  If I decide that I won't be using
> vnc for a while, how do I close the port up again?

	You assume correctly. To close the hole you created, you can
either delete the rule you inserted, flush the portfw'ding or just 
re-init your whole firewall. I usually do the latter via the echowall
script I wrote. See 'man ipchains' and 'man ipmasqadm' for the details 
on doing the other two.

> ps - I am guessing that my situation is a very common one.  I was
> surprised not to find it in the FAQ.

	It's a bit firewall specific. A great source for entry-level
Linux firewall support is at: lists.sourceforge.net/lists/listinfo/leaf-user

	Hope this helps!

-Scott
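The ordering point in the reply above (a chain is evaluated first-match, so an ACCEPT appended after a catch-all DENY never fires, while one inserted at position 1 does), and the follow-up about closing the hole again by deleting the inserted rule, can be seen in a small simulation. This is an added example, not part of the original mail and not ipchains itself: it models a chain as an ordered rule list with a default policy. The address in IP_EXT and the ssh rule are constructed for illustration.

```python
# Constructed simulation of ipchains-style first-match packet filtering.
# Not ipchains itself: a tiny model of an ordered chain with a default
# policy, used to show why "-A" (append) behind a final "deny everything"
# rule never takes effect, while "-I chain 1" (insert at the top) does.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    target: str                                   # "ACCEPT" or "DENY"
    proto: Optional[str] = None                   # "tcp", "udp" or None for any
    dst: Optional[ipaddress.IPv4Network] = None   # None matches any destination
    dport: Optional[int] = None                   # None matches any port

    def matches(self, proto, dst_ip, dport):
        if self.proto and self.proto != proto:
            return False
        if self.dst and ipaddress.ip_address(dst_ip) not in self.dst:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


class Chain:
    """Ordered rule list, evaluated top to bottom; first match wins."""

    def __init__(self, policy="DENY"):
        self.rules = []
        self.policy = policy

    def append(self, rule):            # like: ipchains -A chain ...
        self.rules.append(rule)

    def insert(self, rulenum, rule):   # like: ipchains -I chain rulenum ... (1-based)
        self.rules.insert(rulenum - 1, rule)

    def delete(self, rulenum):         # like: ipchains -D chain rulenum
        del self.rules[rulenum - 1]

    def verdict(self, proto, dst_ip, dport):
        for rule in self.rules:
            if rule.matches(proto, dst_ip, dport):
                return rule.target
        return self.policy


# Constructed placeholder for the firewall's external address ($IP_EXT in the mail).
IP_EXT = "198.51.100.10"


def build_chain(vnc_rule_position):
    """A typical script: allow ssh, then a catch-all DENY as the last rule.
    The VNC rule is then either appended (lands behind the DENY) or
    inserted at rule 1 (evaluated first)."""
    chain = Chain()
    chain.append(Rule("ACCEPT", "tcp", ipaddress.ip_network(f"{IP_EXT}/32"), 22))
    chain.append(Rule("DENY"))   # "block everything that makes it this far"
    vnc = Rule("ACCEPT", "tcp", ipaddress.ip_network(f"{IP_EXT}/32"), 5900)
    if vnc_rule_position == "append":
        chain.append(vnc)
    else:
        chain.insert(1, vnc)
    return chain


def vnc_verdict(position):
    """Verdict for an inbound TCP connection to IP_EXT:5900."""
    return build_chain(position).verdict("tcp", IP_EXT, 5900)


def vnc_verdict_after_delete():
    """Insert at 1 and then delete rule 1: the hole is closed again."""
    chain = build_chain("insert")
    chain.delete(1)
    return chain.verdict("tcp", IP_EXT, 5900)


if __name__ == "__main__":
    print("VNC rule appended :", vnc_verdict("append"))       # DENY
    print("VNC rule inserted :", vnc_verdict("insert"))       # ACCEPT
    print("after deleting it :", vnc_verdict_after_delete())  # DENY
```

Running the block prints DENY for the appended rule and ACCEPT for the inserted one, which is exactly the symptom in the thread: the rule exists, but a DENY earlier in the chain is what actually answers the packet.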
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------