Java Viewer & SSH port forwarding configuration
Michael F. Murphy
Wed Nov 13 13:40:01 2002
>> Gateway has iptables with the following relevant rules:
>> /sbin/iptables -A tcpin -p tcp --dport 5980 -j ACCEPT
>> /sbin/iptables -A tcpin -p tcp --dport 5880 -j ACCEPT
>If you are using SSH tunneling you don't need these ports open.
These are the ports that SSH opens up from the server on to the Gateway
for VNC Viewers to connect to.
I think I need the ports open through the gateway for viewers to connect to
my gateway because they (the viewers) are not using SSH tunneling, only the
servers are.
The reason I use the gateway is that the VNC servers might be behind a
NAT/Masqueraded firewall for example and not reachable from the public net.
So the Gateway will be a proxy VNC server at a well-known IP.
This is the diagram:
Arbitrary VNC Server <=== SSH ====> Gateway <----public net -->Arbitrary VNC
(localhost:5880/5980) 22/ssh 22/ssh (5980/5880) (using
If I had another person who wanted to serve I would have him use SSH
to the gateway and open, say, 5990/5890. His counterpart viewer would
>I'm not sure I follow you here. Just using SSL on the https port will not
>encrypt the VNC traffic from the Java viewer to the gateway, just the
>delivery of the applet.
Duh = Brain lock :-)
I'm still trying to think of a dead simple way to get an encrypted screen
using a browser. The VNC position of building on, not building in,
while elegant technically, is working against me for "new user comfort
on a shoestring budget (man-hours and $$$).
The viewers have to "install" the security if it is not in the
So I kind of glommed on to SSL before realizing (in the morning!) that the
nothing to do with the browser connection ;-(
So far I'm thinking it's one of:
(1) Don't worry about encryption; nobody will bother
(2) Put the MindTerm SSH application on the gateway and have viewers connect
via ssh applet using a guest account (:-() then connect to the VNC server if
they are concerned about encryption. (License issues?)
(3) I suppose I could hack the applet but that's not in the guerrilla budget
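The server-side leg of the diagram above, as an added example that is not part of the original post: the VNC server opens its display on the gateway with an SSH reverse forward (-R), so the gateway listens on 5980/5880 and hands connections back through the tunnel. The gateway hostname, the tunnel account and the local VNC ports 5900/5800 are assumptions; the gotcha the check covers is that sshd binds -R listeners to loopback unless GatewayPorts is enabled, which leaves viewers refused even though iptables accepts the port.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumed names: gateway host, tunnel account, local VNC display :0 (5900)
# and its HTTP/applet port (5800).

# Compose the ssh command the VNC server runs. Each -R makes sshd on the
# gateway listen on the given port and forward connections back through the
# tunnel to the server's local VNC ports. The 0.0.0.0 bind address is what
# lets external viewers (not only the gateway's localhost) reach the port.
# Only the server<->gateway leg is encrypted; viewer<->gateway is plain RFB.
reverse_tunnel_cmd() {
    gateway="$1"; user="$2"; rfb_port="$3"; http_port="$4"
    printf 'ssh -N -R 0.0.0.0:%s:localhost:5900 -R 0.0.0.0:%s:localhost:5800 %s@%s' \
        "$rfb_port" "$http_port" "$user" "$gateway"
}

# Check the gateway's sshd_config: without "GatewayPorts yes" (or
# "clientspecified") sshd ignores the 0.0.0.0 bind and listens on 127.0.0.1,
# so viewers on the public net get connection refused.
gatewayports_allowed() {
    grep -Eiq '^[[:space:]]*GatewayPorts[[:space:]]+(yes|clientspecified)' "$1"
}

# One ACCEPT rule per forwarded port on the post's tcpin chain; nothing
# else on the gateway needs to be opened for the tunnel itself (22 aside).
iptables_rule() {
    printf '/sbin/iptables -A tcpin -p tcp --dport %s -j ACCEPT' "$1"
}
```

Run reverse_tunnel_cmd on the server with a second person's ports (for example 5990/5890) to add another served display without touching anything but the two matching iptables rules.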