Firewall piercing (solved)

Renato Salles rsalles@rsnetservices.com.br
Fri Jul 4 15:33:12 2003



OK, here we go...
First, we're using RedHat 9.0 here, so, if you're using Slack or something 
different, adapt it to your distro.
I inserted at the very beginning of the /etc/rc.d/init.d/iptables file 
the following vars:
VNC_PORTS="5900:5999"
IPT="/sbin/iptables"
INET_IFACE="eth1"
# This is the Internet interface, the outside one of the firewall

Insert one more related to Java connections through the browser if you use 
it. The ports are 5800:5899. Restrict the number of ports if you want.
Later, near the end, before your POSTROUTING chain (here, it was something 
like: "$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE").
So, before this ruleset add the following:
##############
# Rewrite the destination of incoming VNC traffic to the internal host.
# With no port given in --to-destination, iptables keeps the original
# destination port, so the whole range is forwarded 1:1.
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port \
	$VNC_PORTS -j DNAT --to-destination 192.168.0.1
# Let the rewritten packets through the FORWARD chain to that host.
$IPT -A FORWARD -p tcp -i $INET_IFACE -d 192.168.0.1 --destination-port \
	$VNC_PORTS -j ACCEPT
##############

Replace the reserved IP 192.168.0.1 with the IP of the machine that you want 
to permit to receive the VNC connection.

That's all, good luck.
Renato Salles

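As an added example (not part of the original post), the same forwarding written as a shell function that builds the DNAT and FORWARD rules for any port range and internal host, and optionally limits which remote address may connect; the function name, the print-only default and the source restriction are this example's own additions, not something from the post:

```shell
#!/bin/sh
# Added example, not the original poster's script. IPT defaults to
# "echo /sbin/iptables" so the rules are printed for review; run as root with
# IPT=/sbin/iptables to apply them for real.
IPT="${IPT:-echo /sbin/iptables}"

# vnc_forward_rules IFACE INTERNAL_IP PORT_RANGE [ALLOWED_SRC]
#   IFACE        outside interface of the firewall, e.g. eth1
#   INTERNAL_IP  reserved address that should receive the VNC connection
#   PORT_RANGE   iptables range such as 5900:5999 (or a single port)
#   ALLOWED_SRC  optional address or CIDR allowed to connect (default: any)
vnc_forward_rules() {
    iface="$1"; host="$2"; ports="$3"; src="$4"

    # Validate the range: digits and at most one colon, nothing dangling.
    case "$ports" in
        ''|*[!0-9:]*|*:*:*|:*|*:) echo "bad port range: $ports" >&2; return 1;;
    esac
    lo="${ports%%:*}"; hi="${ports##*:}"
    if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo "bad port range: $ports" >&2; return 1
    fi
    # Only add a source match when a restriction was given.
    srcopt=""; [ -n "$src" ] && srcopt="-s $src"

    # Rewrite the destination address; with no port in --to-destination the
    # original destination port is kept, so the whole range maps 1:1.
    $IPT -t nat -A PREROUTING -i "$iface" -p tcp $srcopt \
        --dport "$ports" -j DNAT --to-destination "$host"
    # Let the rewritten packets through to the internal host ...
    $IPT -A FORWARD -i "$iface" -p tcp $srcopt -d "$host" \
        --dport "$ports" -m state --state NEW,ESTABLISHED -j ACCEPT
    # ... and let the replies back out, which a default-DROP FORWARD chain
    # would otherwise block.
    $IPT -A FORWARD -o "$iface" -p tcp -s "$host" --sport "$ports" \
        -m state --state ESTABLISHED -j ACCEPT
}

# Usage: vnc_forward_rules eth1 192.168.0.1 5900:5999 203.0.113.0/24
```

Limiting ALLOWED_SRC to the address you actually connect from keeps the VNC range from being reachable by the whole Internet.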
On Thu, 3 Jul 2003, Jerry McBride wrote:

> Yes, please post your discovery.
> 
> On Thu, 03 Jul 2003 17:32:46 -0300 (BRT) Renato Salles
> <rsalles@rsnetservices.com.br> wrote:
> 
> > 
> > Yesterday I posted a message asking for some examples about iptables 
> > firewall rulesets to permit VNC connections from the Internet toward a 
> > reserved (internal) address.
> > It's solved, and if anyone is interested in these rules, just 
> > drop me a line through this list.
> > 
> > RSalles 
> > _______________________________________________
> > VNC-List mailing list
> > VNC-List@realvnc.com
> > To remove yourself from the list visit:
> > http://www.realvnc.com/mailman/listinfo/vnc-list
> 