Firewall piercing (solved)

Renato Salles rsalles@rsnetservices.com.br
Mon Jul 7 04:37:00 2003



Hetal,

I already sent the settings for the firewall piercing to the
list; please check my previous message sent to Mr. Jerry McBride.
And yes, you must know the firewall settings at your server, and yes, it's
better if you yourself are the admin of this server or have an agreement
with him, if it is not the case that you are the network manager.
Just in case you skipped the message I'm writing about:
<message_begin>
From rsalles@rsnetservices.com.br Mon Jul  7 00:32:20 2003
Date: Fri, 4 Jul 2003 11:30:09 -0300 (BRT)
From: Renato Salles <rsalles@rsnetservices.com.br>
To: Jerry McBride <mcbrides9@comcast.net>
Cc: vnc-list@realvnc.com
Subject: Re: Firewall piercing (solved)

OK, here we go...
First, we're using RedHat 9.0 here, so if you're using Slack or something
different, adapt it to your distro.
I inserted at the very beginning of the /etc/rc.d/init.d/iptables file
the following vars:
VNC_PORTS="5900:5999"
IPT="/sbin/iptables"
INET_IFACE="eth1"
# This is the Internet interface, the outside one of the firewall

Insert one more related to Java connections through the browser if you use
it. The ports are 5800:5899. Restrict the number of ports if you want.
Later, near the end, before your POSTROUTING chain (here it was something
like: "$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE").
So, before this ruleset add the following:
##############
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port \
	$VNC_PORTS -j DNAT --to-destination 192.168.0.1
# DNAT keeps the original port; -d takes no port, so match it with --destination-port and ACCEPT
$IPT -A FORWARD -p tcp -i $INET_IFACE -d 192.168.0.1 \
	--destination-port $VNC_PORTS -j ACCEPT
##############

Replace the reserved IP 192.168.0.1 by the IP of the machine that you want
to permit to receive the VNC connection.

That's all, good luck.
Renato Salles

On Thu, 3 Jul 2003, Jerry McBride wrote:

> Yes, please post your discovery.
>
> On Thu, 03 Jul 2003 17:32:46 -0300 (BRT) Renato Salles
> <rsalles@rsnetservices.com.br> wrote:
(deleted pgp stuff and maillist info)
<message_end>

On Sun, 6 Jul 2003, Hetal Patel wrote:

> Yes I am interested too! You would have to know the firewall settings of the intranet ... right?
> 
> Jerry McBride <mcbrides9@comcast.net> wrote:
> Yes, please post your discovery.
> 
> On Thu, 03 Jul 2003 17:32:46 -0300 (BRT) Renato Salles
> wrote:
> 
> > Yesterday I posted a message asking for some examples of iptables 
> > firewall rulesets to permit VNC connections from the Internet toward a 
> > reserved (internal) address.
> > It's solved, and if anyone has interest in these rules, just 
> > drop me a line through this list.
> > 
> > RSalles 
> > _______________________________________________
> > VNC-List mailing list
> > VNC-List@realvnc.com
> > To remove yourself from the list visit:
> > http://www.realvnc.com/mailman/listinfo/vnc-list
> 
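The DNAT/FORWARD pair from the quoted message, as an added example that is not part of the original posting: a small POSIX shell function that emits the rules with the port-range syntax each table accepts (--dport wants lo:hi, DNAT --to-destination wants ip:lo-hi), adds the ACCEPT target and the return-traffic rule the posted rule lacks, and lets the permitted sender network be narrowed instead of exposing the range to the whole Internet. The function name vnc_forward_rules, its arguments and the IPT variable are assumptions, not names from the posting.

```shell
#!/bin/sh
# Added example (not from the original posting). Emits the iptables
# commands for publishing an internal VNC host through a NAT box; pipe
# the output into sh on the firewall, or read it to review the rules.
# Hypothetical names: vnc_forward_rules, IPT.

# vnc_forward_rules IFACE LAN_HOST PORTS [ALLOWED_SRC]
#   IFACE        outside interface (eth1 in the posting)
#   LAN_HOST     internal address receiving the connections (192.168.0.1)
#   PORTS        port or range in match syntax, e.g. 5900:5999
#   ALLOWED_SRC  optional source CIDR; restricts who may reach the service
vnc_forward_rules() {
    iface=$1; host=$2; ports=$3; src=${4:-0.0.0.0/0}
    ipt=${IPT:-/sbin/iptables}

    # Reject anything that is not "port" or "lo:hi" made of digits.
    case "$ports" in
        *[!0-9:]*|*:*:*|:*|*:|'') echo "bad port range: $ports" >&2; return 1 ;;
    esac
    # --dport takes lo:hi, but DNAT --to-destination takes ip:lo-hi.
    dnat_ports=$(printf '%s' "$ports" | tr ':' '-')

    # Rewrite the destination of inbound VNC traffic to the internal host.
    printf '%s -t nat -A PREROUTING -i %s -s %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$ipt" "$iface" "$src" "$ports" "$host" "$dnat_ports"
    # After DNAT the FORWARD chain sees the internal address; -d takes no
    # port, so the port is matched with --dport, and a target is needed.
    printf '%s -A FORWARD -i %s -s %s -p tcp -d %s --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' \
        "$ipt" "$iface" "$src" "$host" "$ports"
    # Replies from the internal host back out to the client.
    printf '%s -A FORWARD -o %s -p tcp -s %s --sport %s -m state --state ESTABLISHED -j ACCEPT\n' \
        "$ipt" "$iface" "$host" "$ports"
}
```

Calling it twice, once with 5900:5999 and once with 5800:5899, reproduces the VNC and Java-viewer ranges the posting describes.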