* Access VNC Server via DNAT
@ 2003-09-20 13:56 Joel Pearson
From: Joel Pearson @ 2003-09-20 13:56 UTC (permalink / raw)
To: netfilter
Hey,
I have a vnc server that is on my local lan at home that I'd like to be able
to access from the internet via my internet gateway linux box. I've read a
little bit about it but I can't get my gateway to forward to ports, I've
tried this:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5904 -s 192.168.0.2 -j DNAT --to 192.168.0.25:5904
But it says it can't connect to the server. At the moment I'm just trying to
get the port forwarding to work on my local lan, but it doesn't seem to be
working. I've read of people having this working using a somewhat similar
iptables command, is there some module I'm supposed to load to make this
happen? My server is running RedHat 8 with iptables v1.2.6a
Does anyone know why this isn't working?
Thanks
Joel
* Re: Access VNC Server via DNAT
From: Venkatesh. K @ 2003-09-22 8:02 UTC (permalink / raw)
To: Joel Pearson; +Cc: netfilter
----- Original Message -----
From: "Joel Pearson" <pearj@writeme.com>
To: <netfilter@lists.netfilter.org>
Sent: Saturday, September 20, 2003 7:26 PM
Subject: Access VNC Server via DNAT
> Hey,
>
> I have a vnc server that is on my local lan at home that I'd like to be able
> to access from the internet via my internet gateway linux box. I've read a
> little bit about it but I can't get my gateway to forward to ports, I've
> tried this:
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5904 -s 192.168.0.2 -j DNAT --to 192.168.0.25:5904
If your internet interface is eth0, you need to do
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5904 -j DNAT --to-destination 192.168.0.25
Please note the above rule will allow you to connect only from the internet.
> But it says it can't connect to the server. At the moment I'm just trying to
> get the port forwarding to work on my local lan, but it doesn't seem to be
> working. I've read of people having this working using a somewhat similar
> iptables command, is there some module I'm supposed to load to make this
> happen? My server is running RedHat 8 with iptables v1.2.6a
>
> Does anyone know why this isn't working?
>
> Thanks
>
> Joel
Venkatesh K
* Re: Access VNC Server via DNAT
From: Joel Pearson @ 2003-09-22 12:06 UTC (permalink / raw)
To: netfilter
Hey,
Thanks for your help, I managed to get it working in the end, one of my
problems as you said was that the rule only worked from the internet (when I
was testing at home), and I somehow managed to screw my firewall rules so
that when I tried the DNAT thing at work and tried to access from home it
was dropping packets.
Restarted iptables then everything was happy, so I don't really know how
long it was actually working for, but it's working now so I'm happy :-)
Thanks
Joel
"Venkatesh. K" <venkatesh@cbayscribe.com> wrote in message
news:012d01c380e0$0b35f120$2800a8c0@karu...
> ----- Original Message -----
> From: "Joel Pearson" <pearj@writeme.com>
> To: <netfilter@lists.netfilter.org>
> Sent: Saturday, September 20, 2003 7:26 PM
> Subject: Access VNC Server via DNAT
>
> > Hey,
> >
> > I have a vnc server that is on my local lan at home that I'd like to be able
> > to access from the internet via my internet gateway linux box. I've read a
> > little bit about it but I can't get my gateway to forward to ports, I've
> > tried this:
> > iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5904 -s 192.168.0.2 -j DNAT --to 192.168.0.25:5904
>
> If your internet interface is eth0, you need to do
> /sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5904 -j DNAT --to-destination 192.168.0.25
>
> Please note the above rule will allow you to connect only from the internet.
>
> > But it says it can't connect to the server. At the moment I'm just trying to
> > get the port forwarding to work on my local lan, but it doesn't seem to be
> > working. I've read of people having this working using a somewhat similar
> > iptables command, is there some module I'm supposed to load to make this
> > happen? My server is running RedHat 8 with iptables v1.2.6a
> >
> > Does anyone know why this isn't working?
> >
> > Thanks
> >
> > Joel
>
> Venkatesh K
* RE: Access VNC Server via DNAT
From: Mark E. Donaldson @ 2003-09-23 1:28 UTC (permalink / raw)
To: Joel Pearson, netfilter
Other than connection tracking, if you are using stateful, there are not any
special modules needed. I will also add, allowing VNC to penetrate the
firewall is not the best of ideas, but very possible to do it securely if
you are smart and crafty about it. Here are a couple of thoughts which
should help you. First, confirm what port your VNC server is listening on.
The VNC port range is: VNC_PORTS="5900:5910". So, take a look at this.
Having said that, it will also take a minimum of two rules to penetrate the
firewall. 1) DNAT the correct listening port through to the correct server as
you have done with:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 59xx -s 192.168.0.2 -j DNAT --to 192.168.0.25:59xx
That's only half of it. You must then accept the packet once it has been
DNATTED, such as:
$IPT -t filter -A FORWARD -i $FW_INET_IFACE -p tcp --destination-port $VNC_PORTS -m state --state NEW -j LOG --log-prefix "ACCEPT INBOUND VNC: "
$IPT -t filter -A FORWARD -i $FW_INET_IFACE -p tcp --destination-port $VNC_PORTS -m state --state NEW -j ACCEPT
$IPT -t filter -A FORWARD -o $FW_INET_IFACE -p tcp --destination-port $VNC_PORTS -m state --state NEW -j LOG --log-prefix "ACCEPT OUTBOUND VNC: "
$IPT -t filter -A FORWARD -o $FW_INET_IFACE -p tcp --destination-port $VNC_PORTS -m state --state NEW -j ACCEPT
Additionally, if you are using connection tracking, you must ACCEPT as
ESTABLISHED and RELATED as well. Hope this helps.
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org]On Behalf Of Joel Pearson
Sent: Saturday, September 20, 2003 6:57 AM
To: netfilter@lists.netfilter.org
Subject: Access VNC Server via DNAT
Hey,
I have a vnc server that is on my local lan at home that I'd like to be able
to access from the internet via my internet gateway linux box. I've read a
little bit about it but I can't get my gateway to forward to ports, I've
tried this:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 5904 -s 192.168.0.2 -j DNAT --to 192.168.0.25:5904
But it says it can't connect to the server. At the moment I'm just trying to
get the port forwarding to work on my local lan, but it doesn't seem to be
working. I've read of people having this working using a somewhat similar
iptables command, is there some module I'm supposed to load to make this
happen? My server is running RedHat 8 with iptables v1.2.6a
Does anyone know why this isn't working?
Thanks
Joel
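The two halves described in the replies above (the PREROUTING DNAT that Venkatesh corrects and the FORWARD accept plus ESTABLISHED,RELATED that Mark adds), collected into one script as an added example that is not from the thread. It assumes eth0 is the internet interface and 192.168.0.25 the VNC host, as in the thread, and uses a constructed remote client address 203.0.113.10; by default it prints the rules instead of applying them, so set IPT to the real iptables path to load them.

```shell
#!/bin/sh
# Added example (not from the thread): complete rule set for forwarding
# one VNC display (TCP 5904) through a Linux gateway with connection tracking.
# IPT defaults to a dry run that prints the commands; IPT=/sbin/iptables applies them.
IPT="${IPT:-echo iptables}"
FW_INET_IFACE="${FW_INET_IFACE:-eth0}"          # internet-facing interface
VNC_HOST="${VNC_HOST:-192.168.0.25}"            # VNC server on the LAN
VNC_PORT="${VNC_PORT:-5904}"                    # display :4
ALLOWED_SRC="${ALLOWED_SRC:-203.0.113.10}"      # constructed remote client address

vnc_forward_rules() {
    # 1) nat/PREROUTING: rewrite the destination of packets arriving on the
    #    internet interface. -s limits this to one known remote client; a LAN
    #    address here (as in the original post) never matches on eth0, and
    #    connections from the LAN itself do not arrive on eth0 at all.
    $IPT -t nat -A PREROUTING -i "$FW_INET_IFACE" -p tcp --dport "$VNC_PORT" \
        -s "$ALLOWED_SRC" -j DNAT --to-destination "$VNC_HOST:$VNC_PORT"
    # 2) filter/FORWARD: replies and related traffic of any accepted flow.
    $IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3) filter/FORWARD: log, then accept only NEW connections to the VNC
    #    host and port (the packet already carries the DNATed destination).
    $IPT -t filter -A FORWARD -i "$FW_INET_IFACE" -p tcp -d "$VNC_HOST" \
        --dport "$VNC_PORT" -m state --state NEW \
        -j LOG --log-prefix "ACCEPT INBOUND VNC: "
    $IPT -t filter -A FORWARD -i "$FW_INET_IFACE" -p tcp -d "$VNC_HOST" \
        --dport "$VNC_PORT" -m state --state NEW -j ACCEPT
}

# Number of rules the function emits, computed from a dry run.
vnc_rule_count() {
    ( IPT="echo iptables"; vnc_forward_rules ) | grep -c '^iptables '
}

vnc_forward_rules
```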