

VNC to Windows Machine Through IPTables?

Posted on 2004-11-22
Medium Priority
Last Modified: 2012-06-21
I have a Linux machine with IPTables running as a multi-home NAT/Firewall. On the local side of this, there is a Windows box which I need to give a development team in India access to.

I am currently forwarding port 5900 and port 22 to this Windows machine. However, connections are being refused by the TightVNC server.

Is there a special way in which I need to configure the TightVNC Viewer, the TightVNC server, or the iptables NAT/Firewall in order to make this connection happen?

Basically, I need to connect from Windows to Remote Windows, with Linux in between.

Any help would be greatly appreciated. This is a time critical operation.
Question by:inkfreq
LVL 97

Expert Comment

by:Lee W, MVP
ID: 12649558
How do I use VNC through my firewall? [read NAT as well]
Many organisations operate firewalls to reduce the risk of intrusion by malicious attackers via the Internet. These firewalls typically operate by only allowing connections in to machines in that organisation on specific ports. Which ports are permitted access depends upon the network protocol that uses the port and the degree of security it provides. VNC servers can accept incoming connections through firewalls in two main ways. Although the first is usually the simplest to arrange, we recommend using the SSH tunnelling method wherever VNC is to be used over an untrusted network such as the Internet.

    * Opening Ports - The simplest way to allow VNC connections in through your firewall is to configure your firewalling software to allow connections to the VNC ports. If N is the display number of a particular VNC server then it will accept connections on port 5900+N. Configuring your firewall to allow connections to this port will allow VNC to work. If you wish to use the in-built web server and Java VNC Viewer then you will also need to allow connections to port 5800+N. Unfortunately, because VNC traffic is not encrypted, this approach weakens the security provided by your firewall, and so is not advisable.
    * Secure Tunnelling - Most organisations that operate firewalls allow connections to a number of standard ports, that are in principle used only by secure or harmless protocols. While VNC in its present incarnation is not suitably secure for this to be advisable, it can be "tunnelled" through a secure protocol layer to achieve the same effect. The Secure Shell (SSH) protocol is one example of such a wrapper, and is one which most firewalls allow access through. The Secure Shell client is run on the VNC client computer and is made to forward connections to a particular port on that machine to a port on the VNC server machine. The forwarded connection is encrypted by the SSH software, which can provide both encryption and authentication. For more details on how to do this, see here.

Author Comment

ID: 12650000
Given that I already explained that my port forwarding approach was failing, and that this reply contains a line which says "For more details on how to do this, see here." but no link at all... I really don't see how this information was at all helpful, I'm sorry.

I need to figure out why I cannot connect to a TightVNC server from a TightVNC viewer through an iptables firewall. This seemed to be more of an explanation of what firewalls are and why they work the way they do, rather than a starting place for figuring out the connection problem.

Accepted Solution

e-tsik earned 1500 total points
ID: 12651913
Hi :-)

Are you able to connect via the local network to that VNC server?
If this is only one machine, find out what your IP address is in 'ipconfig' and try to telnet your machine on port 5900:

telnet a.b.c.d 5900
(replace a.b.c.d with your IP address).

If you get 'connect failed', then your VNC server isn't running on port 5900.
If you get something like this

RFB 003.006

Then your VNC is properly configured and it's probably a NAT/Firewall problem.
Your next step would be to check your iptables configuration.

If you use the REJECT target in your iptables configuration, then I would try issuing
iptables -F
(that clears the access control list, but leaves NAT active)
If you are able to connect afterwards, then this is an access control issue. If you still aren't, then check your 'iptables -t nat' rules.
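
A read-only way to make the last check without flushing the running ruleset, added here as an example and not part of the answer above: the function pairs every DNAT target in the nat table with the FORWARD rules in the filter table and flags forwards that have no matching ACCEPT. The sample ruleset, the address 192.168.1.10 and the interface eth0 are constructed; the function names are hypothetical.

```shell
# Constructed sample in iptables-save format (addresses and interface are made up).
sample_ruleset() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.1.10:5900
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.1.10:22
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# For every DNAT target in nat/PREROUTING, report whether filter/FORWARD
# has an ACCEPT rule for the same destination host and port.
# Simplified: exact -d host and single --dport only; rule order is ignored.
check_dnat_forward() {
  awk '
    /^\*/ { table = substr($0, 2); next }
    table == "filter" && $1 == ":FORWARD" { policy = $2 }
    table == "filter" && /^-A FORWARD -j (REJECT|DROP)/ { catchall = 1 }
    table == "nat" && $2 == "PREROUTING" && /-j DNAT/ {
      for (i = 1; i < NF; i++)
        if ($i == "--to-destination") dnat[++n] = $(i + 1)
    }
    table == "filter" && $2 == "FORWARD" && /-j ACCEPT/ {
      d = ""; p = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-d") { d = $(i + 1); sub(/\/32$/, "", d) }
        if ($i == "--dport") p = $(i + 1)
      }
      if (d != "" && p != "") allowed[d ":" p] = 1
    }
    END {
      for (k = 1; k <= n; k++) {
        if (dnat[k] in allowed) verdict = "OK"
        else if (policy == "ACCEPT" && !catchall) verdict = "OK-BY-POLICY"
        else verdict = "BLOCKED"
        print verdict, dnat[k]
      }
    }
  '
}

sample_ruleset | check_dnat_forward
```

On the firewall itself, run `iptables-save | check_dnat_forward` as root; in the sample, port 22 is accepted while the 5900 forward is translated by NAT and then falls through to the REJECT rule.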



Author Comment

ID: 12757845
While this answer didn't quite cover what I needed to know, it did give me some very solid jumping points to getting the problem fixed. Thanks.
