VNC to Windows Machine Through IPTables?

Posted on 2004-11-22
Last Modified: 2012-06-21
I have a Linux machine with IPTables running as a multi-homed NAT/firewall. On the local side of this, there is a Windows box which I need to give access to a development team in India.

I am currently forwarding port 5900 and port 22 to this Windows machine. However, connections are being refused by the TightVNC server.

Is there a special way in which I need to configure the TightVNC Viewer, the TightVNC server, or the iptables NAT/firewall in order to make this connection happen?

Basically, I need to connect from Windows to a remote Windows machine, with Linux in between.

Any help would be greatly appreciated. This is a time critical operation.
Question by: inkfreq
    LVL 95

    Expert Comment

    by: Lee W, MVP
    How do I use VNC through my firewall? [read NAT as well]
    Many organisations operate firewalls to reduce the risk of intrusion by malicious attackers via the Internet. These firewalls typically operate by only allowing connections in to machines in that organisation on specific ports. Which ports are permitted access depends upon the network protocol that uses the port and the degree of security it provides. VNC servers can accept incoming connections through firewalls in two main ways. Although the first is usually the simplest to arrange, we recommend using the SSH tunnelling method wherever VNC is to be used over an untrusted network such as the Internet.

        * Opening Ports - The simplest way to allow VNC connections in through your firewall is to configure your firewalling software to allow connections to the VNC ports. If N is the display number of a particular VNC server then it will accept connections on port 5900+N. Configuring your firewall to allow connections to this port will allow VNC to work. If you wish to use the in-built web server and Java VNC Viewer then you will also need to allow connections to port 5800+N. Unfortunately, because VNC traffic is not encrypted, this approach weakens the security provided by your firewall, and so is not advisable.
        * Secure Tunnelling - Most organisations that operate firewalls allow connections to a number of standard ports, that are in principle used only by secure or harmless protocols. While VNC in its present incarnation is not suitably secure for this to be advisable, it can be "tunnelled" through a secure protocol layer to achieve the same effect. The Secure Shell (SSH) protocol is one example of such a wrapper, and is one which most firewalls allow access through. The Secure Shell client is run on the VNC client computer and is made to forward connections to a particular port on that machine to a port on the VNC server machine. The forwarded connection is encrypted by the SSH software, which can provide both encryption and authentication. For more details on how to do this, see here.

    Author Comment

    Given that I already explained that my port forwarding approach was failing, and that this reply contains a line which says "For more details on how to do this, see here." but no link at all...  I really don't see how this information was at all helpful, I'm sorry.

    I need to figure out why I cannot connect to a TightVNC server from a TightVNC viewer through an iptables firewall. This seemed to be more of an explanation of what firewalls are and why they work the way they do, rather than a starting place for figuring out the connection problem.
    LVL 9

    Accepted Solution

    Hi :-)

    Are you able to connect via the local network to that VNC server?
    If this is only one machine, find out what your IP address is in 'ipconfig' and try to telnet your machine on port 5900:

    telnet a.b.c.d 5900
    (replace a.b.c.d with your IP address).

    If you get 'connect failed', then your VNC server isn't running on port 5900.
    If you get something like this

    RFB 003.006

    Then your VNC is properly configured and it's probably a NAT/Firewall problem.
    Your next step would be to check your iptables configuration.

    If you use the REJECT target in your iptables configuration, then I would try issuing
    iptables -F
    (that clears the access control list, but leaves NAT active)
    If you are able to connect afterwards, then this is an access control issue. If you still aren't, then check your 'iptables -t nat' rules.
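The checks in this answer, together with the SSH tunnelling the earlier expert comment recommends, as an added shell example that is not part of the original thread. It assumes sshd runs on the Linux gateway itself; the interface names, the 192.168.1.50 host and the dev@gateway.example login are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread). eth0/eth1, 192.168.1.50
# and dev@gateway.example are constructed placeholders.

# Step 1: what the telnet test should print. A VNC server greets a new
# connection with an RFB protocol version line such as "RFB 003.006".
# Returns 0 when the line looks like one, 1 otherwise ("connect failed"
# or an empty line means nothing is listening on that port).
rfb_banner_ok() {
    case "$1" in
        RFB\ [0-9][0-9][0-9].[0-9][0-9][0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# VNC display N listens on TCP 5900+N (the Java web viewer on 5800+N).
vnc_port() { echo $((5900 + $1)); }

# Step 2: the rules a NAT gateway needs for one forwarded VNC display.
# "iptables -F" flushes only the filter table, so if the viewer connects
# after the flush, the PREROUTING DNAT (rule 1) was fine and it was the
# FORWARD chain (rules 2 and 3) that rejected the forwarded packets.
# Arguments: WAN interface, LAN interface, internal host, display number.
vnc_forward_rules() {
    port=$(vnc_port "$4")
    cat <<EOF
iptables -t nat -A PREROUTING -i $1 -p tcp --dport $port -j DNAT --to-destination $3:$port
iptables -A FORWARD -i $1 -o $2 -p tcp -d $3 --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $2 -o $1 -p tcp -s $3 --sport $port -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Alternative from the expert comment: leave 5900 closed on the WAN side
# and carry the session inside SSH to the gateway. The viewer then
# connects to localhost:<local display> and SSH forwards it, encrypted,
# to the Windows box on the LAN.
# Arguments: user@gateway, internal VNC host, remote display, local display.
vnc_ssh_tunnel() {
    echo "ssh -L $(vnc_port "$4"):$2:$(vnc_port "$3") $1"
}
```

Run the telnet test on the LAN first; only once `rfb_banner_ok` would accept what the server prints is it worth looking at the gateway's rules.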



    Author Comment

    While this answer didn't quite cover what I needed to know, it did give me some very solid jumping points to getting the problem fixed. Thanks.
