VNC to Windows Machine Through IPTables?

I have a Linux machine with iptables running as a multi-homed NAT/firewall. On the local side of this, there is a Windows box which I need to give access to a development team in India.

I am currently forwarding port 5900 and port 22 to this Windows machine. However, connections are being refused by the TightVNC server.

Is there a special way in which I need to configure the TightVNC Viewer, the TightVNC server, or the iptables NAT/firewall in order to make this connection happen?

Basically, I need to connect from Windows to remote Windows, with Linux in between.

Any help would be greatly appreciated. This is a time critical operation.
Lee W, MVP (Technology and Business Process Advisor) commented:
How do I use VNC through my firewall? [read NAT as well]
Many organisations operate firewalls to reduce the risk of intrusion by malicious attackers via the Internet. These firewalls typically operate by only allowing connections in to machines in that organisation on specific ports. Which ports are permitted access depends upon the network protocol that uses the port and the degree of security it provides. VNC servers can accept incoming connections through firewalls in two main ways. Although the first is usually the simplest to arrange, we recommend using the SSH tunnelling method wherever VNC is to be used over an untrusted network such as the Internet.

    * Opening Ports - The simplest way to allow VNC connections in through your firewall is to configure your firewalling software to allow connections to the VNC ports. If N is the display number of a particular VNC server then it will accept connections on port 5900+N. Configuring your firewall to allow connections to this port will allow VNC to work. If you wish to use the in-built web server and Java VNC Viewer then you will also need to allow connections to port 5800+N. Unfortunately, because VNC traffic is not encrypted, this approach weakens the security provided by your firewall, and so is not advisable.
    * Secure Tunnelling - Most organisations that operate firewalls allow connections to a number of standard ports, that are in principle used only by secure or harmless protocols. While VNC in its present incarnation is not suitably secure for this to be advisable, it can be "tunnelled" through a secure protocol layer to achieve the same effect. The Secure Shell (SSH) protocol is one example of such a wrapper, and is one which most firewalls allow access through. The Secure Shell client is run on the VNC client computer and is made to forward connections to a particular port on that machine to a port on the VNC server machine. The forwarded connection is encrypted by the SSH software, which can provide both encryption and authentication. For more details on how to do this, see here.
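The "Secure Tunnelling" option above as a concrete command, added here as an example rather than text from the answer: a POSIX shell script that builds the `ssh -L` forward for VNC display N through the gateway, so only TCP/22 has to be open on the iptables box and the viewer talks to the tunnel's local end. The user `dev`, the gateway `gw.example.com` and the LAN address `192.168.1.50` are assumptions.

```shell
#!/bin/sh
# Added example, not text from the answer above: open the SSH tunnel that the
# "Secure Tunnelling" option describes. Only TCP/22 then needs to be open on
# the firewall; the VNC viewer talks to the tunnel's local end. User, gateway
# and LAN address below are illustrative assumptions.

# An RFB server for display N listens on 5900+N (5800+N for the Java viewer).
vnc_port() { echo $((5900 + $1)); }

# Forward spec in ssh -L form "bind:localport:target:targetport". Binding the
# local end to 127.0.0.1 keeps the unencrypted hop confined to the viewer host.
tunnel_spec() {     # tunnel_spec DISPLAY TARGET_HOST
    p=$(vnc_port "$1")
    echo "127.0.0.1:$p:$2:$p"
}

# vnc_tunnel DISPLAY USER@GATEWAY TARGET_HOST
# -N: no remote shell, just the forward. ExitOnForwardFailure makes ssh exit
# instead of silently carrying on when the local port is already taken.
# Set DRY_RUN=1 to print the command instead of running it.
vnc_tunnel() {
    spec=$(tunnel_spec "$1" "$3")
    set -- ssh -N -o ExitOnForwardFailure=yes -L "$spec" "$2"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Example: tunnel display 0 of the Windows box (192.168.1.50 on the firewall's
# LAN side) through the gateway, then point the viewer at 127.0.0.1:0.
# vnc_tunnel 0 dev@gw.example.com 192.168.1.50
```

With the tunnel up, the viewer connects to `127.0.0.1:0` (display 0, i.e. port 5900) and sshd on the gateway makes the second hop to the Windows box on the LAN, so the TightVNC server sees the connection arriving from the gateway's LAN address. On a Windows viewer machine, PuTTY's `plink` accepts the same `-L` forward spec.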
inkfreq (Author) commented:
Given that I already explained that my port forwarding approach was failing, and that this reply contains a line which says "For more details on how to do this, see here." but no link at all... I really don't see how this information was at all helpful, I'm sorry.

I need to figure out why I cannot connect to a TightVNC server from a TightVNC viewer through an iptables firewall. This seemed to be more of an explanation of what firewalls are and why they work the way they do, rather than a starting place for figuring out the connection problem.
Hi :-)

Are you able to connect via the local network to that VNC server?
If this is only one machine, find out what your IP address is in 'ipconfig' and try to telnet your machine on port 5900:

telnet a.b.c.d 5900
(replace a.b.c.d with your IP address).

If you get 'connect failed', then your VNC server isn't running on port 5900.
If you get something like this

RFB 003.006

Then your VNC is properly configured and it's probably a NAT/Firewall problem.
Your next step would be to check your iptables configuration.

If you use the REJECT target in your iptables configuration, then I would try issuing
iptables -F
(that clears the access control list, but leaves NAT active)
If you are able to connect afterwards, then this is an access control issue. If you still aren't, then check your 'iptables -t nat' rules.
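The checks in the reply above, scripted, as an added example that is not part of the original answer: probe the VNC port and tell a refused connection apart from a live RFB banner, dump both the filter and nat tables, and print the rule set a working port forward needs. It assumes bash (for its `/dev/tcp` redirections) and the coreutils `timeout` command; interface names and addresses are placeholders.

```shell
#!/bin/bash
# Added example, not part of the original thread. Scripts the diagnosis from the
# reply above: probe the VNC port, classify what answered, and print the NAT
# rules a port forward needs. Assumes bash (/dev/tcp redirections) and the
# coreutils `timeout` command; interface names and addresses are placeholders.

# Every RFB server, TightVNC included, sends "RFB xxx.yyy\n" the moment a client
# connects, so the first 12 bytes tell you whether VNC is what answered.
classify_banner() {
    case "$1" in
        "RFB "[0-9][0-9][0-9].[0-9][0-9][0-9]*) echo "vnc" ;;
        "")                                     echo "silent" ;;
        *)                                      echo "not-vnc" ;;
    esac
}

# probe_vnc HOST [PORT] prints one line:
#   refused          TCP RST or ICMP unreachable came back: nothing listening,
#                    a REJECT rule, or a DNAT pointing at the wrong host/port
#   unreachable      connect failed some other way (DROP rules show up here,
#                    after the kernel's connect timeout, not as "refused")
#   silent           connected but no banner within 5 s (not an RFB server)
#   vnc RFB 003.008  an RFB server answered
#   not-vnc <bytes>  another service answered on that port
probe_vnc() {
    host=$1; port=${2:-5900}
    # bash opens the socket for the redirection; connect errors land on stderr
    out=$(timeout 5 head -c 12 < "/dev/tcp/$host/$port" 2>&1)
    rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "silent"; return 1
    fi
    case "$out" in
        *"Connection refused"*) echo "refused"; return 1 ;;
        *"/dev/tcp/"*)          echo "unreachable"; return 1 ;;
    esac
    banner=$(printf '%s' "$out" | tr -d '\r\n')
    kind=$(classify_banner "$banner")
    echo "$kind $banner"
    [ "$kind" = vnc ]
}

# Show the filter and nat tables side by side; `iptables -F` alone flushes only
# the filter table, so a DNAT that points at the wrong address survives it.
dump_rules() {
    iptables -L -n -v --line-numbers
    iptables -t nat -L -n -v --line-numbers
}

# nat_forward_rules WAN_IF VNC_HOST [PORT] prints the rules a forward of PORT on
# the outside interface to the Windows box needs: the DNAT alone is not enough,
# the FORWARD chain must also accept the translated packets and routing must be on.
nat_forward_rules() {
    wan_if=$1; vnc_host=$2; port=${3:-5900}
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $port -j DNAT --to-destination $vnc_host:$port
iptables -I FORWARD -i $wan_if -p tcp -d $vnc_host --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I FORWARD -o $wan_if -p tcp -s $vnc_host --sport $port -m state --state ESTABLISHED -j ACCEPT
EOF
}

# Usage:  ./vncdiag.sh probe 192.168.1.50        (from the gateway: is the server up?)
#         ./vncdiag.sh probe <public-ip>         (from outside: does the forward work?)
#         ./vncdiag.sh dump                      (current filter and nat rules)
#         ./vncdiag.sh rules eth0 192.168.1.50 | sh   (apply only after review)
case "${1-}" in
    probe) probe_vnc "$2" "${3:-5900}" ;;
    rules) nat_forward_rules "$2" "$3" "${4:-5900}" ;;
    dump)  dump_rules ;;
esac
```

Run the probe from the gateway against the Windows box's LAN address first: `refused` there means the TightVNC server itself is not accepting connections on that port, and no amount of iptables work will fix it. `vnc` from the gateway but `refused` from outside points at the NAT or FORWARD rules, which is where the `dump` output comes in.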



inkfreq (Author) commented:
While this answer didn't quite cover what I needed to know, it did give me some very solid jumping points to getting the problem fixed. Thanks.