Using iptables to forward vnc SOLVED-ish

Brad Smith usernamenumber at gmail.com
Thu Sep 16 23:26:20 UTC 2004


On Thu, 16 Sep 2004 08:41:34 -0400, Christopher K. Johnson
<ckjohnson at gwi.net> wrote:
> Brad Smith wrote:
> 
> >The packets hit PREROUTING and FORWARD, but not INPUT or OUTPUT, as expected.
> >All chains on the gateway ACCEPT by default
> >The firewall on the client and vnc server is down
> >
> >
> With iptables forwarded packets would not hit the INPUT or OUTPUT
> chains.  That was only true of ipchains.

I should have phrased that better. I meant that I didn't expect the
packets to hit INPUT or OUTPUT and they didn't. =:)
 
> Given Kenneth's observation about interfaces I would double-check the
> address in the nat rule, and I would verify that the interface
> connecting to the vnc server is correctly addressed and masked to
> include that address.  My guess is that one of those is wrong and the gw
> is trying to deliver the nat'd packets via its default gateway.

Well, here's an interesting development. It turns out that everything
works fine if the client is on the other side of the gateway from the
server. It's only connections between two internal machines that break
and I think I just figured out why.

Iptables is actually doing its job perfectly: when the client sends a
request to the server it is forwarded to the vnc server. The vnc
server receives the vnc client's SYN packet and responds with a
SYN/ACK. But the client is expecting a response from the gateway, not
the vnc server and so responds with an RST instead of an ACK. Repeat
ad infinitum.

So basically, for this to work we'd need to do both DNAT for the
redirection and SNAT to keep the response from confusing the client.
As far as I know there's no way to do that with a single rule but,
just out of curiosity, I'd love to hear if anyone has ideas.

---Brad
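The DNAT-plus-SNAT ("hairpin NAT") rule set described in the post, written out as an added example that is not from the original thread. The interface name and all addresses are constructed placeholders; DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Hairpin NAT for an internal VNC client reaching an internal VNC server
# through the gateway's address. All values below are constructed examples.
LAN_IF="eth1"               # gateway interface facing the internal network
LAN_NET="192.168.1.0/24"    # internal network
GW_LAN_IP="192.168.1.1"     # gateway's own address on that network
VNC_SERVER="192.168.1.50"   # real VNC server on the internal network
VNC_PORT="5900"

# Wrapper: with DRY_RUN=1 the iptables command line is printed for review
# instead of being applied to the live firewall.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

hairpin_vnc_rules() {
    # 1. DNAT: a LAN client connecting to the gateway's VNC port is redirected
    #    to the real server (same idea as the rule for outside clients, but
    #    matched on the LAN interface).
    ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -d "$GW_LAN_IP" \
        -p tcp --dport "$VNC_PORT" -j DNAT --to-destination "$VNC_SERVER:$VNC_PORT"
    # 2. SNAT: rewrite the source of those redirected packets to the gateway,
    #    so the server's SYN/ACK goes back through the gateway (where conntrack
    #    undoes both translations) instead of straight to the client, which
    #    would otherwise see a SYN/ACK from an address it never contacted and
    #    answer with RST.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -d "$VNC_SERVER" \
        -p tcp --dport "$VNC_PORT" -j SNAT --to-source "$GW_LAN_IP"
    # 3. Permit the forwarded flow (only matters if FORWARD does not ACCEPT
    #    by default); note the packet enters and leaves on the same interface.
    ipt -A FORWARD -i "$LAN_IF" -o "$LAN_IF" -d "$VNC_SERVER" \
        -p tcp --dport "$VNC_PORT" -j ACCEPT
}

# Usage: sh hairpin.sh apply            (apply to the running firewall)
#        DRY_RUN=1 sh hairpin.sh apply  (print the rules only)
if [ "${1:-}" = "apply" ]; then
    hairpin_vnc_rules
fi
```

Because the SNAT hides the client's real address from the server, the VNC server's logs will show every hairpinned client as the gateway.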





More information about the fedora-list mailing list