Using iptables to forward vnc

Brad Smith usernamenumber at gmail.com
Thu Sep 16 03:01:39 UTC 2004


Hello,

I am a bit confoosed here. I want to forward a vnc connection using
iptables. I know about ssh forwarding, but security is not as big a
priority as speed and simplicity for the person on the client end are in
this case.

On my fw gateway, which does NAT with no problems, I ran:

iptables -t nat -I PREROUTING -p tcp --dport 5801 -j DNAT --to-dest x.x.x.x

...where x.x.x.x is the IP of my internal vnc server.

Connecting to the vnc server (via tightvnc's java/web-browser
interface) from within the local network works fine. But anyone who
goes through the gateway gets an ICMP Destination Unreachable.

I set up some logging rules to check, and here's what I can say pretty
positively:

The packets hit PREROUTING and FORWARD, but not INPUT or OUTPUT, as expected.
All chains on the gateway ACCEPT by default
The firewall on the client and vnc server is down 

Here's an example log entry:

From PREROUTING
IN=eth0 OUT= MAC=xxxxxxx SRC=vnc-client-ip DST=nat-gw-ip LEN=48
TOS=0x00 PREC=0x00 TTL=128 ID=31247 DF PROTO=TCP SPT=1612 DPT=5801
WINDOW=65535 RES=0x00 SYN URGP=0

From FORWARD
IN=eth0 OUT=eth0 SRC=vnc-client-ip DST=vnc-server-ip LEN=48 TOS=0x00
PREC=0x00 TTL=127 ID=31276 DF PROTO=TCP SPT=1612 DPT=5801 WINDOW=65535
RES=0x00 SYN URGP=0

I guess I must just be missing something. If anyone has a suggestion,
I'd love to hear it.

--Brad
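One way to work with the two log entries above is to parse them and compare the PREROUTING and FORWARD views of the same SYN: did the nat table rewrite DST to the intended server, was the port preserved, and does the packet leave on the interface it arrived on? The script below is an added example, not part of the original post or the fedora-list thread. The addresses in it are constructed documentation-range placeholders standing in for vnc-client-ip, nat-gw-ip, vnc-server-ip and x.x.x.x; nothing here is a diagnosis of the poster's network, only a generic check a reader can run over their own LOG output.

```python
# Constructed sample LOG lines, modelled on the two entries in the post.
# The addresses are documentation-range placeholders standing in for
# vnc-client-ip, nat-gw-ip and vnc-server-ip; they are not real hosts.
PREROUTING_LOG = (
    "IN=eth0 OUT= MAC=xxxxxxx SRC=203.0.113.10 DST=198.51.100.1 LEN=48 "
    "TOS=0x00 PREC=0x00 TTL=128 ID=31247 DF PROTO=TCP SPT=1612 DPT=5801 "
    "WINDOW=65535 RES=0x00 SYN URGP=0"
)
FORWARD_LOG = (
    "IN=eth0 OUT=eth0 SRC=203.0.113.10 DST=192.168.1.20 LEN=48 TOS=0x00 "
    "PREC=0x00 TTL=127 ID=31276 DF PROTO=TCP SPT=1612 DPT=5801 WINDOW=65535 "
    "RES=0x00 SYN URGP=0"
)

VNC_SERVER = "192.168.1.20"  # placeholder for the DNAT target x.x.x.x
VNC_PORT = "5801"


def parse_log(line):
    """Turn one iptables LOG line into a dict.

    KEY=VALUE tokens become string entries (an empty value such as OUT=
    is kept as ""); bare flag tokens such as DF or SYN become True.
    """
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else True
    return fields


def check_dnat(pre, fwd, server, port):
    """Compare the PREROUTING and FORWARD views of the same packet.

    pre and fwd are dicts from parse_log(). The result records whether
    the nat table rewrote DST to the intended server, whether the port
    survived, and whether the packet leaves on the interface it arrived
    on. That last case is a hairpin path: the server's reply can reach
    the client without passing back through this gateway's connection
    tracking, so it is never un-DNATed unless SNAT is applied as well.
    """
    return {
        "same_flow": (pre["SRC"], pre["SPT"]) == (fwd["SRC"], fwd["SPT"]),
        "dst_rewritten": pre["DST"] != fwd["DST"],
        "dst_is_server": fwd["DST"] == server,
        "port_preserved": pre["DPT"] == fwd["DPT"] == port,
        "same_interface": fwd["IN"] == fwd["OUT"],
        "ttl_decremented": int(pre["TTL"]) - int(fwd["TTL"]) == 1,
    }


if __name__ == "__main__":
    result = check_dnat(parse_log(PREROUTING_LOG), parse_log(FORWARD_LOG),
                        VNC_SERVER, VNC_PORT)
    for name, ok in result.items():
        print(f"{name:16} {ok}")
```

With the two constructed lines the check reports that DST was rewritten to the server and the port kept, and it also flags same_interface, which is the condition under which a forwarded connection needs SNAT (or MASQUERADE) on the gateway so that return traffic comes back through the same NAT state.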
