Using iptables to forward vnc SOLVED-ish

Christopher K. Johnson ckjohnson at gwi.net
Fri Sep 17 00:35:12 UTC 2004


Brad Smith wrote:

>On Thu, 16 Sep 2004 08:41:34 -0400, Christopher K. Johnson
><ckjohnson at gwi.net> wrote:
>>Brad Smith wrote:
>>
>>>The packets hit PREROUTING and FORWARD, but not INPUT or OUTPUT, as expected.
>>>All chains on the gateway ACCEPT by default
>>>The firewall on the client and vnc server is down
>>
>>With iptables forwarded packets would not hit the INPUT or OUTPUT
>>chains.  That was only true of ipchains.
>
>I should have phrased that better. I meant that I didn't expect the
>packets to hit INPUT or OUTPUT and they didn't. =:)
>
>>Given Kenneth's observation about interfaces I would double-check the
>>address in the nat rule, and I would verify that the interface
>>connecting to the vnc server is correctly addressed and masked to
>>include that address.  My guess is that one of those is wrong and the gw
>>is trying to deliver the nat'd packets via its default gateway.
>
>Well, here's an interesting development. It turns out that everything
>works fine if the client is on the other side of the gateway from the
>server. It's only connections between two internal machines that break
>and I think I just figured out why.
>
>Iptables is actually doing its job perfectly: when the client sends a
>request to the server it is forwarded to the vnc server. The vnc
>server receives the vnc client's SYN packet and responds with a
>SYN/ACK. But the client is expecting a response from the gateway, not
>the vnc server and so responds with an RST instead of an ACK. Repeat
>ad infinitum.
>
>So basically, for this to work we'd need to do both DNAT for the
>redirection and SNAT to keep the response from confusing the client.
>As far as I know there's no way to do that with a single rule but,
>just out of curiosity, I'd love to hear if anyone has ideas.
I have two ideas.
Since both systems are on the inside (on the same network) they should 
not involve the gateway in the process at all.

Based on your description of what is occurring the client is attempting to reach the public address of the vnc server, not the private address.  You need to modify your private DNS server entry, or if you do not have one, well that should really be fixed by creating one.

Having a split DNS configuration is one of the things that makes public/private access to servers much smoother.  And it allows you to make hosts on the private network aware of all the other private servers that are not known publicly.

Chris

-- 
-----------------------------------------------------------
   "Spend less!  Do more!  Go Open Source..." -- Dirigo.net
   Chris Johnson, RHCE #807000448202021
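Brad's diagnosis above (the LAN client connects to the gateway's public address, the gateway DNATs the SYN to the vnc server, and the server's SYN/ACK comes straight back from a different address than the client expects, so the client RSTs) is the classic hairpin NAT case. The fix he describes, DNAT plus SNAT for the same flow, needs two rules rather than one. The script below is an added example for readers of this thread, not something posted by Brad or Chris: all addresses, interface names and the port are constructed placeholders. It prints the rules by default so they can be reviewed first, and applies them only when run as root with `--apply`.

```shell
#!/bin/sh
# Hairpin (loopback) NAT for a VNC server behind an iptables gateway.
# Added example; every value below is an assumption, not taken from the thread.

PUBLIC_IP="203.0.113.10"      # gateway's public address (assumed, TEST-NET-3 range)
LAN_IF="eth1"                 # gateway interface facing the private LAN (assumed)
LAN_NET="192.168.1.0/24"      # private network (assumed)
GW_LAN_IP="192.168.1.1"       # gateway's own address on the LAN (assumed)
VNC_SERVER="192.168.1.20"     # VNC server's private address (assumed)
VNC_PORT="5900"               # VNC display :0

# Emit the iptables commands instead of running them, so the rule set can be
# inspected (or tested) without root.  Each rule is scoped to the LAN interface
# and the LAN source range so that external clients are untouched.
hairpin_nat_rules() {
    # 1. DNAT: LAN client -> PUBLIC_IP:5900 is rewritten to -> VNC_SERVER:5900.
    #    This is the rule Brad already had; it handles the client's SYN.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$LAN_IF" "$LAN_NET" "$PUBLIC_IP" "$VNC_PORT" "$VNC_SERVER" "$VNC_PORT"
    # 2. SNAT for that same flow only (by POSTROUTING the destination is already
    #    the server).  The server now replies to the gateway, the gateway undoes
    #    both translations, and the client sees the SYN/ACK come from PUBLIC_IP.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport %s -j SNAT --to-source %s\n' \
        "$LAN_IF" "$LAN_NET" "$VNC_SERVER" "$VNC_PORT" "$GW_LAN_IP"
    # 3. Explicit FORWARD accept for the flow.  Redundant while FORWARD defaults
    #    to ACCEPT (as in Brad's setup), but keeps working once the policy is DROP.
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$LAN_IF" "$LAN_IF" "$VNC_SERVER" "$VNC_PORT"
}

# Number of rules emitted; useful as a quick self-check before applying.
rule_count() {
    hairpin_nat_rules | wc -l | tr -d ' '
}

if [ "${1:-}" = "--apply" ]; then
    # Run each emitted command; requires root and a kernel with the nat table.
    hairpin_nat_rules | sh
else
    hairpin_nat_rules
fi
```

The SNAT rule is deliberately narrow: only LAN-to-VNC-server traffic on port 5900 gets its source rewritten, so the vnc server's logs keep real client addresses for every other connection. For the hairpinned flow itself the server will only ever see the gateway's LAN address, which is exactly the loss of visibility Chris's split-DNS suggestion avoids, since LAN clients then talk to the private address directly and the gateway is not involved at all.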