- 08-21-2010 #1 Just Joined!
- Join Date
- Aug 2010
- Posts
- 3
VNC Proxy
Hello,
I have two internet-based servers (xx.xx.xx.xx and yy.yy.yy.yy).
The Y server is running a VNC server and is responsible for answering VNC sessions.
But I need to hide the IP of the Y server, so I want the X server to act as a VNC proxy and redirect all VNC sessions to the Y server.
I guess the best way is to use iptables, but actually I can't get it working, so any suggestion about iptables rules is welcome.
Regards
- 08-23-2010 #2 Just Joined!
- Join Date
- Jul 2010
- Posts
- 53
one simple way is to use ssh to establish the tunnel - for example for vnc display :2 on your server_x you can do:
Code:
ssh -L xx.xx.xx.xx:5902:localhost:5902 server_y
if you have vnc running on server_y then connections to server_x will use that tunnel transparently. things like DISPLAY in the vnc session will point to localhost instead of yy.yy.yy.yy - doesn't completely obfuscate that ip but is an easy start.
- 08-27-2010 #3 Just Joined!
- Join Date
- Aug 2010
- Posts
- 3
- 08-27-2010 #4 Just Joined!
- Join Date
- Jul 2010
- Posts
- 53
you need to be more clear about what you consider security then - or are not asking the actual question to which you want an answer. the answer i've given you is a production solution in many financial institutions and has undergone significant security audits.
given that you are intending on opening up a vnc session to the machine in the first place, then using encrypted traffic, and obfuscating the VNC server ip from any connection you allow is your best step towards being secure. the only real issue with that approach is that you expose the ip address of server_x - which was in your original request.
a further option is to originate the ssh tunnel on a 3rd machine - which would be the ONLY ip address you expose - and have it offer the VNC connection tunneling THROUGH your server_x to server_y.
by offering vnc connectivity to the machine at all, you're making an inherent choice about security to the machine. this way at least the traffic is thoroughly encrypted, the tunnel can only be set up with permissions to your secured servers - this you can lock down to require key-based security and entirely disable password authentication for ssh access.
thereby reducing your security exposure to your vnc passwords and the permissions of the account under which you start the vncserver on your server_y
to go further, you need to set up 1 or 2 dmz networks - and reverse proxy.
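Added example, not part of the original thread: the reply above recommends requiring key-based ssh logins and disabling password authentication, and this script checks an sshd_config for that state. The function names (sshd_value, audit_key_only) and the two sample configs are made up for illustration.

```shell
#!/bin/sh
# Added example: check the global section of an sshd_config for the
# key-only login setup recommended in the thread.

# Print the global value of a keyword (or '|'-separated aliases), lowercased.
# sshd matches keywords case-insensitively and keeps the FIRST value it
# sees, so this does the same. It stops at the first Match block.
sshd_value() {  # usage: sshd_value <file> <keyword[|alias]> <default>
    awk -v key="$2" -v def="$3" '
        NF == 0 || $1 ~ /^#/          { next }
        tolower($1) == "match"        { exit }
        tolower($1) ~ ("^(" key ")$") { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Return 0 only when password-style logins are off and keys are allowed.
# The defaults passed to sshd_value (yes) are the OpenSSH defaults.
audit_key_only() {  # usage: audit_key_only <file>
    _rc=0
    _kbd='kbdinteractiveauthentication|challengeresponseauthentication'
    [ "$(sshd_value "$1" passwordauthentication yes)" = no ] ||
        { echo "FAIL: PasswordAuthentication is not 'no'"; _rc=1; }
    [ "$(sshd_value "$1" "$_kbd" yes)" = no ] ||
        { echo "FAIL: keyboard-interactive authentication is not 'no'"; _rc=1; }
    [ "$(sshd_value "$1" pubkeyauthentication yes)" = yes ] ||
        { echo "FAIL: PubkeyAuthentication is disabled"; _rc=1; }
    # Match blocks can re-enable passwords per user or address; flag them
    # for review (sshd -T -C user=NAME prints the effective values).
    grep -Eiq '^[[:space:]]*match[[:space:]]' "$1" &&
        echo "NOTE: Match block present, review per-user overrides"
    return "$_rc"
}

# Constructed sample configs for illustration (not from any real host).
SAMPLES=$(mktemp -d)
printf '%s\n' '# passwords still allowed' 'PubkeyAuthentication yes' \
    'passwordauthentication yes' > "$SAMPLES/weak"
printf '%s\n' 'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    'PasswordAuthentication yes' > "$SAMPLES/key_only"

for f in weak key_only; do
    if audit_key_only "$SAMPLES/$f"; then echo "$f: key-only"
    else echo "$f: NOT key-only"; fi
done
```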
- 08-27-2010 #5 Just Joined!
- Join Date
- Aug 2010
- Posts
- 3



