#1 (Just Joined!, Join Date: Jun 2003, Location: India, Posts: 3)

VNC and IPTABLES


Hi gurus,

I am using IPTABLES packet filtering with NAT. I have a VNC server running on my LAN to which external users connect over the internet. I am using DNAT on the PREROUTING chain with the following rules:

    iptables -t nat -A PREROUTING -p tcp -d x.x.x.x -j DNAT --to-destination y.y.y.y
    iptables -A FORWARD -p tcp -i eth0 -d y.y.y.y -j ACCEPT

x.x.x.x -- is my external interface
y.y.y.y -- is my VNC machine's IP on my LAN

Now, I would like to:
1. Restrict the external users to the IP from which they come in, so that my server accepts VNC requests only from that IP.
2. On what TCP port does VNC work, so that I can specify --dport values as well?

Any help would be most welcome.

Regds

#2 (Linux Guru, Join Date: Apr 2003, Location: London, UK, Posts: 3,284)

It depends on whether your VNC server is Linux or Windows.

    VNC server for windows starts on TCP/5900, and TCP/5800 for the Java web client interface. On linux, default is TCP/5901 and TCP/5801.

    Is your input table set to a default of "allow" or "reject"?

If reject, use:

    iptables -A INPUT -p tcp --destination-port 590x --source x.x.x.x/xx -j ACCEPT

If it's "allow" then use:

    iptables -A INPUT -p tcp --destination-port 590x ! --source x.x.x.x/xx -j DROP

Replace the "x" part of 590x with either 1 or 0 depending on Linux or Windows VNC server. The x.x.x.x/xx is a CIDR range if you want to allow a range of IP addresses, e.g. 192.168.0.0/24 would allow anything on the 192.168.0.x network to connect. If you know just a specific IP address, just use that, e.g.: "... ! --source 192.168.0.214 ...".

    Anything coming in should then be dropped if not from the IP address specified.

    Jason

#3 (Just Joined!, Join Date: Jun 2003, Location: India, Posts: 3)

Hi jaguar,

Thanks for the reply, but I need one more bit of help. I would like to restrict the users on my LAN from using Yahoo Messenger, MSN Messenger, ICQ, mIRC and other chat programs.

Thanks.
    Mahesh

#4 (Linux Guru, sarumont, Join Date: Apr 2003, Location: /dev/urandom, Posts: 3,682)

All you have to do is block the ports like this:

    iptables -A OUTPUT -o eth0 -p tcp --dport 6667 -j DROP

replacing the interface, protocol and destination port(s) as necessary.

    A list of programs/protocols and their registered port numbers can be found here: http://www.iana.org/assignments/port-numbers
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy
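An added example, not code from any post in this thread, that ties the two questions together: it prints (rather than runs) the iptables rules that DNAT only the VNC port and only for one allowed source address, and the rules that stop LAN users' chat traffic. LAN traffic passes through the router, so it is matched in the FORWARD chain, whereas OUTPUT only sees packets the router itself generates. The addresses, the interface names (eth0 outside, eth1 inside) and the chat port list are constructed assumptions for the example.

```shell
#!/bin/sh
# Prints iptables commands for review; run "sh this_script | sh" as root
# once you are satisfied with them. Addresses below are constructed.

vnc_rules() {
  ext=$1   # x.x.x.x, the public address on eth0
  vnc=$2   # y.y.y.y, the VNC host on the LAN
  src=$3   # the single external address allowed to reach VNC
  port=$4  # 5900 for Windows VNC, 5901 for the first Linux display
  # DNAT only the VNC port, and only when the packet comes from the allowed
  # source; nothing else sent to the public address is forwarded inside.
  echo "iptables -t nat -A PREROUTING -i eth0 -p tcp -s $src -d $ext --dport $port -j DNAT --to-destination $vnc:$port"
  # Let the allowed source open the session and keep it going.
  echo "iptables -A FORWARD -i eth0 -p tcp -s $src -d $vnc --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
  # Let the VNC host's replies travel back out.
  echo "iptables -A FORWARD -o eth0 -p tcp -s $vnc --sport $port -m state --state ESTABLISHED -j ACCEPT"
  # Everything else arriving from the internet for the VNC host is dropped.
  echo "iptables -A FORWARD -i eth0 -d $vnc -j DROP"
}

# Chat clients on the LAN send through the router, so block in FORWARD on
# the LAN-facing interface. A TCP reset makes the client fail immediately
# instead of hanging on a silent DROP.
block_lan_ports() {
  lan_if=$1; shift   # interface facing the LAN
  for port in "$@"; do
    echo "iptables -A FORWARD -i $lan_if -p tcp --dport $port -j REJECT --reject-with tcp-reset"
  done
}

vnc_rules 203.0.113.10 192.168.1.50 198.51.100.7 5900
# 6667 IRC, 5190 AIM/ICQ, 1863 MSN Messenger, 5050 Yahoo Messenger
# (default ports; check the IANA list above for others).
block_lan_ports eth1 6667 5190 1863 5050
```

Most chat clients fall back to port 80 or 443 when their default port is blocked, so port filtering alone only stops the default configuration.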
