VNC and IPTABLES
I am using IPTABLES packet filtering with NAT. I have a VNC server running on my LAN to which external users connect over the internet. I am using DNAT on the PREROUTING chain with the following rules:
iptables -t nat -A PREROUTING -p tcp -d x.x.x.x -j DNAT --to-destination y.y.y.y
iptables -A FORWARD -p tcp -i eth0 -d y.y.y.y -j ACCEPT
x.x.x.x -- is my external interface
y.y.y.y -- is my VNC machine's IP on my LAN
Now, I would like to:
1. Restrict the external users by the IP from which they come in, so that my server accepts VNC requests only from that IP.
2. On what TCP port does VNC work... so that I can specify --dport values also.
Any help would be most welcome.
It depends if your VNC server is linux or windows.
VNC server for windows starts on TCP/5900, and TCP/5800 for the Java web client interface. On linux, default is TCP/5901 and TCP/5801.
Is your input table set to a default of "allow" or "reject"?
If reject, use:
iptables -A INPUT -p tcp --destination-port 590x --source x.x.x.x/xx -j ACCEPT
Replace the "x" part of 590x with either 1 or 0 depending on Linux or Windows VNC server. The x.x.x.x/xx is a CIDR if you want to allow a range of IP addresses, e.g. 192.168.0.0/24 would allow anything on the 192.168.0.x network to connect. If you know just a specific IP address, just use that, e.g. "... --source ! 192.168.0.214 ....".
If it's "allow" then use:
iptables -A INPUT -p tcp --destination-port 590x --source ! x.x.x.x/xx -j DROP
Anything coming in should then be dropped if not from the IP address specified.
Thanks for the reply, but I need help with one more thing. I would like to restrict the users on my LAN from using Yahoo Messenger, MSN Messenger, ICQ, mIRC and other chats.
All you have to do is block the ports like this:
iptables -A OUTPUT -o eth0 -p tcp --dport 6667 -j DROP
replacing the interface, protocol and destination port(s) as necessary.
A list of programs/protocols and their registered port numbers can be found here: http://www.iana.org/assignments/port-numbers
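The following script is an added example, not code posted in this thread: it puts together the two things asked about above (restricting the DNAT'd VNC access to one source address on a known port, and blocking chat clients by port). The source restriction is placed in the FORWARD chain rather than INPUT, because packets that are DNAT'd to a LAN host are routed through the firewall, not delivered to it, so INPUT never sees them; for the same reason, LAN clients' outbound chat traffic is matched in FORWARD rather than OUTPUT. All addresses, interface names and the DRY_RUN switch are constructed for the example.

```shell
#!/bin/sh
# Constructed example: eth0 is the internet-facing interface, eth1 the LAN
# side, EXT_IP the public address, VNC_HOST the LAN VNC server, and
# ALLOWED_SRC the single remote address (or CIDR) permitted to connect.
# Port 5900 matches a Windows VNC server; 5901 would be Linux display :1.
# With DRY_RUN=1 (the default) the rules are printed for review instead of
# being loaded; run as root with DRY_RUN=0 to apply them.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# The DNAT rule carries -s and --dport, so only the allowed peer and only
# the VNC port are redirected; the FORWARD rules then admit that flow and
# its replies, and everything else aimed at the VNC host is dropped.
vnc_rules() {
    ext_ip=$1; vnc_host=$2; allowed_src=$3; vnc_port=${4:-5900}
    run -t nat -A PREROUTING -i eth0 -p tcp -s "$allowed_src" -d "$ext_ip" \
        --dport "$vnc_port" -j DNAT --to-destination "$vnc_host:$vnc_port"
    run -A FORWARD -i eth0 -p tcp -s "$allowed_src" -d "$vnc_host" \
        --dport "$vnc_port" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run -A FORWARD -o eth0 -p tcp -s "$vnc_host" --sport "$vnc_port" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
    run -A FORWARD -i eth0 -d "$vnc_host" -j DROP
}

# Block chat clients from the LAN by the ports they use by default:
# IRC 6667, MSN Messenger 1863, Yahoo Messenger 5050, ICQ/AIM 5190.
chat_block_rules() {
    lan_if=$1
    for port in 6667 1863 5050 5190; do
        run -A FORWARD -i "$lan_if" -p tcp --dport "$port" -j REJECT
    done
}

DRY_RUN=1 vnc_rules 203.0.113.10 192.168.1.20 198.51.100.7 5900
DRY_RUN=1 chat_block_rules eth1
```

Port-based blocking only stops clients that use their default ports; several of these messengers could fall back to HTTP on 80/443, so a proxy or application-layer filter is needed to enforce the chat ban reliably.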