[wplug] iptables, port forwarding and vnc.

Brandon Kuczenski brandon at 301south.net
Wed Mar 3 22:20:25 EST 2004


On Wed, 3 Mar 2004, John Harrold wrote:

> I'm trying to forward ports on our gateway running Linux to the Windows
> machine so that someone running VNC from the outside can use it.
> 
>    External Interface:  eth0
>    Internal Interface:  eth1
> 
>  PSERVER="123.123.123.123"     #external interface eth0
>  PGW="192.168.0.1"             #internal interface eth1
>  LOCNET="192.168.0.0/24"       
>  WINDOWS="192.168.0.3"         #windows machine
> 
>  # so i have the following to forward ports 5800 and 5900 which i read vnc uses
>  # i read that the following would forward the ports i need.
> 
>  $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 -d  $PSERVER --dport 5800 -j DNAT --to-destination $WINDOWS:5800
>  $IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --sport 1024:65535 -d $WINDOWS --dport 5800 -m state --state NEW -j ACCEPT
>  $IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --sport 1024:65535 -d  $PSERVER --dport 5900 -j DNAT --to-destination $WINDOWS:5900
>  $IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --sport 1024:65535 -d $WINDOWS --dport 5900 -m state --state NEW -j ACCEPT
> 
>  This doesn't seem to be working; since I'm not too swift at this kind of
>  thing, does anyone see any problems with this?
> 

On a security note, mightn't it be wiser to tunnel the connection through 
SSH, instead?  I'm not sure if VNC encrypts passwords or not.  It would 
sure suck to give the world a cleartext password to control your machine.

That's what I do, so my only responsive ports are 22, 25, and 80.

-Brandon
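As an added example that is not part of the original thread, here is a dry-run shell script for the SSH-tunnel alternative Brandon describes: the gateway accepts only SSH from outside, VNC is never DNATed or forwarded, and the remote user carries display :0 inside an `ssh -L` session. Addresses and interface names are taken from John's question; the `/sbin/iptables` path and the remote user name are assumptions.

```sh
#!/bin/sh
# Added example, not from the original thread: the gateway firewall for the
# SSH-tunnel approach suggested above, instead of DNATing VNC to the LAN.
# Host values are assumed from the question; RUN=echo makes this a dry run
# that prints the iptables commands for review instead of applying them.
RUN="${RUN:-echo}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
PSERVER="123.123.123.123"   # external interface eth0
WINDOWS="192.168.0.3"       # VNC host on the LAN
SSH_PORT=22
VNC_PORT=5900               # VNC display :0; 5800 (Java viewer) is not needed over SSH

# Only sshd is reachable from the outside and VNC is never exposed. The
# tunnel ends on the gateway itself, so its connection to the Windows box
# leaves through OUTPUT, not FORWARD, and no DNAT rule is needed at all.
gateway_rules() {
    $RUN "$IPTABLES" -P INPUT DROP
    $RUN "$IPTABLES" -P FORWARD DROP
    $RUN "$IPTABLES" -A INPUT -i lo -j ACCEPT
    $RUN "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $RUN "$IPTABLES" -A INPUT -i eth0 -p tcp -d "$PSERVER" --dport "$SSH_PORT" \
        -m state --state NEW -j ACCEPT
    # Needed only if the gateway's OUTPUT policy is DROP: let it open the
    # tunnelled VNC session to the Windows box.
    $RUN "$IPTABLES" -A OUTPUT -o eth1 -p tcp -d "$WINDOWS" --dport "$VNC_PORT" \
        -m state --state NEW -j ACCEPT
}

# What the remote user runs: local port 5900 travels inside the SSH session
# and emerges from the gateway bound for the Windows host, so the VNC
# password never crosses the Internet in the clear.
client_tunnel_cmd() {
    echo "ssh -N -L 5900:$WINDOWS:$VNC_PORT ${1:-user}@$PSERVER"
}

# Check on the emitted rule set: nothing arriving on eth0 may be accepted
# or NATed to the VNC ports. Returns 0 when VNC is not exposed.
vnc_not_exposed() {
    if gateway_rules | grep -e '-i eth0' | grep -q -e "dport $VNC_PORT" -e 'dport 5800'; then
        return 1
    fi
    return 0
}

# Print the plan when run directly; set RUN="" to apply the rules for real.
gateway_rules
client_tunnel_cmd "${USER:-user}"
```

The remote user then points the VNC viewer at localhost:5900 (display :0) while the ssh command is running.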
