On Mon, Nov 29, 2004 at 04:51:54PM -0800, Nick wrote:
> Hi,
>
> I want to do something relatively simple, but have not been able to
> figure out from the manual or playing with it how to achieve what I
> want.
>
> I have a server which I can only connect to via port 80, due to a
> firewall. I want to connect to VNC on the server, and connect to it
> via a VNC client on my laptop. VNC server only wants to run on port 5900.
> I'm not running an HTTP server on 80, so no prob there. I want to
> forward packets coming into the server on port 80 to the VNC on 5900.
>
> I tried doing this:
> /sbin/iptables -A FORWARD -p tcp --dport 80 -j ACCEPT

you're changing the dport to 5900 in NAT PREROUTING--your filter rule
should reflect that fact.

> /sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT
> --to 127.0.0.1:5900

you can't DNAT to 127.0.0.1--search the list archives for the nearly
8000 messages on this topic.

> But the VNC client hangs for a while before timing out when I try to
> connect to it.
>
> Ideas on how to achieve the desired result?

# redirect tcp 80 -> 5900
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
  -j REDIRECT --to-port 5900

# allow stateful replies
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# allow connections to tcp 5900
iptables -A INPUT -i eth0 -p tcp --syn --dport 5900 -j ACCEPT

you then need to tell your VNC client to connect to:

$SERVERIP:-5820

the port number is calculated by:

5900 + DISPLAY_NUMBER

to get it to connect to port 80:

5900 + (-)5820 = 80

-j

--
"Okay, retrace your steps. Woke up, fought with Marge, ate Guatemalan
insanity peppers, then I... Oh..."
--The Simpsons
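The display-number arithmetic in the reply above (5900 + DISPLAY_NUMBER, so a negative display such as -5820 lands the viewer on port 80), written out as an added example that is not part of the list message: it resolves a viewer target to the TCP port actually dialled and checks the result is a legal port before anyone spends time wondering why a connection hangs. The HOST::PORT explicit-port form is a convention of common VNC viewers and is assumed here, not something the reply mentions.

```python
import re

# VNC display N listens on TCP 5900 + N, as the reply states.
VNC_BASE_PORT = 5900


def vnc_port_from_display(display: int) -> int:
    """Map a VNC display number to its TCP port (5900 + N).

    Negative displays are deliberately allowed: that is the trick in the
    reply, where display -5820 makes the viewer dial 5900 - 5820 = 80,
    which the REDIRECT rule then forwards to the real server on 5900.
    """
    port = VNC_BASE_PORT + display
    if not 1 <= port <= 65535:
        raise ValueError(f"display {display} maps to invalid port {port}")
    return port


def display_for_port(port: int) -> int:
    """Inverse of the above: the display number that reaches a given port."""
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    return port - VNC_BASE_PORT


def parse_vnc_target(spec: str) -> tuple[str, int]:
    """Resolve a viewer target (HOST, HOST:DISPLAY or HOST::PORT) to (host, port).

    HOST alone means display 0. HOST::PORT is the explicit-port convention
    of common viewers (assumed, not from the reply). IPv6 literals are not
    handled; the host part is everything before the first colon.
    """
    m = re.fullmatch(r"(?P<host>[^:]+)(?:(?P<sep>::?)(?P<num>-?\d+))?", spec.strip())
    if not m:
        raise ValueError(f"unparseable VNC target: {spec!r}")
    host = m.group("host")
    if m.group("num") is None:
        return host, VNC_BASE_PORT
    num = int(m.group("num"))
    if m.group("sep") == "::":
        if not 1 <= num <= 65535:
            raise ValueError(f"invalid explicit port {num}")
        return host, num
    return host, vnc_port_from_display(num)


if __name__ == "__main__":
    # Constructed sample target mirroring the reply's $SERVERIP:-5820 advice.
    print(parse_vnc_target("192.0.2.10:-5820"))  # ('192.0.2.10', 80)
```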