Hi,

Yes, this is correct. I have just configured my system to be accessible from outside, but I used browser control, so I automatically assumed the same situation here. My mistake.

Yes, I am running VNC server on a Windows box behind a Linux firewall.

Rudolf

-----Original Message-----
From: Michael Scully [mailto:agentscully@xxxxxxxxxxxxxxxxxxxxxx]
Sent: Friday, June 25, 2004 9:37 AM
To: 'General Red Hat Linux discussion list'
Subject: RE: iptables - port redirection - VNC

Rudolph:

Port 5800 and up are for browser-based control. The native VNC client uses the 5900 and up sockets. But beware of the port sequences. Using VNC on Linux gives you virtual X sessions, and they normally start with session 1 since session 0 is the console. The access ports are 5900 PLUS the session. So the first virtual X session will listen on port 5901, the second on 5902, etc. 5901 is the port you need exposed in the router pinhole, assuming you have VNC hosting session 1.

If you run VNC server on a Windows box, the concept of virtual sessions isn't used, so there is only a base 0 session. It's interactive with the desktop users, so you can both interact with the keyboard, mouse, etc. So if you're trying to access a Windows machine remotely, it IS port 5900 for the pinhole.

Scully

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Rudolf Ladyzhenskii
Sent: Thursday, June 24, 2004 3:36 PM
To: General Red Hat Linux discussion list
Subject: RE: iptables - port redirection - VNC

You have to do port 5800 as well

Rudolf

-----Original Message-----
From: GK [mailto:guskasus@xxxxxxxxxxxx]
Sent: Friday, June 25, 2004 2:19 AM
To: General Red Hat Linux discussion list
Subject: RE: iptables - port redirection - VNC

Thanks Nathaniel!

I put in these lines, but I still cannot connect to my PCs inside. I added "-t nat" to the first line because it gave me an error. Is that OK? Do you have another idea?

GusKa.
On Thu, 24 Jun 2004 at 12:17, Nathaniel Hall wrote:
> Just by scanning over it pretty quickly, this is what I would do.
>
> $IPTABLES -A PREROUTING -d $PUBLICIP -p tcp -m tcp --dport 5900 -j DNAT --to-destination 192.168.10.79:5900
> $IPTABLES -A FORWARD -d 192.168.10.79 -p tcp -m tcp --dport 5900 -j ACCEPT
> $IPTABLES -A PREROUTING -d $PUBLICIP -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.80:80
> $IPTABLES -A FORWARD -d 192.168.10.80 -p tcp -m tcp --dport 80 -j ACCEPT
>
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~
> Nathaniel Hall
> Intrusion Detection and Firewall Technician
> Ozarks Technical Community College -- Office of Computer Networking
> 417-799-0552
>
>
> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of GK
> Sent: Thursday, June 24, 2004 10:06 AM
> To: redhat-list@xxxxxxxxxx
> Subject: iptables - port redirection - VNC
>
> Hi, I am a newbie in iptables. I must be doing something wrong. Is there an expert in iptables? Sure!
> I need to do port redirection from outside (the Internet) to inside (one specific PC). But the packets from the Internet to my public IP (port 5900) are DROPped.
> I need access via VNC from the Internet to the LAN inside, and another port (8080). These are a few lines from my script to configure iptables.
>
> Can somebody help me, please?
> Does anyone have any ideas?
> Thanks in advance,
>
> GusKa.
>
> ---------------------
>
> # eth0 local interface to Internet.
> # eth1 local interface to private LAN.
> # ppp0
>
> #PRIVATE= private LAN
> #EXTINT= Outside interface
> #INTINT= Inside Interface
> #EXTPPP= Outside public Interface
> #PUBLICIP= My Public IP
>
>
> PRIVATE=192.168.10.0/24
> EXTINT=eth0
> INTINT=eth1
> EXTPPP=ppp0
> PUBLICIP=201.254.205.12
> LOOP=127.0.0.1
>
> $IPTABLES -P OUTPUT ACCEPT
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD DROP
>
>
> # NAT to Outside.
> $IPTABLES -t nat -A POSTROUTING -s $PRIVATE -p tcp -o $EXTPPP -j SNAT --to $PUBLICIP
>
>
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # VNC to PC inside (private LAN)
> $IPTABLES -A PREROUTING -t nat -p tcp -d $PUBLICIP --dport 5900 -j DNAT --to 192.168.10.79:5900
> $IPTABLES -A FORWARD -i $EXTINT -o $INTINT -p tcp --dport 5900 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
> # HTTP 8080 to server inside httpd
> $IPTABLES -A PREROUTING -t nat -p tcp -d $PUBLICIP --dport 8080 -j DNAT --to 192.168.10.80:80
> $IPTABLES -A FORWARD -i $EXTINT -o $INTINT -p tcp --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
>
> # www, dns, smtp are open
> $IPTABLES -A INPUT -p tcp --dport http -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport 443 -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport smtp -j ACCEPT
> $IPTABLES -A INPUT -p tcp --dport domain -j ACCEPT
> $IPTABLES -A INPUT -p udp --dport domain -j ACCEPT
>
>
> # Masquerading rule
> $IPTABLES -A INPUT -s $PRIVATE -m state --state NEW -j ACCEPT
> $IPTABLES -A OUTPUT -s $PRIVATE -m state --state NEW -j ACCEPT
> $IPTABLES -A FORWARD -s $PRIVATE -m state --state NEW -j ACCEPT
>
>
> # All on loopback
> $IPTABLES -A INPUT -i lo -j ACCEPT
> $IPTABLES -A OUTPUT -o lo -j ACCEPT
>
>
> # All in private LAN
> $IPTABLES -A INPUT -i $INTINT -j ACCEPT
> $IPTABLES -A FORWARD -i $INTINT -j ACCEPT
>
> $IPTABLES -A INPUT -j DROP
> $IPTABLES -A FORWARD -j DROP
>
>
>
>
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
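A worked version of the pinhole rules the thread is circling around, added here as an editor's example rather than code from any of the posters. It addresses three things visible in the messages above: DNAT rules live in the nat table, so PREROUTING needs -t nat (the error GK hit with the suggested lines); the FORWARD chain sees the packet after DNAT, so the 8080 rule in GK's script has to match the inside port 80 and the inside address, not --dport 8080; and the -i interface in FORWARD must be the one the Internet packets actually arrive on, which in GK's script is the ppp0 interface that carries the public IP and the SNAT, not eth0. It also encodes Scully's port arithmetic (5900 + display for the native viewer, 5800 + display for the browser viewer). The public IP 203.0.113.10 and the trusted source 198.51.100.7/32 are placeholders; the inside hosts and interface names are the ones from GK's script. The functions only print rules so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits iptables rules for
# forwarding a public TCP port to a VNC or web server on the LAN.
# Interface names, addresses and ports are placeholders; adjust them.

# Native VNC viewer port for display N is 5900 + N (5900 on Windows,
# 5901 for the first virtual X display on Linux).
vnc_port() {
    echo $((5900 + $1))
}

# Browser (Java viewer) port for display N is 5800 + N.
vnc_http_port() {
    echo $((5800 + $1))
}

# Print the two rules that open one pinhole:
#   $1 public IP      $2 interface the Internet traffic arrives on
#   $3 LAN interface  $4 public port
#   $5 inside IP      $6 inside port
#   $7 optional: source address/CIDR allowed to use the pinhole
pinhole_rules() {
    pub_ip=$1; ext_if=$2; int_if=$3; pub_port=$4; in_ip=$5; in_port=$6
    src_match=""
    if [ -n "${7:-}" ]; then
        src_match="-s $7 "
    fi
    # DNAT only exists in the nat table: PREROUTING without -t nat is rejected.
    printf 'iptables -t nat -A PREROUTING -i %s %s-d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$ext_if" "$src_match" "$pub_ip" "$pub_port" "$in_ip" "$in_port"
    # FORWARD sees the packet after DNAT, so match the inside address and
    # inside port (not the public port), on the real inbound interface.
    printf 'iptables -A FORWARD -i %s -o %s %s-d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
        "$ext_if" "$int_if" "$src_match" "$in_ip" "$in_port"
}

# The thread's setup: Windows VNC (display 0) on 192.168.10.79, httpd on
# 192.168.10.80 reached through public port 8080, Internet on ppp0, LAN on eth1.
#   $1 public IP   $2 optional trusted source for the VNC pinhole
thread_ruleset() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    pinhole_rules "$1" ppp0 eth1 "$(vnc_port 0)" 192.168.10.79 "$(vnc_port 0)" "${2:-}"
    pinhole_rules "$1" ppp0 eth1 8080 192.168.10.80 80
}

# Usage: review the output, then pipe it to sh as root, e.g.
#   thread_ruleset 203.0.113.10 198.51.100.7/32 | sh
```

The rules assume, as GK's script does, that a separate FORWARD rule already accepts ESTABLISHED,RELATED traffic, so only NEW connections need a rule here. Use the optional source argument for the VNC pinhole whenever you can: classic VNC authentication is a short-password challenge-response and the session itself is unencrypted, so an unrestricted 5900 on a public IP invites password guessing; an SSH tunnel to the firewall with 5900 forwarded over it is the safer alternative to a pinhole at all.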