Well, I'm trying to set up my Mandrake 9.1 with Shorewall so I can access the VNC servers on the LAN. I have a 3-interface setup.

I tried this first:

    DNAT net loc:192.168.2.2 5900

I'm using PuTTY (Windows ssh client) to connect, as I'm connecting from work.

Well, it isn't working.

I then looked at the mailing list and there are different solutions, and I'm not sure what to use and what actually works.

There's a reply from Tom saying something like "accept fw loc tcp 5900".

The confusing part is that some people use DNAT and they say it's working for them.

Could it be my PuTTY setup or my rules setup is wrong?

Thank you.

Jayel
By using the DNAT line, you're simply opening up your VNC server to the world on the outside interface's address.

If you're using ssh:

    ACCEPT net:[address] fw tcp ssh

(I use the [address] part to place your work server's IP address and keep others out.)

Then, if you're using port forwarding, you need to be sure that it's allowed in your sshd config.

VNC will use ports 5900-59xx, so display 1 will be on 5901, etc.

Check that material out and see what happens.

On Tue, 15 Apr 2003 18:03:15 +0900 "Jayel Villamin" <jarthel@operamail.com> opened up to us and said:
> [...]

-- 
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com
Sorry for this reply as it's "out of place". I haven't used mailing lists for years. :)

Anyway, I read Paul's reply but I'd like clarification on 2 things.

"Then, if you're using port forwarding, you need to be sure that it's allowed in your sshd config."

I had a look at /etc/ssh/sshd_config. I can't find anything that resembles port forwarding. I looked at "man sshd" and nothing there.

Is Paul suggesting that I don't use "DNAT"? It seems DNAT and the ssh method are two methods of VNCing.

Thanks
Jayel
Maybe to clarify:

The DNAT entry he had in the rules file will open up his server without the need for ssh. Unfortunate for him that it also opens it to the world (please use an IP restriction).

Example:

    DNAT net loc:192.168.x.x tcp - 5900

That creates a wide open VNC server which you can connect directly to via vnc-viewer.

    DNAT net:x.x.x.x loc:192.168.x.x tcp - 5900

Restricts access to the port to x.x.x.x, as well as opening it up for the end user from address x.x.x.x.

Now, if you're using ssh to connect to the firewall, you do not need this entry. You can use ssh's port forwarding feature while connected to the firewall.

(from 'man sshd_config')

    AllowTcpForwarding
        Specifies whether TCP forwarding is permitted. The default is ``yes''. Note that disabling TCP forwarding does not improve security unless users are also denied shell access, as they can always install their own forwarders. The default is yes.

If the VNC server is on 192.168.x.x then the firewall has to be allowed to talk to the local machine (this is only if you're using ssh forwarding).

    ACCEPT fw loc:192.168.x.x tcp 5900

-P

On Tue, 15 Apr 2003 10:13:26 -0400 (EDT) "Jayel" <jarthel@excite.com> opened up to us and said:
> [...]
On Tue, 15 Apr 2003, Paul Slinski wrote:

> ACCEPT fw loc:192.168.x.x tcp 5900

And in all cases, the port number will only be 5900 if you are trying to connect to display 0. Connecting to display 1 requires port 5901, display 2 requires 5902, etc.

-Tom

-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
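A small audit script, added here as an example and not code from this thread or from the Shorewall project, that checks a Shorewall 1.x rules file for the two points Paul and Tom raise above: a DNAT rule whose SOURCE is a bare zone (no `:address`) exposes the forwarded port to every host in that zone, and VNC display N listens on TCP 5900+N. The sample rules file is constructed, and 203.0.113.5 is a placeholder address.

```python
import re
VNC_BASE = 5900  # display N listens on TCP 5900 + N (display 0 -> 5900, display 1 -> 5901)

def vnc_port(display: int) -> int:
    """TCP port for a VNC display number; the port a rule or ssh forward must name."""
    if not 0 <= display <= 99:
        raise ValueError("VNC display numbers are 0-99")
    return VNC_BASE + display

def mentions_vnc_port(field: str) -> bool:
    """True if a Shorewall port field ('5900', '5900:5910', '22,5901') touches 5900-5999."""
    for item in field.split(","):
        m = re.fullmatch(r"(\d+)(?::(\d+))?", item)  # Shorewall writes ranges as lo:hi
        if m:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            if lo <= VNC_BASE + 99 and hi >= VNC_BASE:
                return True
    return False

def audit_rules(rules_text: str) -> list:
    """Flag DNAT rules whose SOURCE is a bare zone (no ':address' qualifier), i.e. the
    forward is reachable from every host in that zone. Shorewall 1.x rules columns are
    ACTION SOURCE DEST PROTO DEST_PORT [SRC_PORT] [ORIG_DEST]; returns a list of
    (line_number, source_zone, dest, vnc_involved) tuples."""
    findings = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 4 or cols[0].upper() != "DNAT":
            continue
        zone, _, qualifier = cols[1].partition(":")
        if qualifier:  # e.g. net:203.0.113.5 limits the rule to one address
            continue
        vnc = any(mentions_vnc_port(f) for f in cols[3:])  # any port column naming 5900-5999
        findings.append((lineno, zone, cols[2], vnc))
    return findings

# Constructed sample rules file (not from the thread); 203.0.113.5 is a placeholder address.
SAMPLE_RULES = """\
# ACTION  SOURCE            DEST              PROTO  DEST_PORT
DNAT      net               loc:192.168.2.2   tcp    5900   # open to every host on net
DNAT      net:203.0.113.5   loc:192.168.2.2   tcp    5901   # restricted to one address
ACCEPT    net               fw                tcp    ssh    # ssh into the firewall
ACCEPT    fw                loc:192.168.2.2   tcp    5900   # needed for ssh forwarding
"""

if __name__ == "__main__":
    for lineno, zone, dest, vnc in audit_rules(SAMPLE_RULES):
        print(f"line {lineno}: DNAT from bare zone '{zone}' to {dest}" + (" (VNC port)" if vnc else ""))
```

Only the first DNAT line is reported; the second carries a source address and the ACCEPT rules do not forward anything.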
Right, I'm just assuming he's using display :0 since that's all he specified ;-)

On Tue, 15 Apr 2003 07:44:13 -0700 (PDT) Tom Eastep <teastep@shorewall.net> opened up to us and said:
> [...]

-- 
Paul Slinski
Thanks Paul for the clarification. :) I'll try it tomorrow when I'm at work. :)

Jayel
On Tue, Apr 15, 2003 at 06:03:15PM +0900, Jayel Villamin wrote:
> [...]

Your Mandrake box is what you're connecting to via PuTTY? PuTTY will have nothing to do with the connection. A VNC viewer is needed to connect to a VNC server.

On Shorewall you need to set up a DNAT rule to the host running the VNC server and make sure the host running the VNC server has its default GW set to the server running Shorewall. Then you'll connect the viewer to the port DNAT'd on the Mandrake box.

You may also find this interesting: http://freshmeat.net/projects/vnc-reflector/?topic_id=71%2C253

Cheers,
Eric.
Your post has been classified as Spam:

    X-Spam-Status: Yes, hits=6.9 tagged_above=0.0 required=6.8 tests=ASCII_FORM_ENTRY, HTML_00_10, HTML_FONT_COLOR_NAME, HTML_MESSAGE, RCVD_FAKE_HELO_DOTCOM_2, RCVD_IN_RFCI

Please post in plain text -- this is explained at http://www.shorewall.net/support.htm.

-Tom
I just tried Paul's suggestion. I have the following rules:

    ACCEPT net fw tcp ssh
    ACCEPT fw loc:192.168.1.2 tcp 5900

I have set up PuTTY according to the various PuTTY/VNC guides I found on Google. When I tried to connect using VNC with the host set to "localhost:0", I don't get anything. vncviewer just suddenly quits. I checked the task manager in Windows and it's not listed. I know how to VNC to other Windows PCs here at work and it works.

Any ideas?

Thanks

-----------------------------------------
Message: 11
Date: Tue, 15 Apr 2003 10:34:36 -0400
From: Paul Slinski
Subject: Re: [Shorewall-users] VNC question
To: shorewall-users@lists.shorewall.net
Message-ID: <20030415103436.6d7b973e.pauls@globaliqx.com>
Content-Type: text/plain; charset=US-ASCII

[...]