Re: Using iptables to forward vnc SOLVED-ish


 



Brad Smith wrote:

On Thu, 16 Sep 2004 08:41:34 -0400, Christopher K. Johnson
<ckjohnson@xxxxxxx> wrote:


Brad Smith wrote:



The packets hit PREROUTING and FORWARD, but not INPUT or OUTPUT, as expected.
All chains on the gateway ACCEPT by default
The firewall on the client and vnc server is down




With iptables, forwarded packets would not hit the INPUT or OUTPUT
chains. That was only true of ipchains.



I should have phrased that better. I meant that I didn't expect the packets to hit INPUT or OUTPUT and they didn't. =:)



Given Kenneth's observation about interfaces I would double-check the
address in the nat rule, and I would verify that the interface
connecting to the vnc server is correctly addressed and masked to
include that address. My guess is that one of those is wrong and the gw
is trying to deliver the nat'd packets via its default gateway.



Well, here's an interesting development. It turns out that everything works fine if the client is on the other side of the gateway from the server. It's only connections between two internal machines that break and I think I just figured out why.

Iptables is actually doing its job perfectly: when the client sends a
request to the server it is forwarded to the vnc server. The vnc
server receives the vnc client's SYN packet and responds with a
SYN/ACK. But the client is expecting a response from the gateway, not
the vnc server and so responds with an RST instead of an ACK. Repeat
ad infinitum.

So basically, for this to work we'd need to do both DNAT for the
redirection and SNAT to keep the response from confusing the client.
As far as I know there's no way to do that with a single rule but,
just out of curiosity, I'd love to hear if anyone has ideas.


I have two ideas.
Since both systems are on the inside (on the same network) they should not involve the gateway in the process at all.


Based on your description of what is occurring the client is attempting to reach the public address of the vnc server, not the private address. You need to modify your private dns server entry, or if you do not have one, well that should really be fixed by creating one. Having a split dns configuration is one of the things that makes public/private access to servers much smoother. And it allows you to make hosts on the private network aware of all the other private servers that are not known publicly.

Chris

--
-----------------------------------------------------------
  "Spend less!  Do more!  Go Open Source..." -- Dirigo.net
  Chris Johnson, RHCE #807000448202021
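To see Brad's diagnosis and both fixes side by side, here is an added simulation (not from anyone in the thread) of the TCP handshake through the gateway: DNAT alone (the RST loop), DNAT plus SNAT on the hairpin path, and the split-DNS case where the client reaches the private address directly. The addresses, port 5900 and the iptables rules quoted in the comments are constructed assumptions, not the poster's configuration.

```python
# Constructed simulation of the hairpin-NAT failure described in the thread.
# Addresses are made up; the iptables rules in comments are the equivalents.
from dataclasses import dataclass

CLIENT, SERVER, GW_LAN, GW_PUBLIC = "10.0.0.20", "10.0.0.10", "10.0.0.1", "203.0.113.5"
LAN_PREFIX = "10.0.0."

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: str  # "SYN", "SYN/ACK", "ACK" or "RST"

class Gateway:
    """nat table: DNAT in PREROUTING, optional SNAT in POSTROUTING, conntrack for replies."""

    def __init__(self, snat_hairpin: bool):
        self.snat_hairpin = snat_hairpin
        self.conntrack = {}  # reply-direction (src, dst) -> original (src, dst)

    def forward_new(self, pkt: Packet) -> Packet:
        # iptables -t nat -A PREROUTING -d 203.0.113.5 -p tcp --dport 5900 \
        #   -j DNAT --to-destination 10.0.0.10
        dst = SERVER if pkt.dst == GW_PUBLIC else pkt.dst
        # Hairpin fix only: iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.10 \
        #   -p tcp --dport 5900 -j SNAT --to-source 10.0.0.1
        src = GW_LAN if self.snat_hairpin and pkt.src.startswith(LAN_PREFIX) else pkt.src
        self.conntrack[(dst, src)] = (pkt.src, pkt.dst)
        return Packet(src, dst, pkt.flags)

    def forward_reply(self, pkt: Packet) -> Packet:
        # conntrack undoes both translations on the return path
        orig_src, orig_dst = self.conntrack[(pkt.src, pkt.dst)]
        return Packet(orig_dst, orig_src, pkt.flags)

def vnc_handshake(snat_hairpin: bool, target: str = GW_PUBLIC) -> str:
    """Return the client's answer to the server's SYN/ACK: "ACK" or "RST"."""
    gw = Gateway(snat_hairpin)
    syn = Packet(CLIENT, target, "SYN")
    if syn.dst.startswith(LAN_PREFIX):
        seen = syn                  # split DNS: same-LAN delivery, gateway never involved
    else:
        seen = gw.forward_new(syn)  # what the VNC server actually receives
    synack = Packet(SERVER, seen.src, "SYN/ACK")  # server answers the source it saw
    if synack.dst == GW_LAN:        # only the SNAT variant sends the reply via the gateway
        synack = gw.forward_reply(synack)
    # The client only accepts a SYN/ACK from the address it sent its SYN to.
    return "ACK" if synack.src == syn.dst else "RST"
```

Without SNAT the server's SYN/ACK arrives straight from the private address and the client answers RST, exactly the loop Brad describes; with SNAT the reply is routed back through the gateway and un-NATed, and with split DNS the gateway is never involved.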


