Using iptables to forward vnc SOLVED-ish

Michael Hart mixstat at bigpond.net.au
Thu Sep 16 23:43:48 UTC 2004



Brad Smith wrote:
> On Thu, 16 Sep 2004 08:41:34 -0400, Christopher K. Johnson
> <ckjohnson at gwi.net> wrote:
> 
>>Brad Smith wrote:
>>
>>
>>>The packets hit PREROUTING and FORWARD, but not INPUT or OUTPUT, as expected.
>>>All chains on the gateway ACCEPT by default
>>>The firewall on the client and vnc server is down
>>>
>>>
>>
>>With iptables forwarded packets would not hit the INPUT or OUTPUT
>>chains.  That was only true of ipchains.
> 
> 
> I should have phrased that better. I meant that I didn't expect the
> packets to hit INPUT or OUTPUT and they didn't. =:)
>  
> 
>>Given Kenneth's observation about interfaces I would double-check the
>>address in the nat rule, and I would verify that the interface
>>connecting to the vnc server is correctly addressed and masked to
>>include that address.  My guess is that one of those is wrong and the gw
>>is trying to deliver the nat'd packets via its default gateway.
> 
> 
> Well, here's an interesting development. It turns out that everything
> works fine if the client is on the other side of the gateway from the
> server. It's only connections between two internal machines that break
> and I think I just figured out why.
> 
> Iptables is actually doing its job perfectly: when the client sends a
> request to the server it is forwarded to the vnc server. The vnc
> server receives the vnc client's SYN packet and responds with a
> SYN/ACK. But the client is expecting a response from the gateway, not
> the vnc server and so responds with an RST instead of an ACK. Repeat
> ad infinitum.
> 
> So basically, for this to work we'd need to do both DNAT for the
> redirection and SNAT to keep the response from confusing the client.
> As far as I know there's no way to do that with a single rule but,
> just out of curiosity, I'd love to hear if anyone has ideas.

How is any internet connection working through the gateway without SNAT 
or MASQUERADE?  I thought this was required for all protocols?

Basically any connection going out from an internal machine would have 
to be SNATed to your real internet address so the box at the other end 
knows the right internet (not lan) source IP to send responses to.
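The failure Brad describes (server's SYN/ACK reaching the client directly, which answers with RST) and the DNAT-plus-SNAT fix, as an added model that is not code from the thread; addresses, port and the conntrack behaviour are constructed, and the iptables rules in the comments are the generic form of what the thread discusses.

```python
"""Model of the hairpin-NAT problem discussed in the thread (constructed example).
Made-up addresses: gateway 192.168.1.1, VNC server 192.168.1.10 and client
192.168.1.20 all sit on one LAN; VNC listens on port 5900."""
from collections import namedtuple

GW, SERVER, CLIENT, PORT = "192.168.1.1", "192.168.1.10", "192.168.1.20", 5900

Packet = namedtuple("Packet", "src sport dst dport flags")


def gateway_nat(pkt, conntrack, snat):
    """Apply the gateway's nat table to one packet and record the mapping.

    Models these rules (addresses are placeholders):
      iptables -t nat -A PREROUTING -d GW -p tcp --dport 5900 -j DNAT --to SERVER
    and, only when snat is True:
      iptables -t nat -A POSTROUTING -d SERVER -p tcp --dport 5900 -j SNAT --to GW
    """
    if pkt.dst == GW and pkt.dport == PORT:          # PREROUTING: DNAT
        new_src = GW if snat else pkt.src            # POSTROUTING: SNAT
        # conntrack keeps the original tuple so replies can be untranslated
        conntrack[(SERVER, PORT, new_src, pkt.sport)] = pkt
        return pkt._replace(src=new_src, dst=SERVER)
    key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if key in conntrack:                             # reply to a NATed flow
        orig = conntrack[key]
        return pkt._replace(src=orig.dst, dst=orig.src)
    return pkt                                       # not NATed at all


def vnc_handshake(snat):
    """SYN -> SYN/ACK -> client's answer; returns 'ACK' or 'RST'."""
    conntrack = {}
    syn = Packet(CLIENT, 40000, GW, PORT, "SYN")
    at_server = gateway_nat(syn, conntrack, snat)
    # the server answers whatever source address it saw on the SYN
    reply = Packet(SERVER, PORT, at_server.src, at_server.sport, "SYN/ACK")
    # on a flat LAN the reply only passes the gateway if addressed to it;
    # without SNAT it goes straight to the client and bypasses conntrack
    if reply.dst == GW:
        reply = gateway_nat(reply, conntrack, snat)
    # the client accepts a SYN/ACK only from the peer it connected to, GW:5900
    return "ACK" if (reply.src, reply.sport) == (GW, PORT) else "RST"


if __name__ == "__main__":
    print("DNAT only :", vnc_handshake(snat=False))   # RST
    print("DNAT+SNAT :", vnc_handshake(snat=True))    # ACK
```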
