[Shorewall-newbies] DNAT problems

Tom Eastep teastep at shorewall.net
Thu Feb 5 15:58:16 PST 2004


On Thursday 05 February 2004 02:59 pm, Tim Meadows wrote:
> Tom Eastep <teastep at shorewall.net> writes:
> >Odd then that the RealVNC FAQ includes this
> >(http://www.realvnc.com/faq.html#port):
> >
> >"Can I make the VNC server listen on a different port number rather than
> >5900?"
> >
> >Sounds like you've succeeded...
>
> I only succeeded from INTERNAL.  I cannot get it to connect from the
> outside.
> Also, I tried adding the 5400 to the rules as Dark Ryder said, it didn't
> work either.

Ok. I've done a bit of experimenting here and have now caught up with what you 
are trying to do. I haven't used the viewer in listening mode before.

The VNC server listens on ports 5800 and 5900 (display 0). The VNC Viewer in 
Listen mode listens on ports 5400 and 5500.

If I attach the listening viewer from my server, I see only a single TCP 
connection on port 5500 (sorry for the folding):

[root at ursa init.d]# netstat -tnap | fgrep 192.168.1.7
tcp        0      0 192.168.1.5:5500        192.168.1.7:4854        ESTABLISHED 3923/vncviewer
[root at ursa init.d]#

192.168.1.7 is the IP address of the server. 192.168.1.5 is the local IP 
address where the vncviewer is running.

As far as Shorewall is concerned, it looks like you are doing everything 
correctly with your single DNAT rule. That rule should support a vncviewer in 
listening mode running on 10.10.10.193 with VNC servers in the "net" zone 
connecting to that viewer.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
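The check Tom describes above, done by hand with netstat, can be scripted: parse the Shorewall rules fragment and a netstat listing, and report which ports the listening viewer actually has connections on that no DNAT rule to the viewer's host forwards. This is an added example, not code from Tom's message or from Shorewall itself; the rules fragment, the netstat sample (including the LISTEN lines on 5400 and 5500, which Tom's fgrep would have filtered out) and the internal host 10.10.10.193 are constructed from the thread, and the column layout assumed for the rules file is the ACTION/SOURCE/DEST/PROTO/DEST PORT(S) format of the Shorewall `rules` file of that era.

```python
"""Cross-check a Shorewall DNAT rule against a vncviewer in listening mode.

Added example (not from the thread or from Shorewall). All sample data below is
constructed: the rules fragment forwards TCP 5500 from the "net" zone to the
hypothetical internal host 10.10.10.193, and the netstat listing mirrors what
Tom saw (one ESTABLISHED connection on 5500) plus the two LISTEN sockets.
"""

# Constructed Shorewall 'rules' fragment (columns: ACTION SOURCE DEST PROTO DEST PORT(S)).
RULES = """\
#ACTION  SOURCE  DEST              PROTO  DEST PORT(S)
DNAT     net     loc:10.10.10.193  tcp    5500
"""

# Constructed 'netstat -tnap' output for a listening viewer (PID and addresses invented).
NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5400            0.0.0.0:*               LISTEN      3923/vncviewer
tcp        0      0 0.0.0.0:5500            0.0.0.0:*               LISTEN      3923/vncviewer
tcp        0      0 192.168.1.5:5500        192.168.1.7:4854        ESTABLISHED 3923/vncviewer
"""


def expand_ports(spec):
    """Expand a Shorewall port spec such as '5500' or '5400,5500' or '5400:5500'."""
    ports = set()
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(part))
    return ports


def parse_rules(text):
    """Yield (action, source, dest, proto, ports) for each non-comment rules line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue  # rules without a port column are not relevant here
        action, source, dest, proto, ports = fields[:5]
        rules.append((action.upper(), source, dest, proto.lower(), expand_ports(ports)))
    return rules


def forwarded_ports(rules_text, internal_host):
    """TCP ports that some DNAT rule forwards to internal_host (DEST is zone:ip[:port])."""
    forwarded = set()
    for action, _source, dest, proto, ports in parse_rules(rules_text):
        parts = dest.split(":")
        host = parts[1] if len(parts) > 1 else None
        if action == "DNAT" and proto == "tcp" and host == internal_host:
            forwarded |= ports
    return forwarded


def parse_netstat(text, program="vncviewer"):
    """Return (listening_ports, established) for sockets owned by the given program."""
    listening = set()
    established = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[0] != "tcp" or not fields[6].endswith("/" + program):
            continue
        local_ip, local_port = fields[3].rsplit(":", 1)
        state = fields[5]
        if state == "LISTEN":
            listening.add(int(local_port))
        elif state == "ESTABLISHED":
            remote_ip, remote_port = fields[4].rsplit(":", 1)
            established.append((local_ip, int(local_port), remote_ip, int(remote_port)))
    return listening, established


def unforwarded_ports_in_use(rules_text, netstat_text, internal_host):
    """Ports with live viewer connections that no DNAT rule to internal_host covers."""
    used = {port for _, port, _, _ in parse_netstat(netstat_text)[1]}
    return used - forwarded_ports(rules_text, internal_host)


if __name__ == "__main__":
    listening, established = parse_netstat(NETSTAT)
    print("viewer listens on:", sorted(listening))
    print("established:", established)
    print("forwarded by DNAT:", sorted(forwarded_ports(RULES, "10.10.10.193")))
    print("in use but not forwarded:", unforwarded_ports_in_use(RULES, NETSTAT, "10.10.10.193"))
```

With the constructed data the viewer listens on 5400 and 5500 but only 5500 carries a connection, and the single DNAT rule for 5500 leaves nothing in use unforwarded, which is the conclusion Tom reaches above. Run it against real `netstat -tnap` output and your own `rules` file to see whether an unexpected port is in play.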
