Iptables Open VNC Port To Allow Incoming VNC Connections

July 30, 2009 · 8 comments · LAST UPDATED July 30, 2009


How do I configure Linux system firewall to allow incoming VNC connections?

VNC server listens on the following TCP ports:

=> VNC server on display 0 will listen on TCP ports 5800, 5900 and 6000
=> VNC server on display 1 will listen on TCP ports 5801, 5901 and 6001
=> VNC server on display N will listen on TCP ports 5800+N, 5900+N and 6000+N

In other words, a VNC server listens for a VNC client on TCP ports 5800+N, 5900+N and 6000+N, where N is the display number and starts at zero. So:

  • 5800+N - HTTP port that serves the Java-based vncviewer;
  • 5900+N - VNC (RFB) client port;
  • 6000+N - X server port for display N.

Find Out VNC Port

Type the following command:
# netstat -tulp | grep vnc

Update /etc/sysconfig/iptables

Edit /etc/sysconfig/iptables file:
# vi /etc/sysconfig/iptables
Update it as follows:

# Open VNC for USER1
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5800  -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900  -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6000  -j ACCEPT
# Open VNC for USER2
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5801  -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901  -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6001  -j ACCEPT

Save and close the file. Restart iptables:
# service iptables restart

A Note About Other Linux Distributions

/etc/sysconfig/iptables exists only on RHEL / CentOS / Fedora Linux. On other distros add the same rules to your iptables shell script as follows ($IPT is a variable holding the path to the iptables command; the rules below open display 1):

$IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 5801  -j ACCEPT
$IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901  -j ACCEPT
$IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 6001  -j ACCEPT
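The following script is an added example and is not code from the original article. It ties the three steps above together: it computes the ports of display N (5800+N, 5900+N, 6000+N), recovers the displays that are actually listening from the output of netstat -tulp | grep vnc, and emits the iptables rules for them. Two things go beyond the article's rules and are choices of this example: each rule carries -s so that only one client network (the constructed 192.0.2.0/24) can reach the VNC ports, and rules are inserted with -I rather than appended with -A, so they land at the head of the chain instead of below a final REJECT rule. The names IPT, CHAIN, vnc_ports, vnc_displays, vnc_rules and sample_netstat are this example's own; IPT defaults to echo so the script is a dry run until you set IPT=/sbin/iptables (and CHAIN=RH-Firewall-1-INPUT on older RHEL).

```shell
#!/bin/sh
# Added example (not from the original article): work out the TCP ports a VNC
# display uses, recover the listening displays from "netstat -tulp" output,
# and emit iptables rules for them. Assumptions: IPT names the iptables binary
# (defaults to "echo", i.e. a dry run), CHAIN is the input chain, and the
# first argument of vnc_rules is the only client network allowed in.

IPT="${IPT:-echo}"
CHAIN="${CHAIN:-INPUT}"

# vnc_ports N -> the three ports of display N: 5800+N 5900+N 6000+N
vnc_ports() {
    printf '%d %d %d\n' $((5800 + $1)) $((5900 + $1)) $((6000 + $1))
}

# vnc_displays < netstat-output -> display numbers, one per line, taken from
# the RFB listener (port 59xx) of each Xvnc process; the 58xx and 60xx lines
# are ignored so that every display is reported exactly once.
vnc_displays() {
    awk '$1 ~ /^tcp/ && $NF ~ /Xvnc/ {
            addr = $4; sub(/.*:/, "", addr); port = addr + 0
            if (port >= 5900 && port < 6000) print port - 5900
        }' | sort -n | uniq
}

# vnc_rules SRC N... -> one iptables command per port of each display; -I
# inserts at the head of the chain, so the rule cannot end up below a
# catch-all REJECT, and -s limits the rule to the given client network.
vnc_rules() {
    src="$1"; shift
    for n in "$@"; do
        for port in $(vnc_ports "$n"); do
            $IPT -I "$CHAIN" -s "$src" -m state --state NEW \
                -m tcp -p tcp --dport "$port" -j ACCEPT
        done
    done
}

# Constructed sample of "netstat -tulp | grep vnc" output (not captured from
# a real host), in the column layout netstat prints.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 *:5901        *:*        LISTEN      25915/Xvnc
tcp        0      0 *:5902        *:*        LISTEN      25964/Xvnc
tcp        0      0 *:6001        *:*        LISTEN      25915/Xvnc
tcp        0      0 *:6002        *:*        LISTEN      25964/Xvnc
EOF
}

# Dry run: rules for every display found in the sample, for one client subnet.
vnc_rules 192.0.2.0/24 $(sample_netstat | vnc_displays)
```

On a live host replace sample_netstat with `netstat -tulp | grep vnc`, and remember that rules inserted this way are lost on the next `service iptables restart` unless you also add them to /etc/sysconfig/iptables (above the REJECT line) or save them with iptables-save.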


1 JonTheNiceGuy July 30, 2009 at 2:07 pm

Not to be a worry-wart, but VNC is a very insecure protocol, as it transmits your passwords in either cleartext or near-cleartext over whatever route you are taking. I would recommend using NX (whether it’s the free or proprietary version), or just tunnelling VNC over SSH as these are more likely to keep your system secure!

All the best,

JonTheNiceGuy

Reply

2 mysterious_lolita July 31, 2009 at 9:18 am

I used Linux only once, but is it true that the firewall from Linux is much better than the one from Windows?

Reply

3 JonTheNiceGuy July 31, 2009 at 11:50 am

It’s difficult to say that any one firewall product is better than others, because different firewall products are tailored for different purposes, however…

Microsoft Operating Systems expose more services and ports by default than pretty much any other operating system, and those ports and services which are exposed tend to have more exploits that are known about. The standard firewall which is supplied with current versions of the Microsoft operating system is tied quite closely to the OS, and as a result seems to be less cautious about what traffic it will let through.

Most Linux, Unix and Mac systems will tend to ship with no or few services enabled, so you have to explicitly start those services up in order to make your system more vulnerable.

All of this aside, there is no such thing as a completely secure computer, what you are doing is reducing your attack surface. Making sure that well known ports and services are not available (either by not enabling them, changing the port they run on, or preventing access to them with a firewall) or reducing the sources that can reach the machine (with a firewall, using tcp-wrappers), in certain cases running anti-malware and intrusion prevention software, and other such methods all help to keep you as safe as you *can be*. If you expose a vulnerable system, people will attack it eventually. Expose a more secure system, and the lazy attackers will pass you by.

Personally, I prefer Linux based operating systems because the attack surface will tend to be smaller than a Windows OS.

All the best,

JonTheNiceGuy

Reply

4 mysterious_lolita July 31, 2009 at 2:07 pm

Wow, thanks for your answer, you really are a nice guy and you explained it really nicely here. Yes, it is true that computers won’t be completely secure. I had a lot of problems with malware attacking my computer; I used a lot of personal firewalls (ZoneAlarm, Comodo etc.) and also a lot of antivirus software, until some of my friends recommended BitDefender with firewall and internet security integrated. I like it and I have had fewer problems with viruses since then. It also has the anti-phishing feature on it. The firewall from Windows didn’t let me see some applications and blocked me from a lot of stuff that I wanted to see on the Internet, so I disabled it. What can I say, I personally like Windows because I am used to it, XP SP2, with its interface etc., and I worked also on Linux and it’s also ok, but I think that Linux is for more advanced users… this is what I heard.

Reply

5 JonTheNiceGuy July 31, 2009 at 2:49 pm

This probably isn’t a conversation to be had in comments at the bottom of an article about VNC :D Please feel free to drop me an e-mail to jon (at) spriggs dot org dot uk and we can talk things through further.

Reply

6 Ramadas MR October 31, 2009 at 11:42 am

I’m a newbie to Linux using Fedora 11. Please help in configuring Real VNC. I have tried to do it as per what I googled but it’s not working for me..

I installed TigerVNC but it doesn’t create any file vncservers under /etc

so I tried Real VNC where I found that conf file and edited the same..

but not working. Can anyone please help in brief what all to do and what all to check..

Any help appreciated, please do help me..

Regards
Ramadas MR

Reply

7 Santos May 18, 2012 at 3:02 pm

I have made the entries as specified, but when I restart iptables I cannot connect. I can connect when I turn iptables off. I am running RHEL 6.2. Please advise.

output of netstat -tulp | grep vnc

tcp 0 0 *:5901 *:* LISTEN 25915/Xvnc
tcp 0 0 *:5902 *:* LISTEN 25964/Xvnc
tcp 0 0 *:5903 *:* LISTEN 26114/Xvnc
tcp 0 0 *:6001 *:* LISTEN 25915/Xvnc
tcp 0 0 *:6002 *:* LISTEN 25964/Xvnc
tcp 0 0 *:6003 *:* LISTEN 26114/Xvnc
tcp 0 0 *:6001 *:* LISTEN 25915/Xvnc
tcp 0 0 *:6002 *:* LISTEN 25964/Xvnc
tcp 0 0 *:6003 *:* LISTEN 26114/Xvnc

iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
# Open VNC for USER1
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5801 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6001 -j ACCEPT
# Open VNC for USER2
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5802 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5902 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6002 -j ACCEPT
# Open VNC for USER3
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5803 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5903 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6003 -j ACCEPT

Reply

8 HopeImNotLate August 2, 2012 at 12:52 am

@Santos

The iptable rules you appended are after the -j REJECT statement. You should move the VNC iptable rules above the reject line.

Reply
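The ordering mistake discussed in the last two comments (ACCEPT rules appended below the chain's catch-all REJECT, so they are never reached) is easy to check for mechanically. The script below is an added example, not code from the article or any commenter: shadowed_rules reports every -A rule that follows an unconditional REJECT or DROP of the same chain in an iptables-save style file such as /etc/sysconfig/iptables, and reorder_rules rewrites the file so each catch-all rule is moved back to the end of its table while all other rules keep their relative order. The sample_config function is a constructed file in the layout of the comment above, with proper double dashes; the function names and the constructed content are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or comments): find ACCEPT rules
# that were appended below a chain's catch-all REJECT/DROP rule in an
# iptables-save format file, and rewrite the file so every catch-all rule is
# last. Assumes rules are written as "-A CHAIN ..." lines, as
# system-config-firewall and the article's examples do.

# shadowed_rules < FILE -> for each "-A" rule that follows an unconditional
# terminal rule ("-A CHAIN -j REJECT|DROP ...", no match options) of the same
# chain, print its line number, the rule, and the line of the terminal rule.
shadowed_rules() {
    awk '
        /^-A / {
            chain = $2
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) {
                terminal[chain] = NR
                next
            }
            if (chain in terminal)
                printf "%d: %s (never reached: %s rejects at line %d)\n", NR, $0, chain, terminal[chain]
        }'
}

# reorder_rules < FILE -> the same rules, but every unconditional REJECT/DROP
# rule is held back and printed just before COMMIT (or at end of input), so
# it stays last in its chain while every other line keeps its order.
reorder_rules() {
    awk '
        /^-A / && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP") {
            held[++n] = $0; next
        }
        /^COMMIT/ { for (i = 1; i <= n; i++) print held[i]; n = 0 }
        { print }
        END { for (i = 1; i <= n; i++) print held[i] }'
}

# Constructed sample (not a real host's file): the layout from the comment
# above, with two VNC rules appended after the final REJECT.
sample_config() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 6001 -j ACCEPT
COMMIT
EOF
}

# Report the shadowed rules, then print the corrected file.
sample_config | shadowed_rules
sample_config | reorder_rules
```

On a real system run `shadowed_rules < /etc/sysconfig/iptables` before restarting the service; `iptables -L INPUT -n --line-numbers` shows the same ordering for the rules currently loaded.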
