Can't connect to VNC server

19,252

The answer lay in my failure to understand iptables - and particularly what the output from sudo iptables -L meant...

When I instead ran sudo iptables -S, I was presented with a much fuller description of each rule, and it was obvious then that there wasn't a suitable INPUT rule that was allowing tcp traffic on 5901 (or any of the other ports I was looking at) through. Then the final INPUT rule, which was essentially rejecting everything that didn't match a rule, was collecting this traffic and rejecting it. The rule that I thought should have been ACCEPTing the traffic applied only to the lo interface (loopback).

I ran this: sudo iptables -I INPUT 7 -s 192.168.1.0/24 -i enp37s0 -j ACCEPT

That's basically inserting a rule at line 7 of the INPUT chain, and telling it to ACCEPT any traffic from the 192.168.1.0/24 subnet arriving on the ethernet port.

The next challenge is getting iptables-persistent to actually work on reboot!!

Share:
19,252

Related videos on Youtube

Adam-the-Kiwi
Author by

Adam-the-Kiwi

Updated on September 18, 2022

Comments

  • Adam-the-Kiwi
    Adam-the-Kiwi 4 months

    Hoping your collective brain power can assist me...

    tl;dr - Ubuntu server seems to have several ports open none can be seen by the outside (LAN) world - WTF is going on?

    Longer:

    I have a headless 17.04 server to which I'd like to connect using VNC, but I'm struggling at the moment. I'm using two clients - both Windows 10, one using RealVNC, one using TightVNC.

    I've set up TightVNC server on my Ubuntu machine, mostly following the instructions at https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-16-04, intending to run Xfce as a desktop:

    $ sudo apt install xfce4 xfce4-goodies tightvncserver
    

    I've changed the xstartup file to:

    #!/bin/bash
    xrdb $HOME/.Xresources
    startxfce4 &
    

    And granted executable privilege.

    If I start the server using tightvncserver I get:

    New 'X' desktop is numbersix:1
    
    Starting applications specified in /home/adam/.vnc/xstartup
    Log file is /home/adam/.vnc/numbersix:1.log
    

    nmap localhost gives:

    Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-09 21:05 GMT
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.000076s latency).
    Other addresses for localhost (not scanned): ::1
    Not shown: 986 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    53/tcp   open  domain
    80/tcp   open  http
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    631/tcp  open  ipp
    5901/tcp open  vnc-1
    6001/tcp open  X11:1
    8000/tcp open  http-alt
    8001/tcp open  vcom-tunnel
    8010/tcp open  xmpp
    8080/tcp open  http-proxy
    9091/tcp open  xmltec-xmlmail
    

    nmap 192.168.1.6 gives the same result.

    I set the server as a systemd service - created /etc/systemd/system/[email protected] with this content:

    [Unit]
    Description=Start TightVNC server at startup
    After=syslog.target network.target
    
    [Service]
    Type=forking
    User=adam
    PAMName=login
    PIDFile=/home/adam/.vnc/%H:%i.pid
    ExecStartPre=-/usr/bin/vncserver -kill :%i > /dev/null 2>&1
    ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i
    ExecStop=/usr/bin/vncserver -kill :%i
    
    [Install]
    WantedBy=multi-user.target
    

    Then started the service with

    $ sudo systemctl daemon-reload
    $ sudo systemctl enable [email protected]
    $ sudo systemctl start [email protected]
    

    All seems to work. sudo systemctl status [email protected] gives:

    [email protected] - Start TightVNC server at startup
       Loaded: loaded (/etc/systemd/system/[email protected]; enabled; vendor preset: enabled)
       Active: active (running) since Thu 2017-11-09 21:38:13 GMT; 6s ago
      Process: 3924 ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :1 (code=exited, status=0/SUCCESS)
      Process: 3916 ExecStartPre=/usr/bin/vncserver -kill :1 > /dev/null 2>&1 (code=exited, status=2)
     Main PID: 3937 (Xtightvnc)
        Tasks: 0 (limit: 4915)
       CGroup: /system.slice/system-vncserver.slice/[email protected]
               ‣ 3937 Xtightvnc :1 -desktop X -auth /home/adam/.Xauthority -geometry 
    1280x800 -depth 24 -rfbwait 120000 -rfbauth /h
    
    Nov 09 21:38:12 numbersix systemd[1]: Starting Start TightVNC server at startup...
    Nov 09 21:38:12 numbersix systemd[3916]: pam_unix(login:session): session opened for user adam by (uid=0)
    Nov 09 21:38:12 numbersix systemd[3924]: pam_unix(login:session): session opened for user adam by (uid=0)
    Nov 09 21:38:13 numbersix systemd[1]: Started Start TightVNC server at startup.
    

    telnet localhost 5901 seems to connect OK:

    Trying ::1...
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    RFB 003.008
    

    And sudo netstat -nlpt | grep :59 gives:

    tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      3937/Xtightvnc
    

    But, telnet numbersix 5901 and telnet 192.168.1.6 (from Windows) fail with:

    Could not open connection to the host, on port 5901: Connect failed
    

    And neither RealVNC nor TightVNC will connect (using hostname or IP). Ping works on both Windows hosts with IP or hostname. Also couldn't connect from Ubuntu laptop. Again, can ping. I can ssh without issues. sudo nmap numbersix from the Ubuntu laptop gives:

    Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-10 12:50 GMT
    Nmap scan report for numbersix (192.168.1.6)
    Host is up (0.0032s latency).
    Not shown: 997 filtered ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    8000/tcp open  http-alt
    8001/tcp open  vcom-tunnel
    MAC Address: 60:45:CB:64:2B:C8 (Unknown)
    
    Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds
    

    The INPUT, FORWARD and OUTPUT chains from sudo iptables -L on the server are:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    INPUT_direct  all  --  anywhere             anywhere
    INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
    INPUT_ZONES  all  --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere             ctstate INVALID
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  192.168.122.0/24     anywhere
    ACCEPT     all  --  anywhere             anywhere
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
    DOCKER-USER  all  --  anywhere             anywhere
    DOCKER-ISOLATION  all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    DOCKER     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    FORWARD_direct  all  --  anywhere             anywhere
    FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
    FORWARD_IN_ZONES  all  --  anywhere             anywhere
    FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
    FORWARD_OUT_ZONES  all  --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere             ctstate INVALID
    REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
    OUTPUT_direct  all  --  anywhere             anywhere
    

    So I think that suggests that iptables is blocking nothing...

    Can anyone help me diagnose the problem, please?

    • steeldriver
      steeldriver about 5 years
      I think that nmap localhost says open provided the service is listening on the loopback interface - it doesn't tell you that it's listening on the external interface. So what does telnet localhost 5901 say - or, looked at the other way, what does sudo netstat -nlpt | grep :59 show in the Local Address field?
    • steeldriver
      steeldriver about 5 years
      Thanks - the results look fine to me. Are you sure you don't have an outbound rule in your Windows firewall that is blocking the connection? Have you tried telnet from Windows using the IP address? FWIW you're probably going to want to tunnel the connection over SSH anyway if you're using it over a public network, so it may not be worth banging your head against this.
    • Adam-the-Kiwi
      Adam-the-Kiwi about 5 years
      Hi steeldriver - I'll add some more detail to the post, but: - no, not sure, but I can't access it from a xenial laptop either, and that doesn't have anything in iptables; - telnet using the ip address from Windows and xenial all fail with similar errors; - nmap from xenial shows only ports 22, 8000 and 8001 open; - iptables on the server indicate that the ports are open; - for the moment, I'm only looking to access on LAN; - honestly, the issue is less about VNC and more about 'what the foxtrot-uniform-charlie-kilo is going on with my server'! I'm astounded sometimes how little I know.