Can't connect to VNC server

server 17.04 remote-desktop vnc tightvncserver

19,252

The answer lay in my failure to understand iptables - and particularly what the output from sudo iptables -L meant...

When I instead ran sudo iptables -S, I was presented with a much fuller description of each rule, and it was obvious then that there wasn't a suitable INPUT rule that was allowing tcp traffic on 5901 (or any of the other ports I was looking at) through. Then the final INPUT rule, which was essentially rejecting everything that didn't match a rule, was collecting this traffic and rejecting it. The rule that I thought should have been ACCEPTing the traffic applied only to the lo interface (loopback).

I ran this: sudo iptables -I INPUT 7 -s 192.168.1.0/24 -i enp37s0 -j ACCEPT

That's basically inserting a rule at line 7 of the INPUT chain, and telling it to ACCEPT any traffic from the 192.168.1.0/24 subnet arriving on the ethernet port.

The next challenge is getting iptables-persistent to actually work on reboot!!

19,252

Adam-the-Kiwi

Updated on September 18, 2022

Comments

Adam-the-Kiwi over 1 year

Hoping your collective brain power can assist me...

tl;dr - Ubuntu server seems to have several ports open none can be seen by the outside (LAN) world - WTF is going on?

Longer:

I have a headless 17.04 server to which I'd like to connect using VNC, but I'm struggling at the moment. I'm using two clients - both Windows 10, one using RealVNC, one using TightVNC.

I've set up TightVNC server on my Ubuntu machine, mostly following the instructions at https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-16-04, intending to run Xfce as a desktop:

$ sudo apt install xfce4 xfce4-goodies tightvncserver

I've changed the xstartup file to:

#!/bin/bash
xrdb $HOME/.Xresources
startxfce4 &

And granted executable privilege.

If I start the server using tightvncserver I get:

New 'X' desktop is numbersix:1

Starting applications specified in /home/adam/.vnc/xstartup
Log file is /home/adam/.vnc/numbersix:1.log

nmap localhost gives:

Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-09 21:05 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000076s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 986 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
5901/tcp open  vnc-1
6001/tcp open  X11:1
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
8010/tcp open  xmpp
8080/tcp open  http-proxy
9091/tcp open  xmltec-xmlmail

nmap 192.168.1.6 gives the same result.

I set the server as a systemd service - created /etc/systemd/system/[email protected] with this content:

[Unit]
Description=Start TightVNC server at startup
After=syslog.target network.target

[Service]
Type=forking
User=adam
PAMName=login
PIDFile=/home/adam/.vnc/%H:%i.pid
ExecStartPre=-/usr/bin/vncserver -kill :%i > /dev/null 2>&1
ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i
ExecStop=/usr/bin/vncserver -kill :%i

[Install]
WantedBy=multi-user.target

Then started the service with

$ sudo systemctl daemon-reload
$ sudo systemctl enable [email protected]
$ sudo systemctl start vncserver@1

All seems to work. sudo systemctl status vncserver@1 gives:

● [email protected] - Start TightVNC server at startup
   Loaded: loaded (/etc/systemd/system/[email protected]; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2017-11-09 21:38:13 GMT; 6s ago
  Process: 3924 ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :1 (code=exited, status=0/SUCCESS)
  Process: 3916 ExecStartPre=/usr/bin/vncserver -kill :1 > /dev/null 2>&1 (code=exited, status=2)
 Main PID: 3937 (Xtightvnc)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/system-vncserver.slice/[email protected]
           ‣ 3937 Xtightvnc :1 -desktop X -auth /home/adam/.Xauthority -geometry 
1280x800 -depth 24 -rfbwait 120000 -rfbauth /h

Nov 09 21:38:12 numbersix systemd[1]: Starting Start TightVNC server at startup...
Nov 09 21:38:12 numbersix systemd[3916]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:12 numbersix systemd[3924]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:13 numbersix systemd[1]: Started Start TightVNC server at startup.

telnet localhost 5901 seems to connect OK:

Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
RFB 003.008

And sudo netstat -nlpt | grep :59 gives:

tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      3937/Xtightvnc

But, telnet numbersix 5901 and telnet 192.168.1.6 (from Windows) fail with:

Could not open connection to the host, on port 5901: Connect failed

And neither RealVNC nor TightVNC will connect (using hostname or IP). Ping works on both Windows hosts with IP or hostname. Also couldn't connect from Ubuntu laptop. Again, can ping. I can ssh without issues. sudo nmap numbersix from the Ubuntu laptop gives:

Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-10 12:50 GMT
Nmap scan report for numbersix (192.168.1.6)
Host is up (0.0032s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
MAC Address: 60:45:CB:64:2B:C8 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds

The INPUT, FORWARD and OUTPUT chains from sudo iptables -L on the server are:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
OUTPUT_direct  all  --  anywhere             anywhere

So I think that suggests that iptables is blocking nothing...

Can anyone help me diagnose the problem, please?

steeldriver over 6 years

I think that nmap localhost says open provided the service is listening on the loopback interface - it doesn't tell you that it's listening on the external interface. So what does telnet localhost 5901 say - or, looked at the other way, what does sudo netstat -nlpt | grep :59 show in the Local Address field?
steeldriver over 6 years

Thanks - the results look fine to me. Are you sure you don't have an outbound rule in your Windows firewall that is blocking the connection? Have you tried telnet from Windows using the IP address? FWIW you're probably going to want to tunnel the connection over SSH anyway if you're using it over a public network, so it may not be worth banging your head against this.
Adam-the-Kiwi over 6 years

Hi steeldriver - I'll add some more detail to the post, but: - no, not sure, but I can't access it from a xenial laptop either, and that doesn't have anything in iptables; - telnet using the ip address from Windows and xenial all fail with similar errors; - nmap from xenial shows only ports 22, 8000 and 8001 open; - iptables on the server indicate that the ports are open; - for the moment, I'm only looking to access on LAN; - honestly, the issue is less about VNC and more about 'what the foxtrot-uniform-charlie-kilo is going on with my server'! I'm astounded sometimes how little I know.