Note: These instructions do not include VNC over SSH. Comments on improving
this are welcome.

1. Go to System Settings > Server Settings > Services, and put a checkbox
in 'vncserver'.
2. Start your vncserver from a terminal using the following command:

     vncserver :1

   (note: this puts it on port 5901. :0 would set it to port 5900, :2 would
   set it to 5902, :3 to 5903, etc.)

  2a. The first time, it will ask you for a password to connect to the
  desktop. Enter a password (you can always change it later with the terminal
  command 'vncpasswd').

4. Ensure Xvnc is actually running, either by using the 'top' command in a
terminal window to look for a running instance, or by clicking away from
'vncserver' in the Services window and then back on it to see whether it is
shown as running.

5. Double-check which port vnc is actually listening on (it should be 5901
if you gave :1) by entering the following in a terminal window:

     netstat -ln

----------------

Now comes the tricky part. I'm going to assume your machine has iptables set
up somewhere; iptables is what firewalls the system.

6. Check how your iptables are set up with the following terminal command:

    iptables -nvL

If you do not have iptables set up (as in, nothing is returned), you
probably should add iptables: download the latest package and install it.
Ours is set up in the following manner; please note that YOURS MAY BE
DIFFERENT:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 4108  439K RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3409 packets, 377K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
 3084  335K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
  803 67244 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
    1    40 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:7886
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:2401
  220 36934 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

      Note this chain:
    Chain RH-Firewall-1-INPUT (2 references)

We need to insert an ACCEPT for port 5901 to allow 5901 through (our INPUT
into the firewall). We will do this with the following command:

        iptables -I RH-Firewall-1-INPUT -m state --state NEW -p tcp --destination-port 5901 -j ACCEPT

    (If you did not set your vncserver to :1 initially, make sure you use
    the correct --destination-port for your setup, i.e. 5902 for :2)

What this is telling us:
    -I RH-Firewall-1-INPUT = INSERT at the top of the chain RH-Firewall-1-INPUT
        (defaults to the first row).
        -A would append instead, as the last rule in the chain. Chains work
        from top to bottom: a packet goes down the chain only until it finds a
        matching rule, then it follows that rule without ever looking at
        subsequent rules (with a few exceptions).
    -m state = enables connection-tracking matches; not strictly necessary if
        connection tracking is not implemented on your system
    --state NEW = match only packets opening a new connection; see
        'man iptables' for further information
    -p tcp = here we can set either tcp or udp; in this case we want tcp,
        since the incoming VNC packets are tcp
    --destination-port 5901 = what our destination port is (5901 in this
        case)
    -j ACCEPT = 'jump' (target). As per the manual:
              This specifies the target of the rule; i.e., what to do if the
              packet matches it.  The target can be a user-defined chain
              (other than the one this rule is in), one of the special
              built-in targets which decide the fate of the packet
              immediately, or an extension (see EXTENSIONS below).  If this
              option is omitted in a rule, then matching the rule will have
              no effect on the packet's fate, but the counters on the rule
              will be incremented.
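As an added example (not part of the original post, and not a RealVNC or
Red Hat tool), here is a small POSIX shell helper that ties steps 4 to 6
together: it maps a display number to its port, checks 'netstat -ln' output
for a listener on that port, checks 'iptables -nvL' output for an existing
ACCEPT rule in the chain, and only then inserts the rule from step 6, so
running it twice does not stack duplicate rules. The chain name
RH-Firewall-1-INPUT is the one shown above; the netstat and iptables output
embedded below is constructed sample data so the checks can be exercised
without touching a live firewall, and the optional source-subnet argument is
an assumption of mine rather than something the post describes.

```shell
#!/bin/sh
# Added example, not from the original post. Helper checks for steps 4-6.

# Map a VNC display number (:0, :1, :2, ...) to its TCP port: 5900 + N.
vnc_port() {
    echo $((5900 + $1))
}

# Read 'netstat -ln' output on stdin; succeed if a TCP socket is in LISTEN
# state on port $1 (works for both "0.0.0.0:5901" and ":::5901" forms).
port_listening() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $4 ~ (":" p "$") && $NF == "LISTEN" { found = 1 }
        END { exit !found }'
}

# Read 'iptables -nvL' output on stdin; succeed if chain $1 already holds an
# ACCEPT rule for tcp traffic to dpt:$2 (the rule step 6 inserts).
rule_present() {
    awk -v chain="$1" -v port="$2" '
        /^Chain / { inchain = ($2 == chain); next }
        inchain && $3 == "ACCEPT" && $4 == "tcp" && $0 ~ ("dpt:" port "( |$)") { found = 1 }
        END { exit !found }'
}

# Insert the rule from step 6 into chain $1 for port $2, but only if it is
# not there yet. Optional $3 (assumed extension, e.g. 192.168.1.0/24) limits
# the rule to one source subnet instead of the post's 0.0.0.0/0.
# Requires root and a real iptables; not run at top level of this script.
open_vnc_port() {
    chain=$1; port=$2; src=$3
    if iptables -nvL | rule_present "$chain" "$port"; then
        echo "chain $chain already accepts tcp/$port; nothing to do"
        return 0
    fi
    if [ -n "$src" ]; then
        iptables -I "$chain" -s "$src" -m state --state NEW -p tcp --destination-port "$port" -j ACCEPT
    else
        iptables -I "$chain" -m state --state NEW -p tcp --destination-port "$port" -j ACCEPT
    fi
}

# Constructed sample output (not captured from a real host) for an offline run.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6001            0.0.0.0:*               LISTEN'

SAMPLE_IPTABLES='Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    1    40 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
  220 36934 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Walk the checks for display :1 against the sample data.
port=$(vnc_port 1)
if printf '%s\n' "$SAMPLE_NETSTAT" | port_listening "$port"; then
    echo "Xvnc is listening on tcp/$port"
else
    echo "nothing is listening on tcp/$port; recheck steps 2 and 4"
fi
if printf '%s\n' "$SAMPLE_IPTABLES" | rule_present RH-Firewall-1-INPUT "$port"; then
    echo "firewall already accepts tcp/$port"
else
    echo "firewall does not accept tcp/$port yet; as root run: open_vnc_port RH-Firewall-1-INPUT $port"
fi
```

On a live box, replace the sample variables with the real command output
(`netstat -ln | port_listening 5901`, `iptables -nvL | rule_present
RH-Firewall-1-INPUT 5901`) and call `open_vnc_port` as root. Since step 7
only forwards the port at the router when remote access is wanted, the
optional source-subnet argument is a way to keep the LAN-only case LAN-only
at the host as well.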

7. Forward ports 5900-5904 to the VNC Linux server IP address via your
router, but only if you are allowing remote access (i.e. from outside the LAN).

8. Install a viewer on the Windows client, either from www.realvnc.com or
UltraVNC from http://www.ultravnc.com/.

    (In the test case, I used UltraVNC.)

9.  Start up UltraVNC on your Windows machine with the correct IP address of
your Linux box followed by :1.
        192.168.xx.xx:1

10. Choose 'Connect' and enter the password you assigned earlier when
prompted.

11. After a brief delay, you should begin to see your Linux desktop.



One final note:
Once you restart your machine, both the iptables rule and the vncserver
startup will be lost.
Also, a 'service iptables restart' will flush the rule.

To make the vncserver load on bootup:
        1. From a terminal:
                cd /etc/sysconfig/
        2. Edit 'vncservers' with vi or your preferred choice of editor

To make your rule permanent:
        To be continued
_______________________________________________
VNC-List mailing list
VNC-List@realvnc.com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list

Reply via email to