Monday, July 20, 2015

Setting up a local VNC server on Ubuntu 14.04

All of the information below can be found on the web. However, there are also many pages that describe methods that are more complicated than necessary, at least for Ubuntu 14.04. For instance, there is no need to install any new packages to get VNC working since both the server (Vino) and the client (Remmina) are already installed by default.

Configuring and starting the VNC server is done by finding, and clicking on, 'Desktop Sharing' in the Dash.

Clicking on 'Desktop Sharing' yields a window with some configuration options for the vino VNC server.

 
Note that all the security checkboxes have been unchecked. The idea is to make the machine running the VNC server available to every machine on the local area network. All the machines on the LAN are trusted, so there is no need for passwords and the like; with these boxes unchecked, the firewall rules below are the only thing that limits who can connect.

Once this configuration window is closed, the vino server is started. Since there seems to be no service associated with it, the easiest way to stop it -- if needed -- is to issue a 

     pkill vino-server

command. 
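The unchecked boxes above map to keys in vino's gsettings schema (org.gnome.Vino). The following added example, which is not part of the original post, reads the settings in the form that `gsettings list-recursively org.gnome.Vino` prints and reports which safeguards are off, so you can confirm what the dialog actually changed. The key names are the real schema keys; the sample output is constructed, and which key corresponds to which checkbox is this example's own assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Audits vino's sharing settings
# as printed by "gsettings list-recursively org.gnome.Vino" and prints one
# line per safeguard that is switched off.
# Assumption: prompt-enabled, require-encryption, authentication-methods and
# view-only are the keys behind the Desktop Sharing checkboxes.

# Constructed sample in the shape gsettings prints, standing in for the live
# command; it mirrors the post's screenshot with every security box unchecked.
sample_vino_settings() {
    cat <<'EOF'
org.gnome.Vino enabled true
org.gnome.Vino prompt-enabled false
org.gnome.Vino require-encryption false
org.gnome.Vino authentication-methods ['none']
org.gnome.Vino view-only false
org.gnome.Vino network-interface ''
EOF
}

# Read "schema key value" lines from stdin, warn about each disabled
# safeguard, and return 1 if any was found so a script can act on it.
audit_vino_settings() {
    found=0
    while read -r schema key value; do
        case "$key=$value" in
            prompt-enabled=false)
                echo "WARN: connections are accepted without asking the logged-in user"
                found=1 ;;
            require-encryption=false)
                echo "WARN: the VNC session is not encrypted on the wire"
                found=1 ;;
            "authentication-methods=['none']")
                echo "WARN: no password is required to connect"
                found=1 ;;
            view-only=false)
                echo "INFO: remote users can control the desktop, not just view it" ;;
        esac
    done
    return $found
}

# Stand-alone run over the constructed sample. On a live 14.04 machine replace
# sample_vino_settings with: gsettings list-recursively org.gnome.Vino
sample_vino_settings | audit_vino_settings || echo "review the Desktop Sharing settings"
```

With the post's configuration all three WARN lines appear, which is exactly why the iptables rules later in the post matter: nothing else stands between the LAN and the desktop.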

Next we use iptables to insert three "firewall" rules that restrict access to the port used by the VNC server (5900 by default) to machines on the LAN.

sudo iptables -A INPUT --protocol tcp --dport 5900 --source 192.168.1.0/24 -j ACCEPT
sudo iptables -A INPUT --protocol tcp --dport 5900 --source 127.0.0.0/8 -j ACCEPT
sudo iptables -A INPUT --protocol tcp --dport 5900 -j DROP

iptables requires administrative privileges, so each invocation is preceded by sudo. The "-A INPUT" option appends the rule to the INPUT chain, which handles packets addressed to the machine running the VNC server, while "--protocol tcp" and "--dport 5900" restrict the match to TCP packets whose destination port is 5900 (the default port used by the VNC server).

The first rule specifies the target action ACCEPT for packets that, in addition, come from a machine on the local area network. Such machines usually have an address of the form 192.168.0.N or 192.168.1.N, where N is some small number. The argument --source 192.168.1.0/24 uses a 24-bit mask to match every address 192.168.1.N; a LAN that uses 192.168.0.N needs 192.168.0.0/24 instead. In short, packets that originate in the local network and are destined for the VNC server are accepted.

The second rule says that packets from the server machine itself (localhost, i.e. any address in 127.0.0.0/8) are accepted as well.

The third and final rule says that any other packets for the VNC server, i.e. those not already let in by the previous rules, are quietly dropped. This is why the order of the rules matters: iptables checks the rules of a chain in sequence and the first matching rule decides.

To see what rules are currently in use:

prompt> sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  192.168.1.0/24       anywhere             tcp dpt:5900
ACCEPT     tcp  --  127.0.0.0/8          anywhere             tcp dpt:5900
DROP       tcp  --  anywhere             anywhere             tcp dpt:5900

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
prompt>

It is possible to delete rules using a command like

  sudo iptables -D INPUT 3

which would delete the third (DROP) rule in the INPUT chain.
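The three commands above, plus the deletion at the end, can be wrapped in a small script that is safe to re-run. The following is an added example and not the post's own commands: it checks with `iptables -C` before appending so repeated runs do not pile up duplicate rules, validates the subnet first, and deletes rules by their specification rather than by position. The variable and function names (VNC_PORT, LAN_SUBNET, DRY_RUN, vnc_rules, apply_vnc_rules, remove_vnc_rules) are this example's own; by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post: apply or remove the post's three
# iptables rules for the vino VNC port without creating duplicates.
# VNC_PORT, LAN_SUBNET, DRY_RUN and the function names are this example's own.

VNC_PORT="${VNC_PORT:-5900}"                # vino's default listening port
LAN_SUBNET="${LAN_SUBNET:-192.168.1.0/24}"  # change to the subnet the LAN actually uses
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print the commands only, 0 = run them with sudo

# Print the three rule specifications, one per line, in the order they must
# be appended: LAN accept, loopback accept, then the catch-all DROP.
# $1 is the LAN subnet in CIDR form, $2 the TCP port.
vnc_rules() {
    printf '%s\n' \
        "INPUT -p tcp --dport $2 -s $1 -j ACCEPT" \
        "INPUT -p tcp --dport $2 -s 127.0.0.0/8 -j ACCEPT" \
        "INPUT -p tcp --dport $2 -j DROP"
}

# Accept only dotted-quad/prefix CIDR strings (octets 0-255, prefix 0-32), so
# a typo is caught before iptables sees it.
valid_cidr() {
    printf '%s' "$1" |
        grep -Eq '^((25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])/([0-9]|[12][0-9]|3[0-2])$'
}

# Run "iptables -A <rule>" for each rule unless "iptables -C <rule>" reports
# that an identical rule already exists.  Re-running is therefore harmless
# and the rules keep their relative order, which the DROP rule depends on.
apply_vnc_rules() {
    valid_cidr "$LAN_SUBNET" || { echo "bad subnet: $LAN_SUBNET" >&2; return 1; }
    vnc_rules "$LAN_SUBNET" "$VNC_PORT" | while IFS= read -r rule; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "sudo iptables -A $rule"
        elif ! sudo iptables -C $rule 2>/dev/null; then   # word-splitting of $rule is intended
            sudo iptables -A $rule
        fi
    done
}

# Delete by specification rather than by position: "-D INPUT 3" removes
# whatever happens to be third at that moment (numbers shift after every
# deletion), while "-D INPUT <spec>" removes exactly the rule named.
remove_vnc_rules() {
    vnc_rules "$LAN_SUBNET" "$VNC_PORT" | while IFS= read -r rule; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "sudo iptables -D $rule"
        else
            sudo iptables -D $rule 2>/dev/null || true  # an already-absent rule is fine here
        fi
    done
}

# Stand-alone run: with DRY_RUN=1 (the default) this only prints the commands.
apply_vnc_rules
```

Run with DRY_RUN=0 to actually change the firewall, and call remove_vnc_rules instead of apply_vnc_rules to take the rules out again. Note that iptables rules live in kernel memory only and are gone after a reboot; `iptables-save` prints the current rule set so it can be restored later, for instance with `iptables-restore` from a boot-time script.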
