
Iptables Open VNC Port To Allow Incoming VNC Connections

September 8, 2019

How do I configure Linux system firewall to allow incoming VNC connections?

A VNC server (Xvnc) for display N listens on the following TCP ports:

=> VNC server on display 0 will listen on TCP ports 5800, 5900 and 6000

=> VNC server on display 1 will listen on TCP ports 5801, 5901 and 6001
=> VNC server on display N will listen on TCP ports 5800+N, 5900+N and 6000+N

In other words a VNC server listens on TCP ports 5800+N, 5900+N, and 6000+N where N is the display number, which starts at zero. Each port serves a different purpose:

  • 5800+N – HTTP port that serves the Java-based vncviewer applet; only needed for browser-based clients;
  • 5900+N – the RFB (VNC client) port; this is the only port a normal VNC client connects to;
  • 6000+N – the X server port of the Xvnc display, used by X11 clients, not by VNC clients. It does not need to be reachable from the network for VNC to work, and if Xvnc is started with -nolisten tcp it is not open at all.

Find Out VNC Port

Type the following command to see which ports the VNC server is actually listening on (on newer systems that ship ss instead of netstat use ss -tlnp | grep -i vnc):
# netstat -tulp | grep vnc

Update /etc/sysconfig/iptables

Edit /etc/sysconfig/iptables file:
# vi /etc/sysconfig/iptables
Add the rules for each display you want to reach. They must be placed above the chain's final REJECT rule (on a default RHEL / CentOS install that is -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited); rules appended after it are never reached. Open only what you need: 5900+N is all a VNC client requires, 5800+N is required only for the browser-based Java viewer, and 6000+N is the X server port, which VNC clients do not use and which should stay closed unless you specifically want to accept remote X11 connections. The RFB protocol is not encrypted and classic VNC authentication is weak, so also consider restricting the source address with -s (for example -s 192.168.1.0/24), or tunnelling the session over SSH instead of opening the port at all.

# Open VNC for USER1 (display :0)
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5800  -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900  -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6000  -j ACCEPT
# Open VNC for USER2 (display :1)
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5801  -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901  -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 6001  -j ACCEPT


Save and close the file. Restart iptables to load the new rules, then confirm they are active with iptables -L -n and that the VNC port appears before the REJECT line:
# service iptables restart

A Note About Other Linux Distributions

/etc/sysconfig/iptables is only read by the iptables init script on RHEL / CentOS / Fedora Linux. On other distros add the same rules to whatever shell script loads your firewall, making sure they come before any final DROP or REJECT in the INPUT chain. Here $IPT holds the path to the iptables binary and the rules are for display :1 (the same caveat applies: the 6001 line opens the X server, not VNC):

$IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 5801  -j ACCEPT
$IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901  -j ACCEPT
$IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 6001  -j ACCEPT
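The following script is an added example, not part of the original post, that ties the two sections above together: it computes the three ports for a display number and emits the rule lines for either the RHEL-style /etc/sysconfig/iptables file or a $IPT shell script, but in the hardened form a practitioner would actually deploy: the RFB port is accepted only from a trusted source network, the Java viewer port only on request, and the X server port is explicitly dropped. The trusted network 192.0.2.0/24, the chain names and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original post): generate iptables rules for one
# VNC display, restricted to a trusted source network.
#
# Assumptions (hypothetical, adjust for your site):
#   - the trusted client network is 192.0.2.0/24 (a documentation prefix);
#   - the chain is INPUT, or RH-Firewall-1-INPUT for /etc/sysconfig/iptables;
#   - an earlier rule already accepts ESTABLISHED,RELATED traffic, so only
#     NEW connections need to be matched here.

# vnc_ports N: print the three ports of display N as "HTTP RFB X11".
vnc_ports() {
    n="$1"
    echo "$((5800 + n)) $((5900 + n)) $((6000 + n))"
}

# vnc_rules N SRC [CHAIN] [java]
#   Print the rules to add for display N:
#   - the RFB port (5900+N) is accepted from SRC only;
#   - the Java viewer port (5800+N) is accepted from SRC only when the
#     fourth argument is "java";
#   - the X server port (6000+N) is explicitly dropped: VNC clients never
#     use it, and an exposed X server lets anyone attach to the display.
vnc_rules() {
    n="$1"; src="$2"; chain="${3:-INPUT}"; java="${4:-no}"
    case "$n" in
        ''|*[!0-9]*)
            echo "vnc_rules: display must be a non-negative integer" >&2
            return 1 ;;
    esac
    if [ -z "$src" ]; then
        echo "vnc_rules: source network (e.g. 192.0.2.0/24) is required" >&2
        return 1
    fi
    # Positional parameters inside a function are local, so reuse them.
    set -- $(vnc_ports "$n")
    http="$1"; rfb="$2"; x11="$3"

    printf '%s %s -s %s -m state --state NEW -m tcp -p tcp --dport %s -j ACCEPT\n' \
        -A "$chain" "$src" "$rfb"
    if [ "$java" = java ]; then
        printf '%s %s -s %s -m state --state NEW -m tcp -p tcp --dport %s -j ACCEPT\n' \
            -A "$chain" "$src" "$http"
    fi
    printf '%s %s -m tcp -p tcp --dport %s -j DROP\n' -A "$chain" "$x11"
}

# Usage: ./vnc-rules.sh 1 192.0.2.0/24 RH-Firewall-1-INPUT
# Paste the output into /etc/sysconfig/iptables above the final REJECT rule,
# or prefix each line with "$IPT" in a shell-script firewall.
if [ $# -gt 0 ]; then
    vnc_rules "$@"
fi
```

Running it for display :1 with the RHEL chain prints an ACCEPT for 5901 limited to 192.0.2.0/24 followed by a DROP for 6001; add the word java as the fourth argument if browser-based clients need 5801. The explicit DROP on the X port is there so that a later, broader ACCEPT in the chain cannot quietly expose it.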


Posted by: SXI ADMIN
