1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Is it possible to forward a port without exposing it to the internet?

Discussion in 'Networking Issues' started by briwood, Mar 26, 2007.

  1. briwood

    briwood Guest

    I am connecting to a machine on my LAN by with VNC tunnelled through ssh. Here's how I'm dioing this:

    On the remote machine:
    ssh -T -L 5901:me.example.com:5900 -C -N user@me.example.com -f

    Then connect RealVNC to localhost: 1

    This works if I forward BOTH ports 22 and 5900 to the host running sshd/VNCserver. I notice that when use the HyperWRT GUI to forward a port, that port is also opened up to anyone on the internet. I am nervous about leaving 5900 open. It seems like I should only have to expose 22 and not 5900? Assuming I'm right about that, I think this is the key stuff that needs to change in my firewall script:

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    logaccept tcp -- anywhere tcp dpt:5900
    Chain logaccept (7 references)
    target prot opt source destination
    LOG all -- anywhere anywhere state NEW LOG level
    warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
    ACCEPT all -- anywhere anywhere

    I think I need another chain that only accepts from sources on my LAN and that the 5900 forward rule should be associated with this new chain. Am I on the right track here?

    Can anyone suggest some iptables commands to append to do what I want? Or point me at some examples?

    Thanks! I've been enjoying Linksysinfo.org!


Share This Page