Is it possible to forward a port without exposing it to the internet?

Discussion in 'Networking Issues' started by briwood, Mar 26, 2007.

  1. briwood

    briwood Guest

    I am connecting to a machine on my LAN by with VNC tunnelled through ssh. Here's how I'm dioing this:

    On the remote machine:
    ssh -T -L -C -N -f

    Then connect RealVNC to localhost: 1

    This works if I forward BOTH ports 22 and 5900 to the host running sshd/VNCserver. I notice that when use the HyperWRT GUI to forward a port, that port is also opened up to anyone on the internet. I am nervous about leaving 5900 open. It seems like I should only have to expose 22 and not 5900? Assuming I'm right about that, I think this is the key stuff that needs to change in my firewall script:

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    logaccept tcp -- anywhere tcp dpt:5900
    Chain logaccept (7 references)
    target prot opt source destination
    LOG all -- anywhere anywhere state NEW LOG level
    warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
    ACCEPT all -- anywhere anywhere

    I think I need another chain that only accepts from sources on my LAN and that the 5900 forward rule should be associated with this new chain. Am I on the right track here?

    Can anyone suggest some iptables commands to append to do what I want? Or point me at some examples?

    Thanks! I've been enjoying!

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice