Enable VNC Server on Red Hat Enterprise Linux with iptables firewall enabled

I. Enable VNC on Red Hat Enterprise Linux (with iptables firewall)

  • Note: These instructions do not include VNC over SSH. Comments on improving this are welcome.
  1. Go to System Settings > Server Settings > Services, and tick the checkbox next to 'vncserver'.
  2. Start your vncserver from a terminal using the following command: 'vncserver :1'
    • Note: this puts it on port 5901. :0 would set it to port 5900, :2 would set it to 5902, :3 to 5903, etc.
    • The first time, it will ask you for a password to connect to the desktop. Enter a password (you can always change it later with the terminal command 'vncpasswd').
    • Ensure Xvnc is actually running, either by using the 'top' command in a terminal window to look for a running instance, or by clicking away from 'vncserver' in the Services window and then back on it to see if it is shown as running.
  • Check which port VNC is listening on (it should be 5901 if you used :1) by running the following in a terminal window: 'netstat -ln'

II. Setup firewall to allow VNC

  • Now comes the tricky part. I'm going to assume your machine already has iptables set up; iptables is what firewalls the system.
  • Check how your iptables rules are set up with the following terminal command: 'iptables -nvL'
  • If you do not have iptables set up (as in, nothing is returned), you probably should add iptables: download the latest package and install it. Ours is set up in the following manner; please note that YOURS MAY BE DIFFERENT:
  • We need to insert an ACCEPT rule for port 5901 so that connections to 5901 are allowed through (our INPUT into the firewall). We will do this with the following command:
iptables -I RH-Firewall-1-INPUT -m state --state NEW -p tcp --destination-port 5901 -j ACCEPT
  • (If you did not set your vncserver to :1 initially, make sure you use the correct destination-port for your setup, i.e. 5902 for :2.)
    • What this is telling us:
      • -I RH-Firewall-1-INPUT = INSERT into the chain RH-Firewall-1-INPUT (defaults to position 1, the top of the chain).
      • -A would add the rule too, but as the last rule in the chain. Chains are evaluated from top to bottom: a packet goes down the chain only until it finds a matching rule, then it follows that rule without ever looking at subsequent rules (with a few exceptions).
      • -m state = loads the state match for connection tracking; not strictly necessary if connection tracking is not in use on your system.
      • --state NEW = match only packets that open a new connection; see 'man iptables' for further information on this.
      • -p tcp = here we can set either tcp or udp; in this case we want tcp, since VNC connections arrive over TCP.
      • --destination-port 5901 = what our destination port is (5901 in this case).
      • -j ACCEPT = 'jump' (target). As per the manual: "This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special built-in targets which decide the fate of the packet immediately, or an extension (see EXTENSIONS below). If this option is omitted in a rule, then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented."
  • Forward ports 5900-5904 to the VNC Linux server's IP address on your router only if you are allowing remote access (i.e. from outside the LAN).
  • Install a viewer on the Windows client, either RealVNC from www.realvnc.com or UltraVNC from http://www.ultravnc.com/.
  • Start up UltraVNC on your Windows machine with the correct IP address/hostname of your Linux box followed by :1.
    • vncserverhost:1
  • Choose 'Connect' and enter the password you assigned earlier when prompted.
  • After a brief delay, you should begin to see your Linux desktop.
  • One final note: once you restart your machine, both the iptables rule and the running vncserver will be lost. Also, a 'service iptables restart' will flush the rule. To make the vncserver load on bootup:
    • From a terminal: cd /etc/sysconfig/
    • Edit 'vncservers' with vi or your preferred editor
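The steps above (pick a display, confirm the port with 'netstat -ln', build the iptables rule for that port) tied together in one script. This is an added example, not from the original page: it reuses the page's chain name RH-Firewall-1-INPUT and its 5900+N port mapping, but the 'netstat -ln' sample is constructed, the optional source-subnet restriction (-s) is an addition so the ACCEPT can be limited to the LAN rather than every address, and the script only prints the rule for review instead of changing the live firewall.

```shell
#!/bin/sh
# Added example (not from the original page). Derive the VNC port from the
# display number, check 'netstat -ln' output for a listener on that port,
# and build the iptables rule from the page. Nothing here modifies the
# running firewall; the rule is printed so it can be reviewed before use.

# Display :N listens on TCP port 5900+N. Accepts ':1' or '1'.
vnc_port_for_display() {
    display="${1#:}"
    case "$display" in
        ''|*[!0-9]*) echo "bad display number: '$1'" >&2; return 1 ;;
    esac
    echo $((5900 + display))
}

# Read 'netstat -ln' output on stdin; succeed if a TCP LISTEN socket is
# bound to the given port (IPv4 '0.0.0.0:5901' or IPv6 ':::5901' forms).
port_is_listening() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")        # port is the last ':'-separated field
            if (a[n] == p) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Build the rule the page uses. 'insert' is -I (top of chain, evaluated
# before the chain's final reject), 'append' is -A (bottom of chain). The
# optional source CIDR is an addition to the page's rule: it limits which
# hosts may open a VNC connection instead of accepting from everywhere.
vnc_iptables_rule() {
    port="$1"; mode="${2:-insert}"; src="$3"
    case "$mode" in
        insert) flag="-I" ;;
        append) flag="-A" ;;
        *) echo "bad mode: '$mode' (use insert or append)" >&2; return 1 ;;
    esac
    rule="iptables $flag RH-Firewall-1-INPUT -m state --state NEW -p tcp"
    if [ -n "$src" ]; then
        rule="$rule -s $src"
    fi
    echo "$rule --destination-port $port -j ACCEPT"
}

# Constructed sample of 'netstat -ln' output (not captured from a real host):
# Xvnc on display :1 listening on 5901 plus its HTTP viewer port on 5801.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:5901                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 :::5801                     :::*                        LISTEN
udp        0      0 0.0.0.0:68                  0.0.0.0:*'

# Usage: sh vnc-rule.sh [:N] [lan-cidr]   (defaults: display :1, no -s limit)
DISPLAY_ARG="${1:-:1}"
LAN_CIDR="$2"
PORT=$(vnc_port_for_display "$DISPLAY_ARG")
if printf '%s\n' "$SAMPLE_NETSTAT" | port_is_listening "$PORT"; then
    echo "Xvnc is listening on TCP $PORT for display $DISPLAY_ARG"
else
    echo "nothing listening on TCP $PORT; run 'vncserver $DISPLAY_ARG' first" >&2
fi
echo "Rule to review, then run as root:"
vnc_iptables_rule "$PORT" insert "$LAN_CIDR"
```

On a live host, replace SAMPLE_NETSTAT with the real 'netstat -ln' output before trusting the listener check. Once the printed rule has been applied and tested, 'service iptables save' writes the running rules to /etc/sysconfig/iptables so they survive the 'service iptables restart' and reboot cases the page warns about.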
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License