Port Forwarding on a Router Machine Running SUSE 10.0
Novell Cool Solutions: Feature
By Scott M. Morris
Posted: 13 Jan 2006
- SUSE Linux 10.0
SUSE Linux is really cool. It's stable, solid, and often "Just Works"™. SUSE is great at autodetection of hardware. It makes a great distro for beginners, and it's also excellent for advanced users. Beginners can use it easily because of its wizard-like YaST modules. That's one thing that makes it very easy to administer the firewall on your SUSE 10 machine.
This article is intended as a follow-up to my article entitled HOW-TO: Set Up a SUSE 10 Machine As a Router. The basic premise of that article is how to share one Internet connection through a SUSE 10 machine to an internal network of other machines.
Well, what if I have a server running on a computer inside my network which I need to access from outside the network? Every computer behind the router machine is completely invisible to me. So, how would I access that machine? For example, if you have a VNC server on one of those internal machines, how would we make it visible from the Internet? To take it further, if you have any kind of server that resides inside of the network, how do you make that server visible from the Internet?
Let's look at the VNC scenario. Since VNC servers generally listen on port 5900, we just make a simple request of our router: forward any incoming connections on port 5900 to the VNC server inside our network. Sounds like a lot of complicated IPTables stuff. Well, I'm sure that it is. However, YaST allows us to set this up quickly and easily, and I'm all about quick and easy.
For this article, our objective has three parts. First, we need to get the VNC server set up on a computer inside of the network. Then, we are going to configure the firewall so that all incoming VNC connections are sent straight to the VNC machine. This allows us to connect to and view the desktop of the internal machine, through the firewall, just for VNC. Finally, we have to experience the joy of it working, so we'll test it.
Set up the VNC Server
I have covered setting up a VNC server in a previous article. Look through the second half of that article if you need a quick run-through on setting up VNC (also referred to as Desktop Sharing) on a Linux machine. Set the computer up to listen for an incoming connection. Take note of the IP address of this machine. Also, note that the port VNC uses is 5900.
The next step is to set up the firewall to forward any VNC connections to the appropriate machine.
First, open YAST. Select SECURITY AND USERS from the left pane, and then FIREWALL from the options on the right:
When the firewall configuration window comes up, select MASQUERADING from the left pane. You should see a window similar to this one:
This is where we tell the firewall to forward our incoming VNC connection. To do this, click ADD. Another little window appears:
All we need to do here is say, "When you get a connection on port 5900, forward that connection to my VNC machine," (and don't forget to say "please").
The SOURCE NETWORK is the network that the request will be coming from. For all networks, just leave it as "0/0". The protocol for VNC is TCP, so we'll just leave the drop-down set to TCP. Then, we have the REQUESTED IP box. Although not the most secure option, I just put "0/0" here. Normally, you'd put the IP of the external NIC on your router box. However, if that IP changes, you'll have to come back in here and update this box. I don't like to mess with it, so I just put "0/0" in there. The REQUESTED PORT is 5900. In the box labeled REDIRECT TO MASQUERADED IP, just type in the IP of your VNC machine. In the REDIRECT TO PORT, you can also just put in 5900. Your window should now look something like this:
When you're finished, click ADD, and you'll see your rule appear back in the main window:
Go ahead and click NEXT. You'll see the FIREWALL CONFIGURATION SUMMARY screen, where you can click ACCEPT. YAST then writes the firewall configuration and restarts the firewall. You should now be ready to test.
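To show what the dialog fields above turn into, here is an added example (not code from the article or from Novell) that maps the SOURCE NETWORK, protocol, REQUESTED IP, REQUESTED PORT, REDIRECT TO MASQUERADED IP and REDIRECT TO PORT fields onto the FW_FORWARD_MASQ entry in /etc/sysconfig/SuSEfirewall2 and onto plain iptables rules that perform the same forwarding; it also shows the same rule with the source network narrowed to one outside network. The interface names eth0/eth1 and all IP addresses are assumed sample values, and the iptables lines are an equivalent, not SuSEfirewall2's exact generated rule set.

```shell
#!/bin/sh
# Added example (not from the article): translate the fields of YaST's
# Masquerading "Add" dialog into the FW_FORWARD_MASQ entry that lands in
# /etc/sysconfig/SuSEfirewall2, and into plain iptables rules that do the
# same forwarding. Interface names and all IP addresses are assumed samples.

EXT_IF=eth0   # assumed: NIC facing the Internet
INT_IF=eth1   # assumed: NIC facing the internal network

# Arguments follow the dialog: $1 SOURCE NETWORK, $2 protocol, $3 REQUESTED IP,
# $4 REQUESTED PORT, $5 REDIRECT TO MASQUERADED IP, $6 REDIRECT TO PORT.
forward_masq_entry() {
    # SuSEfirewall2 field order: source,internal_ip,proto,port[,redir_port[,requested_ip]]
    entry="$1,$5,$2,$4"
    if [ "$6" != "$4" ] || [ "$3" != "0/0" ]; then entry="$entry,$6"; fi
    if [ "$3" != "0/0" ]; then entry="$entry,$3"; fi
    printf 'FW_FORWARD_MASQ="%s"\n' "$entry"
}

# Equivalent iptables rules: DNAT the packet on arrival, then let it through
# the FORWARD chain to the internal host. Replies are un-NATed by conntrack and
# rely on the usual ESTABLISHED,RELATED rule in the other direction.
dnat_rules() {
    dmatch=""
    if [ "$3" != "0/0" ]; then dmatch=" -d $3"; fi
    printf 'iptables -t nat -A PREROUTING -i %s -s %s%s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$EXT_IF" "$1" "$dmatch" "$2" "$4" "$5" "$6"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p %s --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$EXT_IF" "$INT_IF" "$1" "$5" "$2" "$6"
}

# The article's rule: any source, any router address, TCP 5900 -> VNC host.
forward_masq_entry 0/0 tcp 0/0 5900 192.168.1.20 5900
dnat_rules         0/0 tcp 0/0 5900 192.168.1.20 5900

# Same forwarding limited to one outside network and the router's own external
# address, so the VNC host is not reachable from the whole Internet.
forward_masq_entry 198.51.100.0/24 tcp 203.0.113.5 5900 192.168.1.20 5900
dnat_rules         198.51.100.0/24 tcp 203.0.113.5 5900 192.168.1.20 5900
```

The first FW_FORWARD_MASQ line is the one YaST writes for the VNC rule in this article; the second shows how much smaller the exposure becomes when SOURCE NETWORK and REQUESTED IP are filled in instead of left at "0/0".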
Testing the Setup
On a machine outside your network, fire up your VNC client. Try to establish a connection with your router machine by using its external IP address. You should not have to specify a port, as most VNC clients know to connect to port 5900. If you're using krdc on KDE, your window might look like this (220.127.116.11 is the IP address of the external NIC on my router machine):
And your triumphant connection:
Note that even though we initiated the connection to our router machine, it forwarded the connection to the machine inside the network with the VNC server on it. It looks and feels like we're directly connected to that internal machine. We now know that we've set everything up correctly.
If you need to access an internal machine from outside your network, port forwarding might just be what you need. You can set up an FTP server, a web server, a database server, or probably even a game server and make it accessible from outside the network. Port forwarding is one of the many great things that Linux brings to the table.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com