Can't connect to VNC server
Hoping your collective brain power can assist me...



tl;dr - Ubuntu server seems to have several ports open, but none can be seen by the outside (LAN) world - WTF is going on?



Longer:



I have a headless 17.04 server to which I'd like to connect using VNC, but I'm struggling at the moment. I'm using two clients - both Windows 10, one using RealVNC, one using TightVNC.



I've set up TightVNC server on my Ubuntu machine, mostly following the instructions at https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-16-04, intending to run Xfce as a desktop:



$ sudo apt install xfce4 xfce4-goodies tightvncserver


I've changed the xstartup file to:



#!/bin/bash
xrdb $HOME/.Xresources
startxfce4 &


And granted executable privilege.



If I start the server using tightvncserver I get:



New 'X' desktop is numbersix:1

Starting applications specified in /home/adam/.vnc/xstartup
Log file is /home/adam/.vnc/numbersix:1.log


nmap localhost gives:



Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-09 21:05 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000076s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 986 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
5901/tcp open vnc-1
6001/tcp open X11:1
8000/tcp open http-alt
8001/tcp open vcom-tunnel
8010/tcp open xmpp
8080/tcp open http-proxy
9091/tcp open xmltec-xmlmail


nmap 192.168.1.6 gives the same result.



I set the server as a systemd service - created /etc/systemd/system/vncserver@.service with this content:



[Unit]
Description=Start TightVNC server at startup
After=syslog.target network.target

[Service]
Type=forking
User=adam
PAMName=login
PIDFile=/home/adam/.vnc/%H:%i.pid
# systemd does not run Exec* lines through a shell, so a "> /dev/null 2>&1"
# redirection would be handed to vncserver as literal arguments. The leading
# "-" already makes a failed kill (no stale session) non-fatal, so the
# redirection is simply dropped here.
ExecStartPre=-/usr/bin/vncserver -kill :%i
ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i
ExecStop=/usr/bin/vncserver -kill :%i

[Install]
WantedBy=multi-user.target


Then started the service with



$ sudo systemctl daemon-reload
$ sudo systemctl enable vncserver@1.service
$ sudo systemctl start vncserver@1


All seems to work. sudo systemctl status vncserver@1 gives:



● vncserver@1.service - Start TightVNC server at startup
Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2017-11-09 21:38:13 GMT; 6s ago
Process: 3924 ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :1 (code=exited, status=0/SUCCESS)
Process: 3916 ExecStartPre=/usr/bin/vncserver -kill :1 > /dev/null 2>&1 (code=exited, status=2)
Main PID: 3937 (Xtightvnc)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/system-vncserver.slice/vncserver@1.service
‣ 3937 Xtightvnc :1 -desktop X -auth /home/adam/.Xauthority -geometry
1280x800 -depth 24 -rfbwait 120000 -rfbauth /h

Nov 09 21:38:12 numbersix systemd[1]: Starting Start TightVNC server at startup...
Nov 09 21:38:12 numbersix systemd[3916]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:12 numbersix systemd[3924]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:13 numbersix systemd[1]: Started Start TightVNC server at startup.


telnet localhost 5901 seems to connect OK:



Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
RFB 003.008


And sudo netstat -nlpt | grep :59 gives:



tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      3937/Xtightvnc


But, telnet numbersix 5901 and telnet 192.168.1.6 (from Windows) fail with:



Could not open connection to the host, on port 5901: Connect failed


And neither RealVNC nor TightVNC will connect (using hostname or IP). Ping works on both Windows hosts with IP or hostname. Also couldn't connect from Ubuntu laptop. Again, can ping. I can ssh without issues. sudo nmap numbersix from the Ubuntu laptop gives:



Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-10 12:50 GMT
Nmap scan report for numbersix (192.168.1.6)
Host is up (0.0032s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
8000/tcp open http-alt
8001/tcp open vcom-tunnel
MAC Address: 60:45:CB:64:2B:C8 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds


The INPUT, FORWARD and OUTPUT chains from sudo iptables -L on the server are:



Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
OUTPUT_direct all -- anywhere anywhere


So I think that suggests that iptables is blocking nothing...



Can anyone help me diagnose the problem, please?
server 17.04 remote-desktop vnc tightvncserver
edited Nov 10 '17 at 18:00
asked Nov 9 '17 at 21:48
Adam-the-Kiwi

  • I think that nmap localhost says open provided the service is listening on the loopback interface - it doesn't tell you that it's listening on the external interface. So what does telnet localhost 5901 say - or, looked at the other way, what does sudo netstat -nlpt | grep :59 show in the Local Address field?
    – steeldriver
    Nov 10 '17 at 1:31

  • Thanks - the results look fine to me. Are you sure you don't have an outbound rule in your Windows firewall that is blocking the connection? Have you tried telnet from Windows using the IP address? FWIW you're probably going to want to tunnel the connection over SSH anyway if you're using it over a public network, so it may not be worth banging your head against this.
    – steeldriver
    Nov 10 '17 at 13:51

  • Hi steeldriver - I'll add some more detail to the post, but: - no, not sure, but I can't access it from a xenial laptop either, and that doesn't have anything in iptables; - telnet using the IP address from Windows and xenial all fail with similar errors; - nmap from xenial shows only ports 22, 8000 and 8001 open; - iptables on the server indicate that the ports are open; - for the moment, I'm only looking to access on LAN; - honestly, the issue is less about VNC and more about 'what the foxtrot-uniform-charlie-kilo is going on with my server'! I'm astounded sometimes how little I know.
    – Adam-the-Kiwi
    Nov 10 '17 at 17:39
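Added example, not part of the question or the comments: a small Python triage script that applies steeldriver's reasoning (local "open" only proves a listener exists; the bind address and the view from another host decide reachability) to the three outputs the question already shows, and flags what a plain `iptables -L` hides. It assumes the `netstat -nlpt`, LAN-side nmap and `iptables -L INPUT` text is pasted in as printed; the sshd and cupsd listener lines are constructed so there is one reachable and one loopback-only port to compare against 5901.

```python
import re

# Constructed sample inputs: the 5901 netstat line, the LAN-side nmap summary
# and the INPUT chain are taken from the question; the sshd and cupsd netstat
# lines are made up so the example has one reachable and one loopback-only port.
NETSTAT_NLPT = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      901/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      902/cupsd
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      3937/Xtightvnc
"""
NMAP_FROM_LAN = """\
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
8000/tcp open http-alt
8001/tcp open vcom-tunnel
"""
IPTABLES_INPUT = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
"""
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}
LOOPBACK = {"127.0.0.1", "::1"}

def parse_listeners(text):
    """Map TCP port -> set of bind addresses from `netstat -nlpt` output."""
    listeners = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, port = f[3].rsplit(":", 1)
            listeners.setdefault(int(port), set()).add(addr)
    return listeners

def parse_nmap(text):
    """Return ({port: state}, state of the 'Not shown' ports) from an nmap report."""
    m = re.search(r"Not shown: \d+ (\w+) ports", text)
    states = {int(p): s for p, s in re.findall(r"^(\d+)/tcp\s+(\w+)", text, re.M)}
    return states, (m.group(1) if m else "unknown")

def parse_input_chain(text):
    """Summarise `iptables -L INPUT`: accepted tcp dports (as printed, so names like
    'domain' stay names), jumps to user-defined chains, and a trailing catch-all."""
    accepted, jumps, last = set(), [], []
    for line in text.splitlines()[2:]:            # skip the 'Chain' and header lines
        f = line.split()
        if not f:
            continue
        last = f
        m = re.search(r"tcp dpt:(\S+)", line)
        if f[0] == "ACCEPT" and m:
            accepted.add(m.group(1))
        elif f[0] not in BUILTIN_TARGETS:
            jumps.append(f[0])
    catch_all = (bool(last) and last[0] in {"REJECT", "DROP"}
                 and "ctstate" not in last and "dpt:" not in " ".join(last))
    return {"accepted": accepted, "jumps": jumps, "catch_all_reject": catch_all}

def classify(port, listeners, nmap_states, nmap_default, chain):
    """Explain why `port` is or is not reachable from the LAN."""
    binds = listeners.get(port)
    if not binds:
        return "not listening"
    if binds <= LOOPBACK:
        return "listening on loopback only; unreachable from the LAN by design"
    remote = nmap_states.get(port, nmap_default)
    if remote == "open":
        return "reachable"
    # 'filtered' means neither SYN/ACK nor RST came back; an ICMP host-prohibited
    # REJECT is reported the same way.  The socket binds every interface, so the
    # packet is dropped or rejected before it reaches the listener.
    verdict = "bound to %s yet %s from the LAN: host firewall is the likely cause" % (
        "/".join(sorted(binds)), remote)
    if chain["catch_all_reject"] and str(port) not in chain["accepted"]:
        verdict += "; INPUT ends in a catch-all REJECT with no ACCEPT for tcp dpt:%d" % port
    if chain["jumps"]:
        # A plain `iptables -L` also hides interface matches, so a bare
        # 'ACCEPT all anywhere anywhere' is usually '-i lo', not a real allow-all.
        verdict += "; rules inside %s are not shown by `iptables -L` (use -n -v)" % (
            ", ".join(chain["jumps"]))
    return verdict

def triage(netstat_text, nmap_text, iptables_text):
    """Return {port: verdict} for every listening TCP port."""
    listeners = parse_listeners(netstat_text)
    states, default = parse_nmap(nmap_text)
    chain = parse_input_chain(iptables_text)
    return {p: classify(p, listeners, states, default, chain) for p in sorted(listeners)}
```

Calling `triage(NETSTAT_NLPT, NMAP_FROM_LAN, IPTABLES_INPUT)` on the embedded samples reports 22 as reachable, 631 as loopback-only, and 5901 as bound to every interface yet filtered, with the INPUT chain's trailing REJECT and its hidden sub-chains named as the place to look next.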
















  • 2




    I think that nmap localhost says open provided the service is listening on the loopback interface - it doesn't tell you that it's listening on the external interface. So what does telnet localhost 5901 say - or, looked at the other way, what does sudo netstat -nlpt | grep :59 show in the Local Address field?
    – steeldriver
    Nov 10 '17 at 1:31










  • Thanks - the results look fine to me. Are you sure you don't have an outbound rule in your Windows firewall that is blocking the connection? Have you tried telnet from Windows using the IP address? FWIW you're probably going to want to tunnel the connection over SSH anyway if you're using it over a public network, so it may not be worth banging your head against this.
    – steeldriver
    Nov 10 '17 at 13:51










  • Hi steeldriver - I'll add some more detail to the post, but: - no, not sure, but I can't access it from a xenial laptop either, and that doesn't have anything in iptables; - telnet using the ip address from Windows and xenial all fail with similar errors; - nmap from xenial shows only ports 22, 8000 and 8001 open; - iptables on the server indicate that the ports are open; - for the moment, I'm only looking to access on LAN; - honestly, the issue is less about VNC and more about 'what the foxtrot-uniform-charlie-kilo is going on with my server'! I'm astounded sometimes how little I know.
    – Adam-the-Kiwi
    Nov 10 '17 at 17:39
1 Answer
The answer lay in my failure to understand iptables - and particularly what the output from sudo iptables -L meant...

When I instead ran sudo iptables -S, I was presented with a much fuller description of each rule, and it was obvious then that there wasn't a suitable INPUT rule that was allowing tcp traffic on 5901 (or any of the other ports I was looking at) through. Then the final INPUT rule, which was essentially rejecting everything that didn't match a rule, was collecting this traffic and rejecting it. The rule that I thought should have been ACCEPTing the traffic applied only to the lo interface (loopback).

I ran this:

sudo iptables -I INPUT 7 -s 192.168.1.0/24 -i enp37s0 -j ACCEPT

That's basically inserting a rule at line 7 of the INPUT chain, and telling it to ACCEPT any traffic from the 192.168.1.0/24 subnet arriving on the ethernet port.

The next challenge is getting iptables-persistent to actually work on reboot!!
– Adam-the-Kiwi
answered Nov 17 '17 at 19:28, edited Nov 18 '17 at 11:34
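To make the rule-ordering point in the answer concrete, here is an added example (my code, not the asker's or anything from Ask Ubuntu) that parses a constructed iptables -S INPUT listing shaped like the one the answer describes and traces a packet through it: from loopback, which is why nmap localhost reported 5901 open; from the LAN, which falls through to the final REJECT; and again after inserting a rule the way the answer did. The rule set, addresses and rule positions are constructed; only enp37s0 and 192.168.1.0/24 come from the answer, and VNC_RULE is an alternative the answer does not show, scoped to tcp/5901 instead of all LAN traffic.

```python
import ipaddress

# Constructed `sudo iptables -S INPUT` listing modelled on the answer: an ACCEPT
# that only covers loopback, an SSH allow, then a catch-all REJECT at the end.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""
LAN_RULE = "-s 192.168.1.0/24 -i enp37s0 -j ACCEPT"                              # the answer's fix
VNC_RULE = "-s 192.168.1.0/24 -i enp37s0 -p tcp -m tcp --dport 5901 -j ACCEPT"  # port-scoped alternative

def parse_rules(text):
    """Turn each `-A INPUT ...` line into a dict of match criteria plus target."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "-A":
            continue                                   # skip the -P policy line
        r = {}
        for flag, val in zip(tok[2::2], tok[3::2]):    # every option used here takes a value
            if flag == "-i":          r["iface"] = val
            elif flag == "-s":        r["src"] = ipaddress.ip_network(val, strict=False)
            elif flag == "-p":        r["proto"] = val
            elif flag == "--dport":   r["dport"] = int(val)
            elif flag == "--ctstate": r["state"] = set(val.split(","))
            elif flag == "-j":        r["target"] = val
        rules.append(r)
    return rules

def trace(rules, iface, src, proto, dport, state="NEW"):
    """Walk the chain top to bottom as the kernel does; return (rule number, target)."""
    src = ipaddress.ip_address(src)
    for n, r in enumerate(rules, 1):
        hit = (r.get("iface", iface) == iface and r.get("proto", proto) == proto
               and r.get("dport", dport) == dport and ("src" not in r or src in r["src"])
               and ("state" not in r or state in r["state"]))
        if hit:
            return n, r["target"]                      # first match wins
    return 0, "POLICY"                                 # fell off the end: chain policy applies

def insert_rule(text, position, rule_args):
    """Mirror `iptables -I INPUT <position> <args>`: the new rule takes that slot."""
    lines = text.splitlines()
    slots = [i for i, l in enumerate(lines) if l.startswith("-A INPUT")]
    at = slots[position - 1] if position <= len(slots) else len(lines)
    lines.insert(at, "-A INPUT " + rule_args)
    return "\n".join(lines) + "\n"
```

insert_rule(SAMPLE_RULES, 4, VNC_RULE) plays the role of the answer's -I INPUT 7; position 4 is simply where the catch-all REJECT sits in this constructed chain, and tracing tcp/8080 afterwards shows that the port-scoped rule still rejects everything except VNC.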