Can't connect to VNC server











up vote
1
down vote

favorite
2












Hoping your collective brain power can assist me...



tl;dr - Ubuntu server seems to have several ports open none can be seen by the outside (LAN) world - WTF is going on?



Longer:



I have a headless 17.04 server to which I'd like to connect using VNC, but I'm struggling at the moment. I'm using two clients - both Windows 10, one using RealVNC, one using TightVNC.



I've set up TightVNC server on my Ubuntu machine, mostly following the instructions at https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-16-04, intending to run Xfce as a desktop:



$ sudo apt install xfce4 xfce4-goodies tightvncserver


I've changed the xstartup file to:



#!/bin/bash
xrdb $HOME/.Xresources
startxfce4 &


And granted executable privilege.



If I start the server using tightvncserver I get:



New 'X' desktop is numbersix:1

Starting applications specified in /home/adam/.vnc/xstartup
Log file is /home/adam/.vnc/numbersix:1.log


nmap localhost gives:



Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-09 21:05 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000076s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 986 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
5901/tcp open vnc-1
6001/tcp open X11:1
8000/tcp open http-alt
8001/tcp open vcom-tunnel
8010/tcp open xmpp
8080/tcp open http-proxy
9091/tcp open xmltec-xmlmail


nmap 192.168.1.6 gives the same result.



I set the server as a systemd service - created /etc/systemd/system/vncserver@.service with this content:



[Unit]
Description=Start TightVNC server at startup
After=syslog.target network.target

[Service]
Type=forking
User=adam
PAMName=login
PIDFile=/home/adam/.vnc/%H:%i.pid
ExecStartPre=-/usr/bin/vncserver -kill :%i > /dev/null 2>&1
ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i
ExecStop=/usr/bin/vncserver -kill :%i

[Install]
WantedBy=multi-user.target


Then started the service with



$ sudo systemctl daemon-reload
$ sudo systemctl enable vncserver@1.service
$ sudo systemctl start vncserver@1


All seems to work. sudo systemctl status vncserver@1 gives:



● vncserver@1.service - Start TightVNC server at startup
Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2017-11-09 21:38:13 GMT; 6s ago
Process: 3924 ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :1 (code=exited, status=0/SUCCESS)
Process: 3916 ExecStartPre=/usr/bin/vncserver -kill :1 > /dev/null 2>&1 (code=exited, status=2)
Main PID: 3937 (Xtightvnc)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/system-vncserver.slice/vncserver@1.service
‣ 3937 Xtightvnc :1 -desktop X -auth /home/adam/.Xauthority -geometry
1280x800 -depth 24 -rfbwait 120000 -rfbauth /h

Nov 09 21:38:12 numbersix systemd[1]: Starting Start TightVNC server at startup...
Nov 09 21:38:12 numbersix systemd[3916]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:12 numbersix systemd[3924]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:13 numbersix systemd[1]: Started Start TightVNC server at startup.


telnet localhost 5901 seems to connect OK:



Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
RFB 003.008


And sudo netstat -nlpt | grep :59 gives:



tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      3937/Xtightvnc


But, telnet numbersix 5901 and telnet 192.168.1.6 (from Windows) fail with:



Could not open connection to the host, on port 5901: Connect failed


And neither RealVNC nor TightVNC will connect (using hostname or IP). Ping works on both Windows hosts with IP or hostname. Also couldn't connect from Ubuntu laptop. Again, can ping. I can ssh without issues. sudo nmap numbersix from the Ubuntu laptop gives:



Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-10 12:50 GMT
Nmap scan report for numbersix (192.168.1.6)
Host is up (0.0032s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
8000/tcp open http-alt
8001/tcp open vcom-tunnel
MAC Address: 60:45:CB:64:2B:C8 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds


The INPUT, FORWARD and OUTPUT chains from sudo iptables -L on the server are:



Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
OUTPUT_direct all -- anywhere anywhere


So I think that suggests that iptables is blocking nothing...



Can anyone help me diagnose the problem, please?










share|improve this question




















  • 2




    I think that nmap localhost says open provided the service is listening on the loopback interface - it doesn't tell you that it's listening on the external interface. So what does telnet localhost 5901 say - or, looked at the other way, what does sudo netstat -nlpt | grep :59 show in the Local Address field?
    – steeldriver
    Nov 10 '17 at 1:31










  • Thanks - the results look fine to me. Are you sure you don't have an outbound rule in your Windows firewall that is blocking the connection? Have you tried telnet from Windows using the IP address? FWIW you're probably going to want to tunnel the connection over SSH anyway if you're using it over a public network, so it may not be worth banging your head against this.
    – steeldriver
    Nov 10 '17 at 13:51










  • Hi steeldriver - I'll add some more detail to the post, but: - no, not sure, but I can't access it from a xenial laptop either, and that doesn't have anything in iptables; - telnet using the ip address from Windows and xenial all fail with similar errors; - nmap from xenial shows only ports 22, 8000 and 8001 open; - iptables on the server indicate that the ports are open; - for the moment, I'm only looking to access on LAN; - honestly, the issue is less about VNC and more about 'what the foxtrot-uniform-charlie-kilo is going on with my server'! I'm astounded sometimes how little I know.
    – Adam-the-Kiwi
    Nov 10 '17 at 17:39

















up vote
1
down vote

favorite
2












Hoping your collective brain power can assist me...



tl;dr - Ubuntu server seems to have several ports open none can be seen by the outside (LAN) world - WTF is going on?



Longer:



I have a headless 17.04 server to which I'd like to connect using VNC, but I'm struggling at the moment. I'm using two clients - both Windows 10, one using RealVNC, one using TightVNC.



I've set up TightVNC server on my Ubuntu machine, mostly following the instructions at https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-16-04, intending to run Xfce as a desktop:



$ sudo apt install xfce4 xfce4-goodies tightvncserver


I've changed the xstartup file to:



#!/bin/bash
xrdb $HOME/.Xresources
startxfce4 &


And granted executable privilege.



If I start the server using tightvncserver I get:



New 'X' desktop is numbersix:1

Starting applications specified in /home/adam/.vnc/xstartup
Log file is /home/adam/.vnc/numbersix:1.log


nmap localhost gives:



Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-09 21:05 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000076s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 986 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
5901/tcp open vnc-1
6001/tcp open X11:1
8000/tcp open http-alt
8001/tcp open vcom-tunnel
8010/tcp open xmpp
8080/tcp open http-proxy
9091/tcp open xmltec-xmlmail


nmap 192.168.1.6 gives the same result.



I set the server as a systemd service - created /etc/systemd/system/vncserver@.service with this content:



[Unit]
Description=Start TightVNC server at startup
After=syslog.target network.target

[Service]
Type=forking
User=adam
PAMName=login
PIDFile=/home/adam/.vnc/%H:%i.pid
ExecStartPre=-/usr/bin/vncserver -kill :%i > /dev/null 2>&1
ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i
ExecStop=/usr/bin/vncserver -kill :%i

[Install]
WantedBy=multi-user.target


Then started the service with



$ sudo systemctl daemon-reload
$ sudo systemctl enable vncserver@1.service
$ sudo systemctl start vncserver@1


All seems to work. sudo systemctl status vncserver@1 gives:



● vncserver@1.service - Start TightVNC server at startup
Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2017-11-09 21:38:13 GMT; 6s ago
Process: 3924 ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :1 (code=exited, status=0/SUCCESS)
Process: 3916 ExecStartPre=/usr/bin/vncserver -kill :1 > /dev/null 2>&1 (code=exited, status=2)
Main PID: 3937 (Xtightvnc)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/system-vncserver.slice/vncserver@1.service
‣ 3937 Xtightvnc :1 -desktop X -auth /home/adam/.Xauthority -geometry
1280x800 -depth 24 -rfbwait 120000 -rfbauth /h

Nov 09 21:38:12 numbersix systemd[1]: Starting Start TightVNC server at startup...
Nov 09 21:38:12 numbersix systemd[3916]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:12 numbersix systemd[3924]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:13 numbersix systemd[1]: Started Start TightVNC server at startup.


telnet localhost 5901 seems to connect OK:



Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
RFB 003.008


And sudo netstat -nlpt | grep :59 gives:



tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      3937/Xtightvnc


But, telnet numbersix 5901 and telnet 192.168.1.6 (from Windows) fail with:



Could not open connection to the host, on port 5901: Connect failed


And neither RealVNC nor TightVNC will connect (using hostname or IP). Ping works on both Windows hosts with IP or hostname. Also couldn't connect from Ubuntu laptop. Again, can ping. I can ssh without issues. sudo nmap numbersix from the Ubuntu laptop gives:



Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-10 12:50 GMT
Nmap scan report for numbersix (192.168.1.6)
Host is up (0.0032s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
8000/tcp open http-alt
8001/tcp open vcom-tunnel
MAC Address: 60:45:CB:64:2B:C8 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds


The INPUT, FORWARD and OUTPUT chains from sudo iptables -L on the server are:



Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
OUTPUT_direct all -- anywhere anywhere


So I think that suggests that iptables is blocking nothing...



Can anyone help me diagnose the problem, please?










share|improve this question




















  • 2




    I think that nmap localhost says open provided the service is listening on the loopback interface - it doesn't tell you that it's listening on the external interface. So what does telnet localhost 5901 say - or, looked at the other way, what does sudo netstat -nlpt | grep :59 show in the Local Address field?
    – steeldriver
    Nov 10 '17 at 1:31










  • Thanks - the results look fine to me. Are you sure you don't have an outbound rule in your Windows firewall that is blocking the connection? Have you tried telnet from Windows using the IP address? FWIW you're probably going to want to tunnel the connection over SSH anyway if you're using it over a public network, so it may not be worth banging your head against this.
    – steeldriver
    Nov 10 '17 at 13:51










  • Hi steeldriver - I'll add some more detail to the post, but: - no, not sure, but I can't access it from a xenial laptop either, and that doesn't have anything in iptables; - telnet using the ip address from Windows and xenial all fail with similar errors; - nmap from xenial shows only ports 22, 8000 and 8001 open; - iptables on the server indicate that the ports are open; - for the moment, I'm only looking to access on LAN; - honestly, the issue is less about VNC and more about 'what the foxtrot-uniform-charlie-kilo is going on with my server'! I'm astounded sometimes how little I know.
    – Adam-the-Kiwi
    Nov 10 '17 at 17:39















up vote
1
down vote

favorite
2









up vote
1
down vote

favorite
2






2





Hoping your collective brain power can assist me...



tl;dr - Ubuntu server seems to have several ports open none can be seen by the outside (LAN) world - WTF is going on?



Longer:



I have a headless 17.04 server to which I'd like to connect using VNC, but I'm struggling at the moment. I'm using two clients - both Windows 10, one using RealVNC, one using TightVNC.



I've set up TightVNC server on my Ubuntu machine, mostly following the instructions at https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-16-04, intending to run Xfce as a desktop:



$ sudo apt install xfce4 xfce4-goodies tightvncserver


I've changed the xstartup file to:



#!/bin/bash
xrdb $HOME/.Xresources
startxfce4 &


And granted executable privilege.



If I start the server using tightvncserver I get:



New 'X' desktop is numbersix:1

Starting applications specified in /home/adam/.vnc/xstartup
Log file is /home/adam/.vnc/numbersix:1.log


nmap localhost gives:



Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-09 21:05 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000076s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 986 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
5901/tcp open vnc-1
6001/tcp open X11:1
8000/tcp open http-alt
8001/tcp open vcom-tunnel
8010/tcp open xmpp
8080/tcp open http-proxy
9091/tcp open xmltec-xmlmail


nmap 192.168.1.6 gives the same result.



I set the server as a systemd service - created /etc/systemd/system/vncserver@.service with this content:



[Unit]
Description=Start TightVNC server at startup
After=syslog.target network.target

[Service]
Type=forking
User=adam
PAMName=login
PIDFile=/home/adam/.vnc/%H:%i.pid
ExecStartPre=-/usr/bin/vncserver -kill :%i > /dev/null 2>&1
ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i
ExecStop=/usr/bin/vncserver -kill :%i

[Install]
WantedBy=multi-user.target


Then started the service with



$ sudo systemctl daemon-reload
$ sudo systemctl enable vncserver@1.service
$ sudo systemctl start vncserver@1


All seems to work. sudo systemctl status vncserver@1 gives:



● vncserver@1.service - Start TightVNC server at startup
Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2017-11-09 21:38:13 GMT; 6s ago
Process: 3924 ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :1 (code=exited, status=0/SUCCESS)
Process: 3916 ExecStartPre=/usr/bin/vncserver -kill :1 > /dev/null 2>&1 (code=exited, status=2)
Main PID: 3937 (Xtightvnc)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/system-vncserver.slice/vncserver@1.service
‣ 3937 Xtightvnc :1 -desktop X -auth /home/adam/.Xauthority -geometry
1280x800 -depth 24 -rfbwait 120000 -rfbauth /h

Nov 09 21:38:12 numbersix systemd[1]: Starting Start TightVNC server at startup...
Nov 09 21:38:12 numbersix systemd[3916]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:12 numbersix systemd[3924]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:13 numbersix systemd[1]: Started Start TightVNC server at startup.


telnet localhost 5901 seems to connect OK:



Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
RFB 003.008


And sudo netstat -nlpt | grep :59 gives:



tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      3937/Xtightvnc


But, telnet numbersix 5901 and telnet 192.168.1.6 (from Windows) fail with:



Could not open connection to the host, on port 5901: Connect failed


And neither RealVNC nor TightVNC will connect (using hostname or IP). Ping works on both Windows hosts with IP or hostname. Also couldn't connect from Ubuntu laptop. Again, can ping. I can ssh without issues. sudo nmap numbersix from the Ubuntu laptop gives:



Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-10 12:50 GMT
Nmap scan report for numbersix (192.168.1.6)
Host is up (0.0032s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
8000/tcp open http-alt
8001/tcp open vcom-tunnel
MAC Address: 60:45:CB:64:2B:C8 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds


The INPUT, FORWARD and OUTPUT chains from sudo iptables -L on the server are:



Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
OUTPUT_direct all -- anywhere anywhere


So I think that suggests that iptables is blocking nothing...



Can anyone help me diagnose the problem, please?










share|improve this question















Hoping your collective brain power can assist me...



tl;dr - Ubuntu server seems to have several ports open none can be seen by the outside (LAN) world - WTF is going on?



Longer:



I have a headless 17.04 server to which I'd like to connect using VNC, but I'm struggling at the moment. I'm using two clients - both Windows 10, one using RealVNC, one using TightVNC.



I've set up TightVNC server on my Ubuntu machine, mostly following the instructions at https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-16-04, intending to run Xfce as a desktop:



$ sudo apt install xfce4 xfce4-goodies tightvncserver


I've changed the xstartup file to:



#!/bin/bash
xrdb $HOME/.Xresources
startxfce4 &


And granted executable privilege.



If I start the server using tightvncserver I get:



New 'X' desktop is numbersix:1

Starting applications specified in /home/adam/.vnc/xstartup
Log file is /home/adam/.vnc/numbersix:1.log


nmap localhost gives:



Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-09 21:05 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000076s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 986 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
5901/tcp open vnc-1
6001/tcp open X11:1
8000/tcp open http-alt
8001/tcp open vcom-tunnel
8010/tcp open xmpp
8080/tcp open http-proxy
9091/tcp open xmltec-xmlmail


nmap 192.168.1.6 gives the same result.



I set the server as a systemd service - created /etc/systemd/system/vncserver@.service with this content:



[Unit]
Description=Start TightVNC server at startup
After=syslog.target network.target

[Service]
Type=forking
User=adam
PAMName=login
PIDFile=/home/adam/.vnc/%H:%i.pid
ExecStartPre=-/usr/bin/vncserver -kill :%i > /dev/null 2>&1
ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i
ExecStop=/usr/bin/vncserver -kill :%i

[Install]
WantedBy=multi-user.target


Then started the service with



$ sudo systemctl daemon-reload
$ sudo systemctl enable vncserver@1.service
$ sudo systemctl start vncserver@1


All seems to work. sudo systemctl status vncserver@1 gives:



● vncserver@1.service - Start TightVNC server at startup
Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2017-11-09 21:38:13 GMT; 6s ago
Process: 3924 ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :1 (code=exited, status=0/SUCCESS)
Process: 3916 ExecStartPre=/usr/bin/vncserver -kill :1 > /dev/null 2>&1 (code=exited, status=2)
Main PID: 3937 (Xtightvnc)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/system-vncserver.slice/vncserver@1.service
‣ 3937 Xtightvnc :1 -desktop X -auth /home/adam/.Xauthority -geometry
1280x800 -depth 24 -rfbwait 120000 -rfbauth /h

Nov 09 21:38:12 numbersix systemd[1]: Starting Start TightVNC server at startup...
Nov 09 21:38:12 numbersix systemd[3916]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:12 numbersix systemd[3924]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:13 numbersix systemd[1]: Started Start TightVNC server at startup.


telnet localhost 5901 seems to connect OK:



Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
RFB 003.008


And sudo netstat -nlpt | grep :59 gives:



tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      3937/Xtightvnc


But, telnet numbersix 5901 and telnet 192.168.1.6 (from Windows) fail with:



Could not open connection to the host, on port 5901: Connect failed


And neither RealVNC nor TightVNC will connect (using hostname or IP). Ping works on both Windows hosts with IP or hostname. Also couldn't connect from Ubuntu laptop. Again, can ping. I can ssh without issues. sudo nmap numbersix from the Ubuntu laptop gives:



Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-10 12:50 GMT
Nmap scan report for numbersix (192.168.1.6)
Host is up (0.0032s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
8000/tcp open http-alt
8001/tcp open vcom-tunnel
MAC Address: 60:45:CB:64:2B:C8 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds


The INPUT, FORWARD and OUTPUT chains from sudo iptables -L on the server are:



Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
OUTPUT_direct all -- anywhere anywhere


So I think that suggests that iptables is blocking nothing...



Can anyone help me diagnose the problem, please?







server 17.04 remote-desktop vnc tightvncserver






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 10 '17 at 18:00

























asked Nov 9 '17 at 21:48









Adam-the-Kiwi

1114




1114








  • 2




    I think that nmap localhost says open provided the service is listening on the loopback interface - it doesn't tell you that it's listening on the external interface. So what does telnet localhost 5901 say - or, looked at the other way, what does sudo netstat -nlpt | grep :59 show in the Local Address field?
    – steeldriver
    Nov 10 '17 at 1:31










  • Thanks - the results look fine to me. Are you sure you don't have an outbound rule in your Windows firewall that is blocking the connection? Have you tried telnet from Windows using the IP address? FWIW you're probably going to want to tunnel the connection over SSH anyway if you're using it over a public network, so it may not be worth banging your head against this.
    – steeldriver
    Nov 10 '17 at 13:51










  • Hi steeldriver - I'll add some more detail to the post, but: - no, not sure, but I can't access it from a xenial laptop either, and that doesn't have anything in iptables; - telnet using the ip address from Windows and xenial all fail with similar errors; - nmap from xenial shows only ports 22, 8000 and 8001 open; - iptables on the server indicate that the ports are open; - for the moment, I'm only looking to access on LAN; - honestly, the issue is less about VNC and more about 'what the foxtrot-uniform-charlie-kilo is going on with my server'! I'm astounded sometimes how little I know.
    – Adam-the-Kiwi
    Nov 10 '17 at 17:39
















  • 2




    I think that nmap localhost says open provided the service is listening on the loopback interface - it doesn't tell you that it's listening on the external interface. So what does telnet localhost 5901 say - or, looked at the other way, what does sudo netstat -nlpt | grep :59 show in the Local Address field?
    – steeldriver
    Nov 10 '17 at 1:31










  • Thanks - the results look fine to me. Are you sure you don't have an outbound rule in your Windows firewall that is blocking the connection? Have you tried telnet from Windows using the IP address? FWIW you're probably going to want to tunnel the connection over SSH anyway if you're using it over a public network, so it may not be worth banging your head against this.
    – steeldriver
    Nov 10 '17 at 13:51










  • Hi steeldriver - I'll add some more detail to the post, but: - no, not sure, but I can't access it from a xenial laptop either, and that doesn't have anything in iptables; - telnet using the ip address from Windows and xenial all fail with similar errors; - nmap from xenial shows only ports 22, 8000 and 8001 open; - iptables on the server indicate that the ports are open; - for the moment, I'm only looking to access on LAN; - honestly, the issue is less about VNC and more about 'what the foxtrot-uniform-charlie-kilo is going on with my server'! I'm astounded sometimes how little I know.
    – Adam-the-Kiwi
    Nov 10 '17 at 17:39










2




2




I think that nmap localhost says open provided the service is listening on the loopback interface - it doesn't tell you that it's listening on the external interface. So what does telnet localhost 5901 say - or, looked at the other way, what does sudo netstat -nlpt | grep :59 show in the Local Address field?
– steeldriver
Nov 10 '17 at 1:31




I think that nmap localhost says open provided the service is listening on the loopback interface - it doesn't tell you that it's listening on the external interface. So what does telnet localhost 5901 say - or, looked at the other way, what does sudo netstat -nlpt | grep :59 show in the Local Address field?
– steeldriver
Nov 10 '17 at 1:31












Thanks - the results look fine to me. Are you sure you don't have an outbound rule in your Windows firewall that is blocking the connection? Have you tried telnet from Windows using the IP address? FWIW you're probably going to want to tunnel the connection over SSH anyway if you're using it over a public network, so it may not be worth banging your head against this.
– steeldriver
Nov 10 '17 at 13:51




Thanks - the results look fine to me. Are you sure you don't have an outbound rule in your Windows firewall that is blocking the connection? Have you tried telnet from Windows using the IP address? FWIW you're probably going to want to tunnel the connection over SSH anyway if you're using it over a public network, so it may not be worth banging your head against this.
– steeldriver
Nov 10 '17 at 13:51












Hi steeldriver - I'll add some more detail to the post, but: - no, not sure, but I can't access it from a xenial laptop either, and that doesn't have anything in iptables; - telnet using the ip address from Windows and xenial all fail with similar errors; - nmap from xenial shows only ports 22, 8000 and 8001 open; - iptables on the server indicate that the ports are open; - for the moment, I'm only looking to access on LAN; - honestly, the issue is less about VNC and more about 'what the foxtrot-uniform-charlie-kilo is going on with my server'! I'm astounded sometimes how little I know.
– Adam-the-Kiwi
Nov 10 '17 at 17:39






Hi steeldriver - I'll add some more detail to the post, but: - no, not sure, but I can't access it from a xenial laptop either, and that doesn't have anything in iptables; - telnet using the ip address from Windows and xenial all fail with similar errors; - nmap from xenial shows only ports 22, 8000 and 8001 open; - iptables on the server indicate that the ports are open; - for the moment, I'm only looking to access on LAN; - honestly, the issue is less about VNC and more about 'what the foxtrot-uniform-charlie-kilo is going on with my server'! I'm astounded sometimes how little I know.
– Adam-the-Kiwi
Nov 10 '17 at 17:39












1 Answer
1






active

oldest

votes

















up vote
0
down vote













The answer lay in my failure to understand iptables - and particularly what the output from sudo iptables -L meant...



When I instead ran sudo iptables -S, I was presented with a much fuller description of each rule, and it was obvious then that there wasn't a suitable INPUT rule that was allowing tcp traffic on 5901 (or any of the other ports I was looking at) through. Then the final INPUT rule, which was essentially rejecting everything that didn't match a rule, was collecting this traffic and rejecting it. The rule that I thought should have been ACCEPTing the traffic applied only to the lo interface (loopback).



I ran this:
sudo iptables -I INPUT 7 -s 192.168.1.0/24 -i enp37s0 -j ACCEPT



That's basically inserting a rule at line 7 of the INPUT chain, and telling it to ACCEPT any traffic from the 192.168.1.0/24 subnet arriving on the ethernet port.



The next challenge is getting iptables-persistent to actually work on reboot!!






share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "89"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f974858%2fcant-connect-to-vnc-server%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    0
    down vote













    The answer lay in my failure to understand iptables - and particularly what the output from sudo iptables -L meant...



    When I instead ran sudo iptables -S, I was presented with a much fuller description of each rule, and it was obvious then that there wasn't a suitable INPUT rule that was allowing tcp traffic on 5901 (or any of the other ports I was looking at) through. Then the final INPUT rule, which was essentially rejecting everything that didn't match a rule, was collecting this traffic and rejecting it. The rule that I thought should have been ACCEPTing the traffic applied only to the lo interface (loopback).



    I ran this:
    sudo iptables -I INPUT 7 -s 192.168.1.0/24 -i enp37s0 -j ACCEPT



    That's basically inserting a rule at line 7 of the INPUT chain, and telling it to ACCEPT any traffic from the 192.168.1.0/24 subnet arriving on the ethernet port.



    The next challenge is getting iptables-persistent to actually work on reboot!!






    share|improve this answer



























      up vote
      0
      down vote













      The answer lay in my failure to understand iptables - and particularly what the output from sudo iptables -L meant...



      When I instead ran sudo iptables -S, I was presented with a much fuller description of each rule, and it was obvious then that there wasn't a suitable INPUT rule that was allowing tcp traffic on 5901 (or any of the other ports I was looking at) through. Then the final INPUT rule, which was essentially rejecting everything that didn't match a rule, was collecting this traffic and rejecting it. The rule that I thought should have been ACCEPTing the traffic applied only to the lo interface (loopback).



      I ran this:
      sudo iptables -I INPUT 7 -s 192.168.1.0/24 -i enp37s0 -j ACCEPT



      That's basically inserting a rule at line 7 of the INPUT chain, and telling it to ACCEPT any traffic from the 192.168.1.0/24 subnet arriving on the ethernet port.



      The next challenge is getting iptables-persistent to actually work on reboot!!






      share|improve this answer

























        up vote
        0
        down vote










        up vote
        0
        down vote









        The answer lay in my failure to understand iptables - and particularly what the output from sudo iptables -L meant...



        When I instead ran sudo iptables -S, I was presented with a much fuller description of each rule, and it was obvious then that there wasn't a suitable INPUT rule that was allowing tcp traffic on 5901 (or any of the other ports I was looking at) through. Then the final INPUT rule, which was essentially rejecting everything that didn't match a rule, was collecting this traffic and rejecting it. The rule that I thought should have been ACCEPTing the traffic applied only to the lo interface (loopback).



        I ran this:
        sudo iptables -I INPUT 7 -s 192.168.1.0/24 -i enp37s0 -j ACCEPT



        That's basically inserting a rule at line 7 of the INPUT chain, and telling it to ACCEPT any traffic from the 192.168.1.0/24 subnet arriving on the ethernet port.



        The next challenge is getting iptables-persistent to actually work on reboot!!






        share|improve this answer














        The answer lay in my failure to understand iptables - and particularly what the output from sudo iptables -L meant...



        When I instead ran sudo iptables -S, I was presented with a much fuller description of each rule, and it was obvious then that there wasn't a suitable INPUT rule that was allowing tcp traffic on 5901 (or any of the other ports I was looking at) through. Then the final INPUT rule, which was essentially rejecting everything that didn't match a rule, was collecting this traffic and rejecting it. The rule that I thought should have been ACCEPTing the traffic applied only to the lo interface (loopback).



        I ran this:
        sudo iptables -I INPUT 7 -s 192.168.1.0/24 -i enp37s0 -j ACCEPT



        That's basically inserting a rule at line 7 of the INPUT chain, and telling it to ACCEPT any traffic from the 192.168.1.0/24 subnet arriving on the ethernet port.



        The next challenge is getting iptables-persistent to actually work on reboot!!







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Nov 18 '17 at 11:34

























        answered Nov 17 '17 at 19:28









        Adam-the-Kiwi

        1114




        1114






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Ask Ubuntu!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f974858%2fcant-connect-to-vnc-server%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            How to change which sound is reproduced for terminal bell?

            Can I use Tabulator js library in my java Spring + Thymeleaf project?

            Title Spacing in Bjornstrup Chapter, Removing Chapter Number From Contents