Show output of “iptables -L -n -v” from both systems.
Local
sudo iptables -L -n -v
[sudo] password for root:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Remote
sudo iptables -L -n -v
[sudo] password for root:
Sorry, try again.
[sudo] password for root:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
48 4560 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
12M 14G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED
6561 821K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
15500 1281K input_int all -- eth0 * 0.0.0.0/0 0.0.0.0/0
0 0 input_ext all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-IN-ILL-TARGET "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-FWD-ILL-ROUTING "
Chain OUTPUT (policy ACCEPT 9681K packets, 3307M bytes)
pkts bytes target prot opt in out source destination
48 4560 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
Chain forward_ext (0 references)
pkts bytes target prot opt in out source destination
Chain forward_int (0 references)
pkts bytes target prot opt in out source destination
Chain input_ext (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* sfw2.insert.pos */ PKTTYPE != unicast
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain input_int (1 references)
pkts bytes target prot opt in out source destination
15 5416 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
1 60 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:22 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INint-ACC-TCP "
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
1841 91214 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:51413 ctstate NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INint-ACC "
5029 257K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:51413
181 32467 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* sfw2.insert.pos */ PKTTYPE != unicast
33 1980 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INint-DROP-DEFLT "
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INint-DROP-DEFLT "
1211 122K LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix "SFW2-INint-DROP-DEFLT "
10273 987K reject_func all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject_func (1 references)
pkts bytes target prot opt in out source destination
37 2220 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
10236 984K REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
Regarding any firewall configuration issues,
I’d expect solution to be the same regardless of VNC implementation.
I list the files that should exist on your system in my rough draft addendum to openSUSE LEAP documentation
https://en.opensuse.org/User:Tsu2/remote_administration_VNC#Firewalld
Verify those files exist and contain content that makes sense.
If the files don’t exist, that suggests you didn’t successfully install VNC using the YaST “Remote Administration” module (I’ve never verified for sure that’s how these files and the firewall are configured, it’s my educated guess).
TSU
You have SuSEfirewall2 active on this system.
Interesting.
Must be an upgrade on a machine in which the original openSUSE was … 42.x? Earlier?
Which would mean an unknown mess on the system since I’d be fairly certain YaST should have installed packages and configurations assuming firewalld is running.
TSU
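Added example, not part of the original posts: the diagnosis above was read off the remote `iptables -L -n -v` listing (SFW2 log prefixes, and ACCEPT rules only for ports 22 and 51413). The sketch below automates that reading; the function names and the embedded excerpt are constructed for illustration, and the generator check is a heuristic.

```shell
# Constructed sample: trimmed excerpt of the remote listing posted in this thread.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
15500 1281K input_int all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain input_int (1 references)
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
5029 257K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:51413
33 1980 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INint-DROP-DEFLT "
10273 987K reject_func all -- * * 0.0.0.0/0 0.0.0.0/0
EOF
}

# Guess which tool generated the rules. Heuristic (assumption): SFW2 markers mean
# SuSEfirewall2; IN_<zone> chains mean firewalld on its iptables backend.
ruleset_owner() {
  awk '/SFW2-|sfw2\.insert\.pos/ { o = "SuSEfirewall2" }
       /^Chain IN_[A-Za-z]/      { if (o == "") o = "firewalld" }
       END { print (o == "" ? "unknown" : o) }'
}

# Default policy of the INPUT chain (ACCEPT or DROP).
input_policy() { awk '$1 == "Chain" && $2 == "INPUT" { print $4 }'; }

# Succeeds if some tcp ACCEPT rule names PORT, alone (dpt:N) or in a range
# (dpts:A:B). Ignores interface/source matches and rule order.
tcp_port_accepted() {  # usage: tcp_port_accepted PORT < listing
  awk -v want="$1" '
    $3 == "ACCEPT" && $4 == "tcp" {
      for (i = 10; i <= NF; i++) {
        if ($i ~ /^dpt:[0-9]+$/ && substr($i, 5) + 0 == want + 0) hit = 1
        if ($i ~ /^dpts:[0-9]+:[0-9]+$/) {
          split(substr($i, 6), r, ":")
          if (want + 0 >= r[1] + 0 && want + 0 <= r[2] + 0) hit = 1
        }
      }
    }
    END { exit (hit ? 0 : 1) }'
}

triage() {  # usage: triage PORT < listing ; prints a one-line summary
  listing=$(cat)
  owner=$(printf '%s\n' "$listing" | ruleset_owner)
  policy=$(printf '%s\n' "$listing" | input_policy)
  if printf '%s\n' "$listing" | tcp_port_accepted "$1"; then rule=accept-rule
  else rule=no-accept-rule; fi
  echo "generator=$owner input_policy=$policy tcp/$1=$rule"
}
sample_listing | triage 5900
```

On a live system the same summary comes from `sudo iptables -L -n -v | triage 5900`; a DROP policy with no accept rule for the VNC port matches the symptom in this thread.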
Maybe this will help, services on the remote
sudo service --status-all
[sudo] password for root:
accounts-daemon.service loaded active running Accounts Service
alsa-restore.service loaded active exited Save/Restore Sound Card State
apparmor.service loaded active exited Load AppArmor profiles
auditd.service loaded active running Security Auditing Service
avahi-daemon.service loaded active running Avahi mDNS/DNS-SD Stack
cron.service loaded active running Command Scheduler
cups.service loaded active running CUPS Scheduler
dbus.service loaded active running D-Bus System Message Bus
detect-part-label-duplicates.service loaded active exited Detect if the system suffers from bsc#1089761
display-manager.service loaded active running X Display Manager
dracut-shutdown.service loaded active exited Restore /run/initramfs on shutdown
getty@tty1.service loaded active running Getty on tty1
haveged.service loaded active running Entropy Daemon based on the HAVEGE algorithm
irqbalance.service loaded active running irqbalance daemon
iscsi.service loaded active exited Login and scanning of iSCSI devices
iscsid.service loaded active running Open-iSCSI
kbdsettings.service loaded active exited Apply settings from /etc/sysconfig/keyboard
kmod-static-nodes.service loaded active exited Create list of required static device nodes for the current kernel
lvm2-lvmetad.service loaded active running LVM2 metadata daemon
lvm2-monitor.service loaded active exited Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling
mcelog.service loaded active running Machine Check Exception Logging Daemon
ModemManager.service loaded active running Modem Manager
NetworkManager.service loaded active running Network Manager
nscd.service loaded active running Name Service Cache Daemon
ntpd.service loaded active running NTP Server Daemon
polkit.service loaded active running Authorization Manager
postfix.service loaded active running Postfix Mail Transport Agent
rtkit-daemon.service loaded active running RealtimeKit Scheduling Policy Service
smartd.service loaded active running Self Monitoring and Reporting Technology (SMART) Daemon
sshd.service loaded active running OpenSSH Daemon
SuSEfirewall2.service loaded active exited SuSEfirewall2 phase 2
SuSEfirewall2_init.service loaded active exited SuSEfirewall2 phase 1
systemd-backlight@backlight:acpi_video0.service loaded active exited Load/Save Screen Backlight Brightness of backlight:acpi_video0
systemd-backlight@backlight:intel_backlight.service loaded active exited Load/Save Screen Backlight Brightness of backlight:intel_backlight
systemd-fsck-root.service loaded active exited File System Check on Root Device
systemd-fsck@dev-disk-by\x2duuid-22a50dee\x2db08b\x2d412f\x2d9ee6\x2ddaec9c15f4e1.service loaded active exited File System Check on /dev/disk/by-uuid/22a50dee-b08b-412f-9ee6-daec9c15f4e1
systemd-fsck@dev-disk-by\x2duuid-2835e938\x2d959b\x2d4ea1\x2dbf62\x2dfda62e6897bc.service loaded active exited File System Check on /dev/disk/by-uuid/2835e938-959b-4ea1-bf62-fda62e6897bc
systemd-journal-flush.service loaded active exited Flush Journal to Persistent Storage
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running Login Service
systemd-modules-load.service loaded active exited Load Kernel Modules
systemd-random-seed.service loaded active exited Load/Save Random Seed
systemd-remount-fs.service loaded active exited Remount Root and Kernel File Systems
systemd-sysctl.service loaded active exited Apply Kernel Variables
systemd-tmpfiles-setup-dev.service loaded active exited Create Static Device Nodes in /dev
systemd-tmpfiles-setup.service loaded active exited Create Volatile Files and Directories
systemd-udev-trigger.service loaded active exited udev Coldplug all Devices
systemd-udevd.service loaded active running udev Kernel Device Manager
systemd-update-utmp.service loaded active exited Update UTMP about System Boot/Shutdown
systemd-user-sessions.service loaded active exited Permit User Sessions
udisks2.service loaded active running Disk Manager
upower.service loaded active running Daemon for power management
user@1000.service loaded active running User Manager for UID 1000
wpa_supplicant.service loaded active running WPA Supplicant daemon
In fact this helps a lot, as I found out that there are 3 services related to the firewall: firewalld, SuSEfirewall2.service, SuSEfirewall2_init.service.
Only firewalld was stopped. As soon as I stopped the 2 other services on the remote, I could reach the remote laptop and see the remote desktop locally.
So, the issue is fixed but I’d guess I should run the firewall as it is running by default. I need to find how to set it up.
Any help, advice or links are welcome.
Anyway, thank you for your patience.
If you still have not found documentation for SuSEfirewall2, open a new thread with a new question.
I’d like to summarise and complete the setting of the remote desktop.
To be able to get access to the user graphical desktop running on a remote computer, one needs to use x0vncserver. It doesn’t start another desktop but uses the default one when logged in (Display :0). To succeed, x0vncserver needs to be started after login.
I followed this howto, working fine manually, but the last step is NOT for openSUSE (~/.xsessionrc).
I can start the x0vncserver manually with the command
/home/user/startvnc start >/dev/null 2>&1
One needs to open a port, default 5900, in the firewall.
New openSUSE Leap (15.0, 15.1 at least) have SuSEfirewall2/SuSEfirewall2_init services (deprecated), and firewalld. On my computers, I stopped SuSEfirewall2 and use firewalld.
In firewalld, the “default” zone is in fact “Public” zone. I added ports 5900-5905 TCP to open them.
Now it’s running fine and I can access the remote desktop.
My last question is: to get an automatic start, where could I paste the above command so it runs after the start of the user graphical desktop?
I have read to use systemd or a script but can’t find any howto.
Thank you
For those running x0vncserver including how to set up for Display :0,
Following is information for starting automatically
https://wiki.archlinux.org/index.php/TigerVNC#Starting_x0vncserver_via_xprofile
TSU
That is a difference between x11vnc and vncserver.
The virtscreen script sets up an x11vnc with login into the same session.
https://github.com/kbumsik/VirtScreen
When I activate Virtscreen, it sets up the server accordingly.
But it is meant to use a virtual display to extend the monitor to it.
Thank you TSU but the link provided is not at all for a newbie like me!
As I don’t have a ~/.xprofile file on the remote computer (solution 1), I managed to create the file ~/.config/systemd/myname/x0vncserver.service (solution 2)
with the text inside without any change.
Here I am not sure what word I should use in the path: user or login user name. Very confusing when I read the pages start, enable and Systemd/User.
Now I need to start and enable the service but I don’t know how to do it. It doesn’t appear in the service GUI.
Could you help me, with the easier way (solution 1 or 2)?