Openstack VNC Security

If we want to secure connections to VNC ports we should add an iptables rules like:

-A INPUT -s MYNETWORK/24 -p tcp -m multiport –dports 5900:5910 -j  ACCEPT
-A INPUT -p tcp -m multiport –dports 5900:5910 -j REJECT

But in this case we should know how much VNC ports will be running on hardware node (5900+N)… Do you know that iptables can use extended packet matching modules? For example the OWNER module. This module attempts to match various characteristics of the packet creator, for locally generated packets. And we try to use it for block all outgoing (n.b. match is only valid in the OUTPUT and POSTROUTING chains) connections from all VNC servers:

-A OUTPUT -d MYNETWORK/24 -m owner –uid-owner qemu -j ACCEPT
-A OUTPUT -m owner –uid-owner qemu -j REJECT

Leave a Reply

Your email address will not be published. Required fields are marked *