If we want to secure connections to VNC ports, we could add iptables rules like:
-A INPUT -s MYNETWORK/24 -p tcp -m multiport --dports 5900:5910 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5900:5910 -j REJECT
But in this case we have to know how many VNC ports will be running on the hardware node (5900+N)… Did you know that iptables can use extended packet matching modules? For example the owner module: it matches various characteristics of the packet creator, for locally generated packets. We can use it to block all outgoing connections from all VNC servers (n.b. the match is only valid in the OUTPUT and POSTROUTING chains):
-A OUTPUT -d MYNETWORK/24 -m owner --uid-owner qemu -j ACCEPT
-A OUTPUT -m owner --uid-owner qemu -j REJECT
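Because the owner-match pair only works when the network-specific ACCEPT sits above the catch-all REJECT, here is an added check (not part of the original post) that audits an iptables-save dump for exactly that; the network 192.168.10.0/24 stands in for MYNETWORK and both dumps are constructed samples.

```sh
#!/bin/sh
# Added example, not from the original post: audit an iptables-save dump to
# confirm the owner-match rules are present and in the right order. The
# ACCEPT for the trusted network must precede the catch-all REJECT; if they
# are swapped, every outgoing packet from uid "qemu" is rejected, VNC included.
# NETWORK stands in for MYNETWORK (assumed value); the dumps below are
# constructed samples, not output from a real host.

NETWORK="192.168.10.0/24"
UID_NAME="qemu"

# check_owner_rules <dump>: returns 0 when the rules are correct, 1 otherwise.
check_owner_rules() {
    dump="$1"
    # First line number of each rule in the OUTPUT chain (empty when absent).
    accept_line=$(printf '%s\n' "$dump" |
        grep -n -- "^-A OUTPUT .*-d $NETWORK .*--uid-owner $UID_NAME .*-j ACCEPT" |
        head -n1 | cut -d: -f1)
    reject_line=$(printf '%s\n' "$dump" |
        grep -n -- "^-A OUTPUT .*--uid-owner $UID_NAME .*-j REJECT" |
        head -n1 | cut -d: -f1)
    [ -n "$accept_line" ] || { echo "missing ACCEPT for $NETWORK from uid $UID_NAME"; return 1; }
    [ -n "$reject_line" ] || { echo "missing catch-all REJECT for uid $UID_NAME"; return 1; }
    if [ "$accept_line" -lt "$reject_line" ]; then
        echo "ok: ACCEPT (line $accept_line) precedes REJECT (line $reject_line)"
        return 0
    fi
    echo "misordered: REJECT (line $reject_line) precedes ACCEPT (line $accept_line)"
    return 1
}

# Constructed sample: the rules as the post gives them, in the correct order.
SAMPLE_GOOD='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 192.168.10.0/24 -m owner --uid-owner qemu -j ACCEPT
-A OUTPUT -m owner --uid-owner qemu -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Constructed sample: same rules with the order swapped, so REJECT wins.
SAMPLE_BAD='*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner qemu -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 192.168.10.0/24 -m owner --uid-owner qemu -j ACCEPT
COMMIT'

check_owner_rules "$SAMPLE_GOOD"
check_owner_rules "$SAMPLE_BAD" || echo "fix: move the ACCEPT rule above the REJECT rule"
```

On a live host, feed it the real dump with `check_owner_rules "$(iptables-save)"`.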