Remote Desktop on the VM - AD-EYE/AD-EYE_Core GitHub Wiki

The problem to solve

We want incoming packets on port 3389 (the Remote Desktop Protocol default port) to be passed through to the virtual machine.

Suggested approach

The suggested approach is to load the following iptables rules every minute using a service.

For this approach three files are needed:

The list of iptables rules
# Generated by iptables-save v1.6.0 on Tue Sep 21 13:58:34 2021
*filter
:INPUT ACCEPT [2575:230337]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2342:151425]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.125/32 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 3389 -j ACCEPT
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
COMMIT
# Completed on Tue Sep 21 13:58:34 2021
# Generated by iptables-save v1.6.0 on Tue Sep 21 13:58:34 2021
*nat
:PREROUTING ACCEPT [370:37521]
:INPUT ACCEPT [110:11610]
:OUTPUT ACCEPT [31:2046]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.122.125:3389
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Tue Sep 21 13:58:34 2021
# Generated by iptables-save v1.6.0 on Tue Sep 21 13:58:34 2021
*mangle
:PREROUTING ACCEPT [3397:690868]
:INPUT ACCEPT [2578:230548]
:FORWARD ACCEPT [562:438543]
:OUTPUT ACCEPT [2342:151425]
:POSTROUTING ACCEPT [2906:590215]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Sep 21 13:58:34 2021
The service definition that will load those rules
[Unit]
Description = Load ip-table rules

[Service]
Type=oneshot
Restart=no
RemainAfterExit=no
User=root
ExecStart= /bin/sh -c 'iptables-restore < /etc/iptables/rules.v4'


[Install]
WantedBy=multi-user.target
The timer that will trigger the service every minute
[Unit]
Description=load_ip_tables_timer

[Timer]
OnUnitActiveSec=1min
Persistent=true

[Install]
WantedBy=timers.target

The file defining the rules and services can be downloaded here: https://kth.app.box.com/folder/146219549500.

The .service and .timer files need to be placed in /etc/systemd/system/, and the timer and the service need to be enabled with

sudo systemctl enable load_iptables_rules.timer
sudo systemctl enable load_iptables_rules.service

These commands make the system start the timer and the service on startup. Once the timer triggers, it calls load_iptables_rules.service, which in turn loads the iptables rules.

The iptables rules need to be placed at /etc/iptables/rules.v4. This can be done with the following command:

sudo cp iptables_rules /etc/iptables/rules.v4

Additional details about how we got there

These details might be useful if the suggested approach above was not successful.

Enabling remote desktop by port forwarding

To enable remote desktop access to the Windows virtual machine, the Ubuntu host needs to forward all incoming connections on the Remote Desktop port (3389).

Typing the following commands with the proper IP addresses will enable the port forwarding.

sudo iptables -t nat -A PREROUTING -p tcp -d 130.237.59.134 --dport 3389 -j DNAT --to-destination 192.168.122.125:3389
sudo iptables -I FORWARD -m state -d 192.168.122.1/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT

IP addresses used in this example:

  • 130.237.59.134: the public IP (google "my ip")
  • 192.168.122.125: the address of the Windows VM on the NAT (check ipconfig in the Windows cmd)
  • 192.168.122.1: the address of Ubuntu on the NAT (check ifconfig and look for virbr0)

Saving the firewall rules

Reusing the recommended rules together with the service that loads them is recommended; this section describes how the rules were saved manually.

The previous commands set up the port forwarding but do not make it persistent. To do so, run sudo apt-get install iptables-persistent. During the installation the user is prompted to save the current rules; choose yes for both IPv4 and IPv6.

The following commands save the iptables rules manually:

sudo su
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6
exit

However, on startup libvirtd modifies the iptables rules, and those modifications can conflict with the port forwarding (despite iptables-persistent). That is why a service was created to reload the rules every minute, thus bypassing the startup conflict with libvirtd.

Restoring iptables rules manually

If at some point the remote connection stops working, the rules might have been lost. In that case, restore them with the following commands:

sudo su
iptables-restore < /etc/iptables/rules.v4
exit
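A checked variant of the reload step, added here as an example and not part of the AD-EYE wiki or its download: instead of blindly running iptables-restore every minute, it inspects an iptables-save dump for the two rules that make the RDP forwarding work (the nat PREROUTING DNAT and the filter FORWARD ACCEPT for the VM) and restores the saved file only when one of them is gone. VM_IP, RDP_PORT and RULES_FILE are assumptions taken from the values used on this page.

```shell
#!/bin/sh
# Added example, not part of the AD-EYE wiki: check whether the two rules that
# make RDP forwarding work are still in a ruleset, and restore only if not.
# VM_IP, RDP_PORT and RULES_FILE are assumptions matching the values on this page.
VM_IP="${VM_IP:-192.168.122.125}"
RDP_PORT="${RDP_PORT:-3389}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# rdp_rules_present RULES_TEXT
# Succeeds when RULES_TEXT (iptables-save format) contains both
#   - in *nat:    a PREROUTING DNAT of tcp/RDP_PORT to VM_IP:RDP_PORT
#   - in *filter: a FORWARD ACCEPT for tcp/RDP_PORT towards VM_IP/32
# The *table headers are tracked so that a rule in the wrong table does not count.
rdp_rules_present() {
    nat_ok=$(printf '%s\n' "$1" | awk -v ip="$VM_IP" -v port="$RDP_PORT" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A PREROUTING / && /-j DNAT/ &&
            index($0, "--dport " port " ") &&
            index($0, "--to-destination " ip ":" port) { found = 1 }
        END { if (found) print "yes"; else print "no" }')
    fwd_ok=$(printf '%s\n' "$1" | awk -v ip="$VM_IP" -v port="$RDP_PORT" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A FORWARD / && /-j ACCEPT/ &&
            index($0, "-d " ip "/32 ") &&
            index($0, "--dport " port " ") { found = 1 }
        END { if (found) print "yes"; else print "no" }')
    if [ "$nat_ok" = yes ] && [ "$fwd_ok" = yes ]; then
        return 0
    fi
    return 1
}

# ensure_rdp_rules: live check against the running kernel ruleset; reload the
# saved file only when the rules are gone (e.g. libvirtd rewrote them at boot).
# Needs root; this is what the service's ExecStart would call.
ensure_rdp_rules() {
    if rdp_rules_present "$(iptables-save)"; then
        echo "RDP forwarding rules present, nothing to do"
        return 0
    fi
    echo "RDP forwarding rules missing, restoring $RULES_FILE" >&2
    iptables-restore < "$RULES_FILE"
}
```

Only the presence of the two rules is verified, so a dump that still carries them but has lost other libvirt rules is not touched.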