
I’m trying to set up a VNC server using the instructions at

I am up to step 6:

Step 6: Edit iptables

In order for the VNC connections to get through, you must allow them with iptables. To do this, open up the file /etc/sysconfig/iptables and add the line:

-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 5901:5903,6001:6003 -j ACCEPT

Save the file and restart iptables with the command:

service iptables restart

When I issue the restart command I get:

iptables: Applying firewall rules: iptables-restore: line 1 failed

Note that I did not have an iptables file before but there is an iptables-config file.

Can someone help me complete this configuration?


29 thoughts on - VNC

  • Can you post the content of the file? I just edited the config file and I
    didn’t get any errors when I issued the command

    $ sudo /sbin/service iptables restart

  • As I wrote, there was no iptables file. I created one with just that one line:

    -A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 5901:5903,6001:6003 -j ACCEPT

  • Try this, iptables dump from my fresh install, with SSH allow and the VNC
    you referenced.


    # Generated by iptables-save v1.4.7 on Fri Oct 11 17:39:52 2013
    *filter
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [45:7091]
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 5901:5903,6001:6003 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Fri Oct 11 17:39:52 2013
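
Added example (not part of any post in this thread): a file in `iptables-restore` format needs a `*table` header line (such as `*filter`) before its rules and a `COMMIT` line after them; a file holding only the `-A` line has neither. The script below checks that structure and also flags typographic dashes picked up when a rule is copied from a web page. The sample files and the function names `lint_rules` and `write_samples` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: structural lint for a rules file in
# iptables-restore format (for example /etc/sysconfig/iptables).

# lint_rules FILE: print one finding per line; exit status 0 only if clean.
lint_rules() {
    LC_ALL=C awk -v en="$(printf '\342\200\223')" -v em="$(printf '\342\200\224')" '
        function bad(msg) { printf "line %d: %s\n", NR, msg; n++ }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        index($0, en) || index($0, em) { bad("typographic dash, options need ASCII --") }
        /^\*/ { table = substr($0, 2); next }        # table header such as *filter
        /^:/  { if (table == "") bad("chain policy before any *table header"); next }
        /^COMMIT[ \t]*$/ { if (table == "") bad("COMMIT without a *table header")
                           table = ""; next }
        /^-/  { if (table == "") bad("rule before any *table header")
                if ($NF == "COMMIT") bad("COMMIT must be on its own line")
                next }
        { bad("not a table header, chain, rule or COMMIT") }
        END { if (table != "") { print "end of file: table " table " has no COMMIT"; n++ }
              exit (n > 0) }
    ' "$1"
}

# write_samples DIR: constructed sample files (not taken from a real host).
write_samples() {
    rule='-A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 5901:5903,6001:6003 -j ACCEPT'
    dash=$(printf '\342\200\223')   # U+2013 EN DASH, as web typography produces
    # The rule on its own, with no table header and no COMMIT.
    printf '%s\n' "$rule" > "$1/oneline"
    # The same rule inside a complete table section.
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' "$rule" 'COMMIT' > "$1/good"
    # Correct structure, but one option carries a typographic dash.
    printf '%s\n' '*filter' "-A INPUT -m state ${dash}state NEW -j ACCEPT" 'COMMIT' > "$1/pasted"
}

dir=$(mktemp -d) && write_samples "$dir"
for f in oneline good pasted; do
    echo "== $f"
    lint_rules "$dir/$f" && echo "ok"
done
rm -rf "$dir"
```

On the server itself, `iptables-restore --test < /etc/sysconfig/iptables` parses the file without committing it.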

  • OK, with this file I’m getting connection timed out – before I was getting connection refused so I guess that’s some progress.

  • The instructions you linked to have a typo at the end: they say to connect to ip:5801; it should be 5901.

    If you’re using a VNC client (uvnc, tightvnc...), try using just the IP without the :port part, or :1 for 5901.

    Try lsof -i -P | grep -i "listen"

    To see what ports are listening…



  • I am unfortunately connecting from a windows box that I do not have admin rights on. I have to use the client provided, which is RealVNC Viewer. All I can do is give the ip.

    [root@10 sysconfig]# lsof -i -P | grep -i "listen" | grep vnc
    Xvnc 22052 motor 4u IPv4 527366 0t0 TCP localhost.localdomain:5901 (LISTEN)
    Xvnc 22286 motor 4u IPv4 530145 0t0 TCP localhost.localdomain:5902 (LISTEN)
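
Added example (not part of any post in this thread): the `lsof` output above shows both Xvnc listeners bound to `localhost.localdomain`, and a socket bound to the loopback address accepts connections only from the machine itself. The script reads `lsof -i -P` output and reports, per Xvnc port, whether it is bound to loopback (reachable through an SSH port forward, as suggested later in the thread) or to all interfaces (where the firewall rule decides). The last two sample lines are constructed, and it assumes `localhost.localdomain` resolves to the loopback address.

```shell
#!/bin/sh
# Added example, not from the thread: report where each Xvnc listener is bound.

# vnc_listeners: read `lsof -i -P` output on stdin; for every Xvnc socket in
# LISTEN state print "<port> <scope>", scope being loopback, all or an address.
vnc_listeners() {
    awk '
        $1 == "Xvnc" && $NF == "(LISTEN)" {
            name = $(NF - 1)                      # NAME column, e.g. *:5902
            n = split(name, part, ":")
            port = part[n]                        # text after the last colon
            addr = substr(name, 1, length(name) - length(port) - 1)
            if (addr ~ /^(localhost|127\.|\[::1\])/) scope = "loopback"
            else if (addr == "*")                    scope = "all"
            else                                     scope = "address " addr
            print port, scope
        }'
}

# advise: turn "<port> <scope>" lines into the next step discussed in the thread.
advise() {
    while read -r port scope; do
        case $scope in
            loopback) echo "$port: local only; use ssh -L $port:localhost:$port <host>" ;;
            all)      echo "$port: all interfaces; firewall must allow tcp/$port" ;;
            *)        echo "$port: bound to ${scope#address }" ;;
        esac
    done
}

# Sample input: the two Xvnc lines are the ones posted above; the header,
# the *:5903 listener and the sshd line are constructed for contrast.
sample_lsof() {
    cat <<'EOF'
COMMAND   PID  USER FD TYPE DEVICE SIZE/OFF NODE NAME
Xvnc    22052 motor 4u IPv4 527366      0t0  TCP localhost.localdomain:5901 (LISTEN)
Xvnc    22286 motor 4u IPv4 530145      0t0  TCP localhost.localdomain:5902 (LISTEN)
Xvnc    28326 motor 4u IPv4 530200      0t0  TCP *:5903 (LISTEN)
sshd     1501  root 3u IPv4  11873      0t0  TCP *:22 (LISTEN)
EOF
}

sample_lsof | vnc_listeners | advise
```

Running `lsof` with `-n` prints numeric addresses, which removes the dependence on how the host name resolves.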

  • You can specify the port with the IP by using the colon with the ip.

    x.x.x.x:5901 or x.x.x.x:5902


  • Humm,

    Could the Windows machine be blocking the port going out?

    If you’re using PuTTY as an SSH client you could try to port forward (5901,
    5901) through the SSH session and then try to connect using localhost:5901
    or localhost:5902 on the Windows machine and see if you can connect.

    It can be done with other SSH clients but I’ve only used PuTTY, so I know it can be done with it.

    You might also compare some of the settings to this page

    You could try stopping the servers and running the VNC server in the console to see if there are connections or errors – but I’m not sure with the configuration you’re using if that is possible.

    I’m not sure what else to offer.


  • No – I can connect with VNC to many other hosts from the windows box.

    Yes, I had seen that site and checked and everything looks copasetic.

    No, I don’t have access to the console. I’m in New Mexico and the machine is in New York.

    NP, I appreciate the help. I have an admin looking at it now – he said ‘I don’t know why it doesn’t work. It should. It’s weird’, which makes me feel better ;-)

    He’s suggesting I try and use virtual manager instead of VNC. I’m not familiar with that, so I’ll have to give that a google.


  • I had posted last week about trying to get VNC working. I was never successful nor were multiple admins. But we realized that all the hosts we tried on were VMs. We followed the same procedure ( on a machine with physical HW and it worked with no problem. But on the VM I can connect, but I don’t get any window displayed. Here is what is in the log:

    Sat Oct 19 18:39:55 2013
    VNCext: VNC extension running!
    VNCext: Listening for VNC connections on all interface(s), port 5902
    VNCext: created VNC server for screen 0
    GNOME_KEYRING_SOCKET=/tmp/keyring-Y6Tg3c/socket
    SSH_AUTH_SOCK=/tmp/keyring-Y6Tg3c/socket.ssh
    GNOME_KEYRING_PID728
    Failed to play sound: File or data not found

    ** (nm-applet:19775): WARNING **: request_name(): Could not acquire the NetworkManagerUserSettings service.
    Error: (9) Connection ":1.552" is not allowed to own the service "org.freedesktop.NetworkManagerUserSettings" due to security policies in the configuration file

    19/10/2013 06:39:59 PM Autoprobing TCP port in (all) network interface
    19/10/2013 06:39:59 PM Listening IPv{4,6}://*:5900
    19/10/2013 06:39:59 PM Autoprobing selected port 5900
    19/10/2013 06:39:59 PM Advertising authentication type: 'VNC Authentication' (2)
    19/10/2013 06:39:59 PM Advertising security type: 'VNC Authentication' (2)

    (polkit-gnome-authentication-agent-1:19796): GLib-GObject-WARNING **: cannot regster existing type `_PolkitError'

    (polkit-gnome-authentication-agent-1:19796): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
    Initializing nautilus-gdu extension
    Initializing nautilus-open-terminal extension

    ** (gnome-panel:19761): CRITICAL **: panel_applet_frame_change_background: assertion `PANEL_IS_WIDGET (GTK_WIDGET (frame)->parent)' failed

    (polkit-gnome-authentication-agent-1:19796): polkit-gnome-1-WARNING **: No icon for themed icon with name 'preferences-system-network-proxy'
    Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x2c00003 (Authentica)
    Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.
    Window manager warning: Buggy client sent a _NET_ACTIVE_WINDOW message with a timestamp of 0 for 0x2c00003 (Authentica)
    Window manager warning: meta_window_activate called by a pager with a 0 timestamp; the pager needs to be fixed.
    19/10/2013 06:40:48 PM [IPv6] Got connection from client
    19/10/2013 06:40:48 PM other clients:
    19/10/2013 06:40:49 PM Client Protocol Version 3.7
    19/10/2013 06:40:49 PM Advertising security type 2
    19/10/2013 06:40:49 PM Client returned security type 2

    Anyone have any clues as to what could be wrong and why it works on a physical host and not on a VM?

  • Googling that error I found this: and I followed the advice there. Now I don’t get that error, but I still get no display. Now all I get in the log is this:

    19/10/2013 07:14:27 PM [IPv6] Got connection from client
    19/10/2013 07:14:27 PM other clients:
    19/10/2013 07:14:27 PM Client Protocol Version 3.7
    19/10/2013 07:14:27 PM Advertising security type 2
    19/10/2013 07:14:28 PM Client returned security type 2

    My xstartup file is identical on the VM and the physical host.

    Does anyone out there have VNC working on a VM?

  • I believe that I just found the answer to this question. I have been beating myself up for the last few hours and I was getting the same error that you posted.

    ****************Test Environment**************
    2 Laptops
    One of the two laptops has several Linux KVMs


    The reason why you are not able to connect with the KVM Guest is because by default KVM Guest uses VNC, which will conflict with tiger-vncserver.

    What is your current VM environment? To resolve the issue I switched from VNC to Spice as the choice of display for the KVM Guest, and I was finally able to establish communication with the KVM guest.

    Let me know if this works for you.

  • From the KVM Guest, under “Show Virtual Hardware Detail”, I changed the type from VNC to Spice in the Display option, which was “Display VNC” prior to the change.

    You don’t have to make the change if you don’t want to as I was able to connect to the KVM Guest after it was started with the following command and the Display was configured for VNC:
    $ sudo virsh start KVM_Guest

    Once there are no sessions for the KVM that you are connecting to, you will be fine.

  • If the VNC consoles are listening on the KVM host’s IP address, how could both VNC servers conflict?

    I suppose it depends on how the VM networking is configured. If your setup is bridged, the VM’s VNC server would listen on an IP address different from that of the host.

    Just looking for a rational explanation as to why your solution works. Thanks!

  • Sorry for top posting, this is the only option that the phone allows.

    If the host is running an X server you can use the -X option with ssh.

    $ ssh -X user@host

    And start virt-manager to manage the VMs.

  • Are you using an Android phone? If so, install the Hackers Keyboard from the google play store and get a keyboard with all of the keys on it.

  • I haven’t followed this thread that closely, so hopefully, I’m not suggesting something that has already been discarded.

    Say the host is called kvmserver and your guest is called kvmguest. While on there, with SSH session

    virsh vncdisplay kvmguest

    It will tell you if it’s on display 0, 1, 2, or whatever.

    Let’s say it’s on 0.

    On your local machine

    ssh -L 5900:localhost:5900 kvmhost

    Now, if you do vncviewer localhost, it will open up a console on the remote kvm machine.

    If running virsh vncdisplay kvmguest shows 5901 or 5902, then change the 5900 to that number, and change vncviewer localhost to vncviewer localhost:1, localhost:2 or whatever.

  • That gives me:

    error: Failed to reconnect to the hypervisor
    error: no valid connection
    error: internal error Unable to locate libvirtd daemon in /usr/sbin (to override, set $LIBVIRTD_PATH to the name of the libvirtd binary)

  • yes, you need an X server, like xming, to use X11.

    I believe you can run xming without installing it, get the zip version, or the ‘portable’ version.

  • On 20.10.2013 at 00:56, Larry Martell wrote:


    Don’t know if this is what you had in mind, but I always set up VNC on my CentOS/OEL VMs running under VMWare as well as under Oracle VM server according to a HowTo I found some time ago on a Citrix blog:

    bullets 4) – 12).

    In short, this runs VNC as an on-request service via xinetd. Multiple simultaneous connections are possible. Perhaps you might want to give it a try.


  • I will be able to replicate your environment within a few days; are you willing to give it another shot? SilverTip257 had an interesting question with regard to how the network is set up.

    I’m assuming that the host has a bridge nic compared to the bridge that is created by libvirtd “virbr0”, which has the default network of

    Can you confirm my assumption and let me know if you are willing to continue to work on a resolution.

  • I appreciate your offer and it certainly would be nice to get this solved, but it’s no longer critical for me to do my job. Also I will be super busy this coming week.

    I don’t know how to answer your question – I am a developer not an admin – but if you give me the commands needed I can execute them. I don’t have access to the physical host – it’s 2,000 miles away from where I am. I could try and ask an admin there, but they are super busy too and they’ve moved on to other things (We are really short staffed.)


  • Good Day Larry,

    I finally got the time to build the test environment

    KVM Host Network Configuration:




    KVM Guest Network Configuration:

    Host device bond0 (Bridge ‘br0’)

    I have installed tiger VNC server and made the following changes in


    VNCSERVERARGS[2]="-geometry 800x600"

    The VNCserver was stopped

    /etc/init.d/vncserver stop

    Configure authentication

    vncserver :2 (I was prompted to create and verify the password)

    From the remote computer I was able to connect to the CentOS 6.4 KVM Guest using tiger VNC VNCviewer.


    netstat -atulp | grep vnc

    tcp 0 0 *:5902 *:* LISTEN 28326/Xvnc
    tcp 0 0 *:6002 *:* LISTEN 28326/Xvnc
    tcp 0 0 ESTABLISHED 28326/Xvnc
    tcp 0 0 *:6002 *:* LISTEN 28326/Xvnc

    Seeing that you are able to connect to the server using SSH, I believe that it’s safe to assume that the setup is similar to what I created. If you are using a Bridge connection, you will not have to close the KVM Guest, nor will you have to change the display from VNC to Spice.

    Let me know if this helps.