
iptables and X11 forwarding

I posted this on debian-user, but I didn't get any response. Maybe someone 
here can help me out. It's more of a general linux question than 
alpha-specific, but I need to use it on my alpha linux boxes.

I have a number of linux boxes, each with its own network connection. I am 
installing iptables on each of the machines to limit outside access to each 
(due to the physical location of the machines, I cannot simply make a 
subnetwork and have a single firewall blocking access to the machines) in 
conjunction with tcpwrappers to limit access to any ports iptables allows.

We use ssh with X forwarding enabled to connect to the different machines. 
However, I cannot seem to get the forwarding to work when the default INPUT 
policy is set to DROP. On host1, iptables -L looks like,

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  host1               anywhere state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere       host1 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere       host1 tcp dpt:smtp
ACCEPT     tcp  --  anywhere       host1 tcp dpt:ssh
Chain FORWARD (policy DROP)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  host1              anywhere           state NEW

If I ssh from host2, it connects just fine, but if I attempt to open an X 
program from host1 on host2 over that connection, nothing happens. If I 
change the default INPUT policy to ACCEPT on host1, X forwarding works fine. 
I don't know what rule to add to make X forwarding work correctly. I've tried 
the following (individually):

iptables -A INPUT -s host2 -d host1 -j ACCEPT
iptables -A INPUT -s host2 -d host1 -m state --state NEW -j ACCEPT

I thought that all X connections were forwarded over the ssh port, but 
apparently something else is needed here. Any suggestions?

I'm using Debian testing/woody on both machines. Kernel version is 2.4.5 for 
both with the XFS patch included. All the netfilter modules are built into 
the kernel. I am using OpenSSH 2.5.2p2 on both machines, and ssh and sshd 
on both are configured to allow X forwarding.

Thanks for your help.

Marty Sanborn

| Martin Sanborn - Dept. of Chemical Engineering - Northwestern University |
| m-sanborn@nwu.edu - (847)467-1653 - http://zeolites.cqe.nwu.edu/marty |
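
As an added example (it is not part of Marty's post and not a reply from the
list), the script below builds a host firewall like the one above together
with the rule it is missing, and includes a check that can be run against a
saved ruleset. sshd on host1 opens the forwarded display on a TCP port from
6010 upward, bound either to 127.0.0.1 or to host1's own address depending on
the OpenSSH version. An X client started on host1 connects to that listener,
and the kernel delivers the connection over the loopback interface, where it
arrives on INPUT as a NEW connection from host1 itself (or 127.0.0.1) that
none of the "-s host2" or RELATED,ESTABLISHED rules match, so the DROP policy
discards it. The ssh port rule is irrelevant here because the X traffic only
goes inside the ssh connection between host1 and host2; the leg between the X
client and sshd on host1 is a separate, local TCP connection. The address
192.0.2.10 and the sample ruleset in the script are assumptions made for the
example; with IPTABLES unset the script only prints the commands, so it runs
without root.

```shell
#!/bin/sh
# Added example, not from the original post: a host firewall with the
# loopback rule that X11 forwarding over ssh needs.
#
# Set IPTABLES=iptables to apply the rules for real (needs root). The default
# only echoes them.
IPTABLES="${IPTABLES:-echo iptables}"
HOST1="${HOST1:-192.0.2.10}"   # assumed address of host1 (documentation range)

apply_rules() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F INPUT
    # The missing rule. sshd's forwarded display (port 6010 and up) is on
    # host1 itself, and a connection from host1 to its own address, or to
    # 127.0.0.1, is delivered over the loopback interface.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Replies to connections host1 opened, plus already accepted sessions.
    $IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Services reachable from outside; tcpwrappers filters these further.
    $IPTABLES -A INPUT -p tcp -d "$HOST1" --dport 25 -m state --state NEW -j ACCEPT
    $IPTABLES -A INPUT -p tcp -d "$HOST1" --dport 22 -m state --state NEW -j ACCEPT
}

# Read a ruleset in iptables-save format on stdin and return 0 if some INPUT
# rule accepts traffic on the loopback interface or to/from 127.0.0.0/8,
# 1 otherwise. With a DROP policy, 1 means local connections such as the X
# client to sshd's display will be dropped.
loopback_allowed() {
    grep -qE '^-A INPUT .*(-i lo |-[sd] 127\.0\.0\.[0-9]+(/[0-9]+)? ).*-j ACCEPT'
}

# Constructed sample: the posted INPUT chain as iptables-save would show it,
# with host1 assumed to be 192.0.2.10. No rule covers loopback traffic.
POSTED_RULES='-P INPUT DROP
-A INPUT -s 192.0.2.10/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.0.2.10/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT'

if printf '%s\n' "$POSTED_RULES" | loopback_allowed; then
    echo "loopback traffic is accepted; X11 forwarding can reach sshd's display"
else
    echo "no INPUT rule accepts loopback traffic: the X client on host1 is dropped"
fi

# Print (or apply) the corrected ruleset.
apply_rules
```

On a running box the same check is: iptables-save | loopback_allowed, or
simply look for an "-i lo" ACCEPT line in "iptables -L INPUT -v", which shows
the interface column that plain "iptables -L" hides. Adding the loopback rule
does not widen exposure to the network, since packets arriving on a real
interface never have lo as their input interface.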
