iptables and X11 forwarding
I posted this on debian-user, but I didn't get any response. Maybe someone
here can help me out. It's more of a general linux question than
alpha-specific, but I need to use it on my alpha linux boxes.
I have a number of linux boxes, each with its own network connection. I am
installing iptables on each of the machines to limit outside access to each
(due to the physical location of the machines, I cannot simply make a
subnetwork and have a single firewall blocking access to the machines) in
conjunction with tcpwrappers to limit access to any ports iptables allows.
We use ssh with X forwarding enabled to connect to the different machines.
However, I cannot seem to get the forwarding to work when the default INPUT
policy is set to DROP. On host1, iptables -L looks like,
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- host1 anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere host1 state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere host1 tcp dpt:smtp
ACCEPT tcp -- anywhere host1 tcp dpt:ssh
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- host1 anywhere state NEW
If I ssh from host2, it connects just fine, but if I attempt to open an X
program from host1 on host2 over that connection, nothing happens. If I
change the default INPUT policy to ACCEPT on host1, X forwarding works fine.
I don't know what rule to add to make X forwarding work correctly. I've tried
the following (individually):
iptables -A INPUT -s host2 -d host1 -j ACCEPT
iptables -A INPUT -s host2 -d host1 -m state --state NEW -j ACCEPT
I thought that all X connections were forwarded over the ssh port, but
apparently something else is needed here. Any suggestions?
I'm using Debian testing/woody on both machines. Kernel version is 2.4.5 for
both with the XFS patch included. All the netfilter modules are built into
the kernel. I am using OpenSSH 2.5.2p2 on both machines, and ssh and sshd
on both are configured to allow X forwarding.
Thanks for your help.
Marty Sanborn
--
| Martin Sanborn - Dept. of Chemical Engineering - Northwestern University |
| m-sanborn@nwu.edu - (847)467-1653 - http://zeolites.cqe.nwu.edu/marty |
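A small added model (not from Marty's post) of how the INPUT chain listed above treats two connections: the inbound ssh from host2, and the local connection an X client on host1 makes to sshd's X11 listener for the forwarded display. It assumes that listener is reached over the loopback interface on port 6010 (display :10), that rules are evaluated top to bottom, and the addresses are constructed stand-ins for host1 and host2.

```python
# Added example: a minimal model of iptables INPUT evaluation for the
# ruleset shown in the post. Assumption (not stated in the post): the X
# client on host1 connects to sshd's X11 listener over loopback, port 6010,
# so that packet traverses INPUT with conntrack state NEW like any other.
HOST1 = "10.0.0.1"   # constructed address standing in for "host1"
HOST2 = "10.0.0.2"   # constructed address standing in for "host2"

def rule(target, **match):
    """A rule is a target plus match criteria; a missing key means 'any'."""
    return (target, match)

# host1's INPUT chain as listed in the post (policy DROP).
INPUT_FROM_POST = [
    rule("ACCEPT", src=HOST1, state={"RELATED", "ESTABLISHED"}),
    rule("ACCEPT", dst=HOST1, state={"RELATED", "ESTABLISHED"}),
    rule("ACCEPT", dst=HOST1, proto="tcp", dport=25),   # smtp
    rule("ACCEPT", dst=HOST1, proto="tcp", dport=22),   # ssh
]

# The same chain with a loopback accept inserted first
# (iptables -I INPUT -i lo -j ACCEPT): local daemons such as sshd's
# X11 listener are reached through lo, which the posted rules never match.
INPUT_WITH_LO = [rule("ACCEPT", iface="lo")] + INPUT_FROM_POST

def matches(match, pkt):
    """True when every criterion in the rule matches the packet."""
    for key, want in match.items():
        have = pkt.get(key)
        if key == "state":
            if have not in want:
                return False
        elif have != want:
            return False
    return True

def verdict(chain, pkt, policy="DROP"):
    """First matching rule wins; otherwise the chain policy applies."""
    for target, match in chain:
        if matches(match, pkt):
            return target
    return policy

# Constructed packets: the inbound ssh SYN from host2, and the first SYN an
# X client on host1 sends to the forwarded display on 127.0.0.1:6010.
SSH_SYN = {"iface": "eth0", "src": HOST2, "dst": HOST1,
           "proto": "tcp", "dport": 22, "state": "NEW"}
X11_SYN = {"iface": "lo", "src": "127.0.0.1", "dst": "127.0.0.1",
           "proto": "tcp", "dport": 6010, "state": "NEW"}

if __name__ == "__main__":
    for name, chain in (("as posted", INPUT_FROM_POST), ("with -i lo", INPUT_WITH_LO)):
        print(name, "ssh:", verdict(chain, SSH_SYN), "x11:", verdict(chain, X11_SYN))
```

Running it shows the ssh connection accepted under both chains while the X11 connection is dropped by the posted chain and accepted only once loopback traffic is allowed.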