
iptables and X11 forwarding through ssh



I posted this on debian-user, but I didn't get any response. Maybe someone
here can help me out. 

I have a number of linux boxes, each with its own network connection. I am
installing iptables on each of the machines to limit outside access to each
(due to the physical location of the machines, I cannot simply make a
subnetwork and have a single firewall blocking access to the machines) in
conjunction with tcpwrappers to limit access to any ports iptables allows.

We use ssh with X forwarding enabled to connect to the different machines.
However, I cannot seem to get the forwarding to work when the default INPUT
policy is set to DROP. On host1, iptables -L looks like,

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere       host1 state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere       host1 tcp dpt:smtp
ACCEPT     tcp  --  anywhere       host1 tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  host1              anywhere           state NEW

If I ssh from host2, it connects just fine, but if I attempt to open an X
program from host1 on host2 over that connection, nothing happens. If I
change the default INPUT policy to ACCEPT on host1, X forwarding works fine.
I don't know what rule to add to make X forwarding work correctly. I've tried
the following (individually):

iptables -A INPUT -s host2 -d host1 -j ACCEPT
iptables -A INPUT -s host2 -d host1 -m state --state NEW -j ACCEPT

I thought that all X connections were forwarded over the ssh port, but
apparently something else is needed here. Any suggestions?

I'm using Debian testing/woody on both machines. Kernel version is 2.4.5 for
both with the XFS patch included. All the netfilter modules are built into
the kernel. I am using OpenSSH 2.5.2p2 on both machines, and ssh and sshd
on both are configured to allow X forwarding.

Thanks for your help.

Marty Sanborn

--

| Martin Sanborn - Dept. of Chemical Engineering - Northwestern University |
| m-sanborn@nwu.edu - (847)467-1653 - http://zeolites.cqe.nwu.edu/marty |
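An added example, not part of the original message or the poster's configuration. X11 forwarding does travel inside the existing ssh connection, so no extra rule between host2 and host1 is needed; what the DROP policy on host1 blocks is the local leg of the tunnel. sshd on host1 creates a forwarded DISPLAY that listens on host1 itself, and the X client on host1 connects to that listener over the loopback interface. That is a NEW connection from host1 to host1 on "lo", which none of the rules shown accept. The script below emits an iptables-restore ruleset that keeps the poster's policies (INPUT and FORWARD DROP, OUTPUT ACCEPT, smtp and ssh open) and adds an accept for the loopback interface, plus a check that reads an iptables-save dump and reports the rules it expects. Port numbers 22 and 25 are the numeric forms of the ssh and smtp names in the poster's listing; everything else is an assumption of the example.

```shell
#!/bin/sh
# Added example: iptables-restore ruleset for the ssh server side (host1)
# plus a checker for an iptables-save dump. Not the poster's own rules.

gen_rules() {
    # Emit the ruleset in iptables-save/iptables-restore syntax.
    # The "-i lo" rule is the one the poster's chain lacks: sshd's forwarded
    # DISPLAY is reached over the loopback interface, and matching on the
    # interface covers both a 127.0.0.1 listener and one bound to host1's
    # own address, since traffic to a local address is routed via lo.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

check_ruleset() {
    # Read an iptables-save dump on stdin, print each expected rule that is
    # missing, and return 1 if anything is missing (0 otherwise).
    dump=$(cat)
    rc=0
    printf '%s\n' "$dump" | grep -q -- '^-A INPUT -i lo -j ACCEPT' || {
        echo 'missing: ACCEPT on loopback (X11 forwarding fails under INPUT DROP)'
        rc=1
    }
    # Accept either the state match or the newer conntrack match spelling.
    printf '%s\n' "$dump" \
        | grep -Eq -- '^-A INPUT .*--(ct)?state RELATED,ESTABLISHED -j ACCEPT' || {
        echo 'missing: ACCEPT for RELATED,ESTABLISHED replies'
        rc=1
    }
    return $rc
}
```

Load the rules as root with `gen_rules | iptables-restore`, then confirm with `iptables-save | check_ruleset`. The checker only inspects the INPUT chain for the two rules the ssh server needs; it does not validate the rest of the policy.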


