I may be way off base here, but I wonder if 'ping localhost' is working on host1 either? If that's not working (and it looks like it wouldn't), I'd suspect that the following would solve the problem:

    iptables -I INPUT -i lo -j ACCEPT

See why? You're not accepting loopback traffic. Of course, after that, the ping will only work from localhost. See below.

In case you're not aware of it, you're blocking ICMP, which is a big no-no. You also need to add to your rules

    iptables -I INPUT -p icmp -j ACCEPT

and read up on path MTU discovery in the list archives and/or at http://www.worldgate.ca/marcs/mtu/ to learn why you shouldn't block (all) ICMP.

Vineet

* Martin Sanborn (marty@delirium.cqe.nwu.edu) [010726 11:08]:
<snip>
> We use ssh with X forwarding enabled to connect to the different machines.
> However, I cannot seem to get the forwarding to work when the default INPUT
> policy is set to DROP. On host1, iptables -L looks like,
>
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  anywhere             host1              state RELATED,ESTABLISHED
> ACCEPT     tcp  --  anywhere             host1              tcp dpt:smtp
> ACCEPT     tcp  --  anywhere             host1              tcp dpt:ssh
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  host1                anywhere           state NEW
>
> If I ssh from host2, it connects just fine, but if I attempt to open an X
> program from host1 on host2 over that connection, nothing happens. If I
> change the default INPUT policy to ACCEPT on host1, X forwarding works fine.
> I don't know what rule to add to make X forwarding work correctly. I've tried
> the following (individually):
>
> iptables -A INPUT -s host2 -d host1 -j ACCEPT
> iptables -A INPUT -s host2 -d host1 -m state --state NEW -j ACCEPT
>
> I thought that all X connections were forwarded over the ssh port, but
> apparently something else is needed here. Any suggestions?
>
> I'm using Debian testing/woody on both machines. Kernel version is 2.4.5 for
> both with the XFS patch included. All the netfilter modules are built into
> the kernel. I am using OpenSSH 2.5.2p2 on both machines, and ssh and sshd
> on both are configured to allow X forwarding.
>
> Thanks for your help.
>
> Marty Sanborn
>
> --
> | Martin Sanborn - Dept. of Chemical Engineering - Northwestern University |
> | m-sanborn@nwu.edu - (847)467-1653 - http://zeolites.cqe.nwu.edu/marty   |
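The diagnosis above, worked through in a POSIX sh script. This is an added example for this thread, not a script posted by Vineet or Marty. It relies on two facts about OpenSSH: with X11 forwarding, sshd listens for the forwarded display on the server at port 6000 plus the display number (X11DisplayOffset defaults to 10, so DISPLAY=localhost:10.0 means 127.0.0.1:6010), and X clients run in that session connect to that port over the loopback interface, so their packets traverse INPUT and are dropped by the DROP policy unless lo is accepted. The netstat sample is constructed, not captured from host1; the ruleset reproduces host1's chain with the two rules Vineet adds, and IPT defaults to "echo iptables" so the script only prints the commands unless you set IPT=iptables as root.

```shell
#!/bin/sh
# Added example for this thread; not Vineet's or Marty's script.
# (1) Why an INPUT DROP policy without a loopback rule breaks ssh X11 forwarding.
# (2) A minimal ruleset for host1 following the thread's advice.

# With "ssh -X", sshd on the server opens a listener for the forwarded display at
# 127.0.0.1:(6000 + display), e.g. DISPLAY=localhost:10.0 -> 127.0.0.1:6010.
# X clients started in that session connect to it over lo, so their SYNs hit the
# INPUT chain exactly like packets from the network and die under a DROP policy.

# Constructed "netstat -ltn" output from the ssh server (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN'

# TCP port behind a DISPLAY value such as "localhost:10.0".
display_port() {
    d="${1#*:}"        # drop the host part
    d="${d%%.*}"       # drop the ".screen" suffix
    echo $((6000 + d))
}

# Local address of the TCP listener on the given port, from netstat-style input on stdin.
x11_listener() {
    awk -v p="$1" '$1 == "tcp" && $4 ~ (":" p "$") { print $4 }'
}

# Returns 0 when the address is loopback, i.e. an "-i lo" ACCEPT rule is what is missing.
is_loopback() {
    case "$1" in 127.*) return 0 ;; *) return 1 ;; esac
}

# Minimal ruleset. IPT defaults to "echo iptables" so running this as a
# non-root user only prints the commands; set IPT=iptables to apply them.
apply_rules() {
    ipt="${IPT:-echo iptables}"
    $ipt -P INPUT DROP
    $ipt -P FORWARD DROP
    $ipt -P OUTPUT ACCEPT
    $ipt -F INPUT
    # Loopback first: X11 forwarding, local resolvers, anything talking to 127.0.0.1.
    $ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened, plus ICMP errors tied to them (RELATED).
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ICMP: dropping it all breaks path MTU discovery (fragmentation-needed) and ping.
    $ipt -A INPUT -p icmp -j ACCEPT
    # The services host1 exposes in the thread: ssh and smtp.
    $ipt -A INPUT -p tcp --dport 22 -j ACCEPT
    $ipt -A INPUT -p tcp --dport 25 -j ACCEPT
}

# Walk through the diagnosis on the constructed sample, then print the rules.
main() {
    port=$(display_port localhost:10.0)
    addr=$(printf '%s\n' "$SAMPLE_NETSTAT" | x11_listener "$port")
    if is_loopback "$addr"; then
        echo "X11 forward listens on $addr: INPUT must accept traffic arriving on lo"
    else
        echo "X11 forward listens on $addr"
    fi
    apply_rules
}

main
```

If you want something narrower than accepting all ICMP, keep the ESTABLISHED,RELATED rule (it already admits the fragmentation-needed errors that belong to tracked connections) and add `-p icmp --icmp-type echo-request` for ping; but as Vineet says, the mistake to avoid is dropping ICMP wholesale.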