Re: Simple iptables table doesn't let me forward X windows

To: debian-user@lists.debian.org
Subject: Re: Simple iptables table doesn't let me forward X windows
From: Jason <electron@emypeople.net>
Date: Sat, 20 Jan 2018 21:31:58 -0600
Message-id: <[🔎] 20180121033158.GA17784@emypeople.net>
Mail-followup-to: debian-user@lists.debian.org
In-reply-to: <[🔎] e46eed27-472d-6b98-28e8-1c8a5522f558@plouf.fr.eu.org>
References: <[🔎] 20180120181312.GA10695@emypeople.net> <[🔎] e46eed27-472d-6b98-28e8-1c8a5522f558@plouf.fr.eu.org>

On Sat, Jan 20, 2018 at 07:58:27PM +0100, Pascal Hambourg wrote:
> Le 20/01/2018 à 19:13, Jason a écrit :
> >
> >I am trying to setup (what should be) a simple iptables table
> 
> I don't think so. In iptables, "tables" are preexisting data structures
> containing chains, and chains contain rules that you create. The set of
> rules in these chains and tables is called, well, a ruleset.

Thanks for the clarification. This is my first experience using
iptables and my knowledge of it is elementary at best.

> 
> >between
> >two machines on a local network, both with static IP addresses.
> 
> Nonsense. A ruleset is set up on one machine, not between two machines.

I had thought after I wrote it that the wording probably wasn't correct.

> 
> >The machine I want to set up the iptables on
> 
> As I wrote : on one machine.
> 
> >is a headless server which I
> >access using ssh. I want to cut off all communications except with the
> >machine I ssh from.
> 
> I guess you use X tunnelling with ssh -X or -Y ?

Yes, with -X.

> >What I did works except when I try to run a GUI
> >program on the server to display locally, after a pause I get
> >something like:
> >
> >	Geany: cannot open display
> >or
> >	xterm: Xt error: Can't open display: localhost:10.0
> >
> >both of which work before I run the iptables commands.
> >
> >Here's what I did (000.000.000.000 is substituted for actual IP
> >address of client machine):
> 
> You really should not use that kind of address for substitution. 0.0.0.0 has
> a special meaning. You could use addresses in 192.0.2.0/24 which are
> reserved for examples and documentation instead.

Okay, making a note of it.

> >$ sudo iptables -A INPUT -s 000.000.000.000 -j ACCEPT
> >$ sudo iptables -A OUTPUT -d 000.000.000.000 -j ACCEPT
> >$ sudo iptables -P INPUT DROP
> >$ sudo iptables -P OUTPUT DROP
> >
> >I also tried to add
> >
> >$ sudo iptables -A INPUT -i lo -j ACCEPT
> >
> >without success.
> >
> >What do I need to do to get X forwarding to work?
> 
> Add
> 
> iptables -A OUTPUT -o lo -j ACCEPT

That works, thanks a lot Pascal!
> 
> Note that this ruleset allows much more than just SSH and X forwarding
> between the two machines.

Which is fine in this case.
Thanks again!

-- 
Jason

Reply to:

References:
- Simple iptables table doesn't let me forward X windows
  - From: Jason <electron@emypeople.net>
- Re: Simple iptables table doesn't let me forward X windows
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>

Prev by Date: Re: Iptables at boot
Next by Date: Re: Simple iptables table doesn't let me forward X windows
Previous by thread: Re: Simple iptables table doesn't let me forward X windows
Next by thread: Re: Simple iptables table doesn't let me forward X windows
Index(es):
- Date
- Thread