X11 forwarding and iptables question
bob 295
icanprogram-sKcZck+fQKg at public.gmane.org
Sat Nov 27 15:08:04 UTC 2010
I have my default policy to DROP packets. It turns out to enable X11
forwarding over ssh I needed to enable the local loopback interface as well
as ssh port 22, i.e.
    iptables -A INPUT -i lo -p all -j ACCEPT
seems to have done the trick.
Thanks again for your help.
bob
On Friday 26 November 2010 06:24 pm, John Sellens wrote:
> If X apps work for you locally, then they should also work with X11
> forwarding over ssh, unless you have very strange iptables settings
> (e.g. rules on lo0/127.0.0.1/localhost).
>
> Check the remote end's sshd_config file to make sure that X11Forwarding
> is allowed. My sshd_config(5) man page says that the default is no.
>
> Check your DISPLAY environment variable in your ssh session (via echo
> $DISPLAY). Ssh should set it to something like localhost:10.0 if
> forwarding is working.
>
> Check that the remote end has an xauth(1) command.
>
> See if verbose ssh (with -v) tells you anything interesting.
>
> Hope that helps!
>
> John
>
> | I recently locked down my ports using some iptables rules to DROP all
> | INPUT and FORWARD packets and then accept only on certain ports.
> |
> | Most of my stuff is working as expected except for X11 forwarding (i.e.
> | by logging in with ssh -X and running stuff like xclock).
> |
> | I noticed that ports 177 and 6000:6007 are X11 related. I opened these
> | up on the INPUT chain but X11 forwarding still doesn't work.
> |
> | What iptables rule should I be invoking to allow X11 forwarding?
>
> --
> The Toronto Linux Users Group. Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
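Why opening 6000:6007 did not help while the loopback rule did, as an added example that is not part of the original thread: with DISPLAY set to localhost:10.0, sshd's X11 proxy listens on TCP port 6010 on the loopback interface, so the X client's connection arrives on lo. The rule lists are constructed samples in `iptables -S INPUT` format, and `display_to_port` and `verdict` are hypothetical helpers that model only a small subset of iptables matching.

```shell
# Added example, not from the thread. Rule text is constructed sample input.

# TCP port behind a DISPLAY value such as "localhost:10.0" (6000 + display number).
display_to_port() {
    local d=${1#*:}                  # strip the host part -> "10.0"
    echo $(( 6000 + ${d%%.*} ))      # drop the screen part -> 10
}

# verdict IFACE PORT < rules : first-match verdict for a TCP packet on INPUT.
# Understands only -P, -i, -p, --dport and -j ACCEPT/DROP; -m is skipped.
verdict() {
    local iface=$1 port=$2 policy=ACCEPT line
    while read -r line; do
        set -- $line
        if [ "$1" = "-P" ]; then policy=$3; continue; fi
        [ "$1" = "-A" ] || continue
        shift 2                      # drop "-A INPUT"
        local ok=1 target=""
        while [ $# -gt 0 ]; do
            case $1 in
                -i) [ "$2" = "$iface" ] || ok=0; shift ;;
                -p) [ "$2" = tcp ] || [ "$2" = all ] || ok=0; shift ;;
                --dport)
                    local lo=${2%%:*} hi=${2##*:}
                    [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] || ok=0
                    shift ;;
                -j) target=$2; shift ;;
                -m) shift ;;
            esac
            shift
        done
        if [ "$ok" = 1 ] && [ -n "$target" ]; then echo "$target"; return; fi
    done
    echo "$policy"                   # no rule matched: chain policy applies
}

# Constructed: DROP policy with ssh and the 6000:6007 range opened.
RULES_BEFORE='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6000:6007 -j ACCEPT'
# Constructed: the same rules plus the loopback rule from the fix above.
RULES_AFTER="$RULES_BEFORE
-A INPUT -i lo -j ACCEPT"

port=$(display_to_port localhost:10.0)
echo "X11 proxy port: $port"
echo "before: $(echo "$RULES_BEFORE" | verdict lo "$port")"
echo "after:  $(echo "$RULES_AFTER" | verdict lo "$port")"
```

The same port arriving on an external interface still hits the DROP policy after the fix, so the loopback rule does not expose the forwarded display to the network.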