X11 forwarding and iptables question

bob 295 icanprogram-sKcZck+fQKg at public.gmane.org
Sat Nov 27 15:08:04 UTC 2010


I have my default policy set to DROP packets. It turns out that to enable
X11 forwarding over ssh I needed to enable the local loopback interface as
well as ssh port 22, i.e.

iptables -A INPUT -i lo -p all -j ACCEPT

seems to have done the trick.

Thanks again for your help.

bob



On Friday 26 November 2010 06:24 pm, John Sellens wrote:
> If X apps work for you locally, then they should also work with X11
> forwarding over ssh, unless you have very strange iptables settings
> (e.g. rules on lo0/127.0.0.1/localhost).
>
> Check the remote end's sshd_config file to make sure that X11Forwarding
> is allowed.  My sshd_config(5) man page says that the default is no.
>
> Check your DISPLAY environment variable in your ssh session (via echo
> $DISPLAY).  Ssh should set it to something like localhost:10.0 if
> forwarding is working.
>
> Check that the remote end has an xauth(1) command.
>
> See if verbose ssh (with -v) tells you anything interesting.
>
> Hope that helps!
>
> John
>
> | I recently locked down my ports using some iptables rules to DROP all
> | INPUT and FORWARD packets and then accept only on certain ports.
> |
> | Most of my stuff is working as expected except for X11 forwarding (i.e.
> | by logging in with ssh -X and running stuff like xclock).
> |
> | I noticed that ports 177 and 6000:6007 are X11 related.   I opened these
> | up on the INPUT chain but X11 forwarding still doesn't work.
> |
> | What iptables rule should I be invoking to allow X11 forwarding?
>
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
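
Added example, not part of either poster's message: with X11 forwarding, sshd on the remote host listens on 127.0.0.1 at TCP port 6000 plus the display number (localhost:10.0 means port 6010), and X clients reach it over the loopback interface, so a default-DROP INPUT chain with no lo rule blocks them. The sketch below turns the checks from this thread into shell functions; the function names and the sample rule sets are constructed for illustration, and the rule check is a simplification that ignores rule order and Match blocks.

```shell
#!/bin/sh
# Added example: offline checks for ssh X11 forwarding behind a default-DROP firewall.

# Map a DISPLAY value such as "localhost:10.0" to the TCP port sshd listens on
# (X display N uses TCP port 6000+N). Fails for displays that are not loopback TCP.
display_to_port() {
    case "$1" in localhost:*|127.0.0.1:*) ;; *) return 1 ;; esac
    n=${1#*:}     # drop the host part
    n=${n%%.*}    # drop the screen number
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    echo $((6000 + $n))
}

# Read `iptables -S INPUT` output on stdin. Succeeds if the policy is ACCEPT or
# a "-i lo ... -j ACCEPT" rule exists. Simplification: rule order is not evaluated.
input_allows_loopback() {
    awk '
        $1 == "-P" && $2 == "INPUT" && $3 == "ACCEPT" { ok = 1 }
        $1 == "-A" && $2 == "INPUT" && /(^| )-i lo( |$)/ && /(^| )-j ACCEPT( |$)/ { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Read sshd_config on stdin. sshd uses the first value found for a keyword and
# X11Forwarding defaults to "no". Only the global section (before Match) is read.
x11_forwarding_enabled() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "x11forwarding" { v = tolower($2); exit }
        END { exit (v == "yes" ? 0 : 1) }'
}

# Constructed sample: a default-DROP INPUT chain that only admits ssh ...
RULES_BEFORE='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'
# ... and the same chain after adding the loopback rule from the post.
RULES_AFTER="$RULES_BEFORE
-A INPUT -i lo -j ACCEPT"

report() {  # $1 = DISPLAY value, $2 = rules text
    port=$(display_to_port "$1") || { echo "DISPLAY '$1' is not a forwarded display"; return 1; }
    if printf '%s\n' "$2" | input_allows_loopback; then
        echo "X clients can reach 127.0.0.1:$port"
    else
        echo "INPUT drops loopback traffic: X clients cannot reach 127.0.0.1:$port"
        return 1
    fi
}
report localhost:10.0 "$RULES_BEFORE" || true
report localhost:10.0 "$RULES_AFTER"
```

On a live host the same functions can be fed real data, for example `iptables -S INPUT | input_allows_loopback` run as root and `x11_forwarding_enabled < /etc/ssh/sshd_config`.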