Perhaps someone with some experience can suggest the answer to my problem. I have a number of linux boxes, each with its own network connection. I am installing iptables on each of the machines to limit outside access to each (due to the physical location of the machines, I cannot simply make a subnetwork and have a single firewall blocking access to the machines) in conjunction with tcpwrappers to limit access to any ports iptables allows.

We use ssh with X forwarding enabled to connect to the different machines. However, I cannot seem to get the forwarding to work when the default INPUT policy is set to drop. On host1, iptables -L looks like:

    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  host1                anywhere           state RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             host1              state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             host1              tcp dpt:smtp
    ACCEPT     tcp  --  anywhere             host1              tcp dpt:ssh

    Chain FORWARD (policy DROP)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  host1                anywhere           state NEW

If I ssh from host2, it connects just fine, but if I attempt to open an X program from host1 on host2 over that connection, nothing happens. If I change the default INPUT policy to ACCEPT on host1, X forwarding works fine. I don't know what rule to add to make X forwarding work correctly. I've tried the following (individually):

    iptables -A INPUT -s host2 -d host1 -j ACCEPT
    iptables -A INPUT -s host2 -d host1 -m state --state NEW -j ACCEPT

I thought that all X connections were forwarded over the ssh port, but apparently something else is needed here. Any suggestions?

I'm using Debian testing/woody on both machines. Kernel version is 2.4.5 for both with the XFS patch included. All the netfilter modules are built into the kernel. I am using OpenSSH 2.5.2p2 on both machines, and ssh and sshd on both are configured to allow X forwarding.

Thanks for your help.

Martin Sanborn
-- 
| Martin Sanborn - Dept. of Chemical Engineering - Northwestern University |
| m-sanborn@ nwu.edu - (847)467-1653 - http://zeolites.cqe.nwu.edu/marty |
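Added example, not part of the original post: with ssh X forwarding, the X client on the remote host connects to the TCP listener sshd opens for the forwarded display (port 6000 plus the display number, 6010 for display :10). Both ends are on the same host, so that connection is delivered over the loopback interface and is still filtered by INPUT; a DROP policy with no rule accepting loopback traffic discards it. The script below audits an iptables-save dump for that gap and emits the dump with the usual loopback rule added; the dump is constructed to mirror host1's ruleset above, with 10.0.0.1 as a placeholder for host1's address.

```shell
#!/bin/sh
# Added example, not from the original post. Checks an iptables-save dump for
# an INPUT chain that drops by default but never accepts loopback traffic
# (which is what breaks ssh X forwarding) and emits the fixed dump.

# Constructed dump mirroring the host1 ruleset quoted in the post;
# 10.0.0.1 is a placeholder for host1's own address.
HOST1_DUMP=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.1/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 10.0.0.1/32 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 10.0.0.1/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -d 10.0.0.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -s 10.0.0.1/32 -m state --state NEW -j ACCEPT
COMMIT
EOF
)

# audit_loopback DUMP: prints "ok" if INPUT accepts by default or has an
# explicit "-i lo ... -j ACCEPT" rule; prints "missing" and returns 1
# otherwise. A negated "! -i lo" match does not count.
audit_loopback() {
    policy=$(printf '%s\n' "$1" | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p')
    if [ "$policy" != DROP ]; then
        echo ok; return 0
    fi
    if printf '%s\n' "$1" | grep -Eq '^-A INPUT( .*[^!])? -i lo( |$).*-j ACCEPT$'; then
        echo ok; return 0
    fi
    echo missing; return 1
}

# add_loopback_rule DUMP: prints the dump with an accept-on-lo rule placed
# before the first INPUT rule (or before COMMIT if INPUT has none), so local
# connections such as the X client to sshd's display listener are not dropped.
add_loopback_rule() {
    printf '%s\n' "$1" | awk '
        (/^-A INPUT / || /^COMMIT$/) && !done { print "-A INPUT -i lo -j ACCEPT"; done = 1 }
        { print }'
}

# Stand-alone demonstration on the constructed dump.
audit_loopback "$HOST1_DUMP" || :      # prints "missing"
FIXED=$(add_loopback_rule "$HOST1_DUMP")
audit_loopback "$FIXED"                # prints "ok"
```

Running the audit against `iptables-save` output from each box flags any host with the same gap; the emitted dump can be reviewed and then loaded with `iptables-restore`.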