- 09-05-2005 #1 Just Joined!
- Join Date
- Sep 2005
- Posts
- 3
Configuring iptables for SSH and X11 forwarding
I have a Red Hat EL 3 server with the SSH daemon running. I'm using an SSH connection from Windows with the PuTTY SSH client. I have enabled X11 forwarding for PuTTY and the server's SSH daemon. Everything works just fine. I'm able to use X applications like xclock from PuTTY correctly. Afterwards I configured a firewall for my server. My aim was to configure the firewall so that I'm able to use SSH (with X forwarding) from anywhere. Here are my iptables rules:
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ssh_gate   tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ssh_gate   tcp  --  anywhere             anywhere            state NEW tcp spt:ssh
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain ssh_gate (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

After setting up these rules the SSH connection is working correctly but I'm not able to use any X applications. When I tried to start xclock, I received an error "Error: Can't open display: localhost:15.0". If I change the iptables INPUT and OUTPUT policy to ACCEPT, I'm able to use X applications, but with the DROP policy I'm not. According to my knowledge these iptables settings should let all traffic in and out using port 22. I sniffed network traffic using tcpdump and I didn't manage to capture any traffic other than traffic to port 22. Does anyone have any ideas what's wrong with my iptables?
- 09-06-2005 #2 Just Joined!
- Join Date
- Jun 2005
- Posts
- 5
Try "LinWiz" (an on-line iptables configuration tool) to create an iptables set for you with X clients allowed, and see what it creates - it's quite easy to read.
You'll find LinWiz at -- http://www.lowth.com/LinWiz
- 09-06-2005 #3 Linux Newbie
- Join Date
- Jul 2005
- Location
- Illinois, USA
- Posts
- 111
I don't know much about iptables, but I had a similar problem a while ago. Try changing the ForwardX11Trusted option to yes in /etc/ssh/ssh_config or ssh into your RHEL box with the "-Y" option.
- 09-06-2005 #4
Other than opening port 22 on the server side there is no special iptables setting that needs to be made for X forwarding.
hamburger123 already told you the setting to make in sshd_config.
Remember also:
* Both machines must be running X for this to work.
* When you connect you must use
Code:
ssh -X host_name_here
- 09-06-2005 #5 Just Joined!
- Join Date
- Sep 2005
- Posts
- 3
Local loopback
With those iptables rules I used, iptables didn't allow local loopback. So I just added rules to INPUT and OUTPUT that allowed all traffic from localhost to localhost and now X applications are working fine! Stupid me...
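
The loopback fix from post #5, as an added example that is not part of the original thread: it maps the display in the error message to the TCP port sshd listens on, models how the posted rule set treats the first packet of a connection, and prints loopback rules. The interface-based rule form, the `eth0` name and the source port 40000 are assumptions; the script only prints and never calls iptables.

```shell
#!/bin/sh
# Added example (constructed): why the thread's DROP policies broke X11
# forwarding, and the loopback rules that fix it. Nothing here calls iptables.

# "localhost:15.0" -> 6015. sshd's forwarded display N listens on TCP 6000+N.
display_to_port() {
    d=${1##*:}                  # drop the host part   -> "15.0"
    d=${d%%.*}                  # drop the screen part -> "15"
    case $d in ''|*[!0-9]*) return 1 ;; esac
    echo $((6000 + d))
}

# Verdict of the thread's rule set for the first (state NEW) TCP packet of a
# connection. Arguments: chain, interface, source port, destination port,
# and "yes" if the loopback rules below are loaded.
new_tcp_verdict() {
    chain=$1; iface=$2; sport=$3; dport=$4; lo_rules=${5:-no}
    if [ "$lo_rules" = yes ] && [ "$iface" = lo ]; then
        echo ACCEPT; return 0
    fi
    # ssh_gate: INPUT matches dpt:ssh, OUTPUT matches spt:ssh
    if [ "$chain" = INPUT ] && [ "$dport" -eq 22 ]; then echo ACCEPT; return 0; fi
    if [ "$chain" = OUTPUT ] && [ "$sport" -eq 22 ]; then echo ACCEPT; return 0; fi
    # A NEW packet cannot match "state RELATED,ESTABLISHED": policy applies.
    echo DROP
}

# Loopback rules, matched by interface (assumed form; the poster did not
# show the exact rules that were added).
loopback_rules() {
    echo "iptables -A INPUT  -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
}

port=$(display_to_port "localhost:15.0")    # display from the error message
src=40000                                   # constructed ephemeral port
echo "xclock connects to 127.0.0.1:$port over lo"
echo "original rules:   OUTPUT $(new_tcp_verdict OUTPUT lo $src "$port")"
echo "with lo rules:    OUTPUT $(new_tcp_verdict OUTPUT lo $src "$port" yes)"
echo "SSH from outside: INPUT  $(new_tcp_verdict INPUT eth0 $src 22)"
loopback_rules
```

Matching on `-i lo` / `-o lo` keeps the X11 listener reachable only from the server itself; port 6015 arriving on an external interface still falls through to the DROP policy.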