  1. #1

    Configuring iptables for SSH and X11 forwarding

    I have a Red Hat EL 3 server with the SSH daemon running. I'm using an SSH connection from Windows with the PuTTY SSH client. I have enabled X11 forwarding in PuTTY and in the server's SSH daemon. Everything works just fine. I'm able to use X applications like xclock from PuTTY correctly. Afterwards I configured a firewall for my server. My aim was to configure the firewall so that I'm able to use SSH (with X forwarding) from anywhere. Here are my iptables rules:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ssh_gate   tcp  --  anywhere             anywhere    state NEW tcp dpt:ssh
    ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ssh_gate   tcp  --  anywhere             anywhere           state NEW tcp spt:ssh
    ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
    Chain ssh_gate (2 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    After setting up these rules the SSH connection is working correctly but I'm not able to use any X applications. When I tried to start xclock, I received an error "Error: Can't open display: localhost:15.0". If I change the iptables INPUT and OUTPUT policy to ACCEPT, I'm able to use X applications, but with the DROP policy I'm not. According to my knowledge these iptables settings should let all traffic in and out using port 22. I sniffed network traffic using tcpdump and I didn't manage to capture any other traffic than traffic to port 22. Does anyone have any ideas what's wrong with my iptables?

  2. #2
    Try "LinWiz" (an on-line iptables configuration tool) to create an iptables set for you with X clients allowed, and see what it creates - it's quite easy to read.

    You'll find LinWiz at --

  3. #3
    I don't know much about iptables, but I had a similar problem a while ago. Try changing the ForwardX11Trusted option to yes in /etc/ssh/ssh_config or ssh into your RHEL box with the "-Y" option.

  4. #4
    anomie
    Other than opening port 22 on the server side there is no special iptables setting that needs to be made for X forwarding.

    hamburger123 already told you the setting to make in sshd_config.

    Remember also:
    * Both machines must be running X for this to work.
    * When you connect you must use
    ssh -X host_name_here

  5. #5

    Local loopback

    With those iptables rules I used, iptables didn't allow local loopback. So I just added rules to INPUT and OUTPUT that allowed all traffic from localhost to localhost and now X applications are working fine! Stupid me...
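As an added illustration (not code from the thread), the following Python model evaluates packets against the rule set listed in post #1 the way iptables walks its chains, then applies the localhost-to-localhost rules from post #5. It shows why the SSH login itself was accepted while the X client on the server was not: with X11 forwarding, sshd listens on the server's loopback for the forwarded display (localhost:15.0 is TCP port 6000 + 15 = 6015), and that loopback connection hit the OUTPUT and INPUT chains, where nothing matched and the DROP policy applied. The addresses, ports and conntrack states are constructed for the demonstration.

```python
"""Added example (not from the thread): a small model of iptables chain
evaluation, loaded with the rule set from post #1, to show why an X
client on the server could not reach its forwarded display and why the
loopback rules from post #5 fix it.  Addresses, ports and conntrack
states below are constructed for the demonstration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" / "udp"
    src: str     # source address
    dst: str     # destination address
    sport: int
    dport: int
    state: str   # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass
class Rule:
    target: str                      # ACCEPT, DROP, or a user chain to jump to
    proto: str = "all"
    src: Optional[str] = None        # None means "match any"
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    states: frozenset = frozenset()  # empty means "any state"

    def matches(self, pkt: Packet) -> bool:
        return (
            self.proto in ("all", pkt.proto)
            and self.src in (None, pkt.src)
            and self.dst in (None, pkt.dst)
            and self.sport in (None, pkt.sport)
            and self.dport in (None, pkt.dport)
            and (not self.states or pkt.state in self.states)
        )


class Ruleset:
    """Built-in chains carry a policy; user chains fall through (RETURN)."""

    def __init__(self, policies: dict):
        self.policies = dict(policies)
        self.chains = {name: [] for name in policies}

    def new_chain(self, name: str) -> None:            # like iptables -N
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:  # like iptables -A
        self.chains[chain].append(rule)

    def insert(self, chain: str, rule: Rule) -> None:  # like iptables -I
        self.chains[chain].insert(0, rule)

    def verdict(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            jumped = self.verdict(rule.target, pkt)    # jump into a user chain
            if jumped is not None:
                return jumped                          # None: chain returned without a verdict
        return self.policies.get(chain)                # user chains have no policy -> None


def thread_ruleset() -> Ruleset:
    """The rules as listed in post #1 (iptables -L output)."""
    rs = Ruleset({"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "DROP"})
    rs.new_chain("ssh_gate")
    rs.append("ssh_gate", Rule("ACCEPT"))
    rs.append("INPUT", Rule("ssh_gate", proto="tcp", dport=22, states=frozenset({"NEW"})))
    rs.append("INPUT", Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})))
    rs.append("OUTPUT", Rule("ssh_gate", proto="tcp", sport=22, states=frozenset({"NEW"})))
    rs.append("OUTPUT", Rule("ACCEPT", states=frozenset({"RELATED", "ESTABLISHED"})))
    return rs


def with_loopback(rs: Ruleset) -> Ruleset:
    """Post #5's fix: accept everything from localhost to localhost in both
    built-in chains, ahead of the existing rules."""
    rs.insert("INPUT", Rule("ACCEPT", src="127.0.0.1", dst="127.0.0.1"))
    rs.insert("OUTPUT", Rule("ACCEPT", src="127.0.0.1", dst="127.0.0.1"))
    return rs


# Constructed packets.  sshd listens on the server's loopback for the forwarded
# display; DISPLAY localhost:15.0 is TCP port 6000 + 15 = 6015.
SSH_LOGIN = Packet("tcp", "198.51.100.7", "203.0.113.5", 51234, 22, "NEW")  # PuTTY -> sshd
X11_CONNECT = Packet("tcp", "127.0.0.1", "127.0.0.1", 40321, 6015, "NEW")   # xclock -> sshd


def ssh_login_verdict(rs: Ruleset) -> Optional[str]:
    return rs.verdict("INPUT", SSH_LOGIN)


def x11_loopback_verdicts(rs: Ruleset) -> tuple:
    """Loopback traffic traverses OUTPUT and then INPUT on the same host;
    both must accept it for the X client to reach its display."""
    return rs.verdict("OUTPUT", X11_CONNECT), rs.verdict("INPUT", X11_CONNECT)


if __name__ == "__main__":
    original, fixed = thread_ruleset(), with_loopback(thread_ruleset())
    print("SSH login from the network:", ssh_login_verdict(original))
    print("xclock -> localhost:15.0, original rules:", x11_loopback_verdicts(original))
    print("xclock -> localhost:15.0, with loopback rules:", x11_loopback_verdicts(fixed))
```

The model also explains the tcpdump observation in post #1: the dropped packets never left the box, so a capture on the external interface only shows port 22; capturing on the loopback interface (tcpdump -i lo) is where they would have appeared. The usual way to write the fix is to match the interface rather than the addresses, with `iptables -I INPUT -i lo -j ACCEPT` and `iptables -I OUTPUT -o lo -j ACCEPT`, which also covers other loopback addresses and keeps local services working under a DROP policy.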
