  1. #1 (Just Joined!, joined Sep 2005, 3 posts)

    Configuring iptables for SSH and X11 forwarding


    I have a Red Hat EL 3 server with the SSH daemon running. I'm using an SSH connection from Windows with the PuTTY SSH client. I have enabled X11 forwarding for PuTTY and for the server's SSH daemon. Everything works just fine. I'm able to use X applications like xclock from PuTTY correctly. Afterwards I configured a firewall for my server. My aim was to configure the firewall so that I'm able to use SSH (with X forwarding) from anywhere. Here are my iptables rules:
    Code:
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ssh_gate   tcp  --  anywhere             anywhere    state NEW tcp dpt:ssh
    ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    
    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ssh_gate   tcp  --  anywhere             anywhere           state NEW tcp spt:ssh
    ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
    
    Chain ssh_gate (2 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    After setting up these rules the SSH connection is working correctly, but I'm not able to use any X applications. When I tried to start xclock, I received the error "Error: Can't open display: localhost:15.0". If I change the iptables INPUT and OUTPUT policy to ACCEPT, I'm able to use X applications, but with the DROP policy I'm not. According to my knowledge these iptables settings should let all traffic in and out using port 22. I sniffed network traffic using tcpdump and I didn't manage to capture any traffic other than traffic to port 22. Does anyone have any ideas what's wrong with my iptables?

  2. #2 (Just Joined!, joined Jun 2005, 5 posts)
    Try "LinWiz" (an online iptables configuration tool) to create an iptables set for you with X clients allowed, and see what it creates - it's quite easy to read.

    You'll find LinWiz at -- http://www.lowth.com/LinWiz

  3. #3 (Linux Newbie, joined Jul 2005, Illinois, USA, 111 posts)
    I don't know much about iptables, but I had a similar problem a while ago. Try changing the ForwardX11Trusted option to yes in /etc/ssh/ssh_config or ssh into your RHEL box with the "-Y" option.

  4. #4 anomie (Linux Guru, joined Mar 2005, Texas, 1,692 posts)
    Other than opening port 22 on the server side there is no special iptables setting that needs to be made for X forwarding.

    hamburger123 already told you the setting to make in sshd_config.

    Remember also:
    * Both machines must be running X for this to work.
    * When you connect you must use
    Code:
    ssh -X host_name_here

  5. #5 (Just Joined!, joined Sep 2005, 3 posts)

    Local loopback

    With those iptables rules I used, iptables didn't allow local loopback. So I just added rules to INPUT and OUTPUT that allowed all traffic from localhost to localhost, and now X applications are working fine! Stupid me...
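The loopback gap found in this thread can be spotted directly in an `iptables -L` listing: sshd's X11 forwarding listens on 127.0.0.1 (display localhost:15.0 is TCP port 6015), so the X client's first packet must pass INPUT and OUTPUT over loopback, and a DROP policy with only port-22 and RELATED,ESTABLISHED rules drops it. The checker below is an added example, not code from the thread; it parses the questioner's ruleset as posted (embedded as a constructed sample) and reports which DROP-policy chains lack an unconditional localhost ACCEPT.

```python
import re

# Constructed sample: the questioner's ruleset as listed by `iptables -L`
# (the FORWARD chain is omitted since it does not affect loopback traffic).
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ssh_gate   tcp  --  anywhere             anywhere    state NEW tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ssh_gate   tcp  --  anywhere             anywhere           state NEW tcp spt:ssh
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")

def parse_listing(text):
    """Return {chain: (policy, [rule dicts])} from plain `iptables -L` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
            continue
        if current is None or not line.strip() or line.startswith("target"):
            continue  # blank line or column header
        parts = line.split(None, 5)  # target prot opt src dst [extra matches]
        if len(parts) < 5:
            continue
        rule = dict(zip(("target", "prot", "opt", "src", "dst"), parts[:5]))
        rule["extra"] = parts[5].strip() if len(parts) > 5 else ""
        chains[current][1].append(rule)
    return chains

def allows_loopback(rules):
    """True if an ACCEPT with no extra match (e.g. no 'state ...') covers
    127.0.0.1 -> 127.0.0.1.  Plain `iptables -L` hides interfaces, so an
    '-i lo' rule shows up as anywhere/anywhere and is counted here too."""
    return any(r["target"] == "ACCEPT" and r["prot"] == "all" and not r["extra"]
               and r["src"] in ("anywhere", "localhost")
               and r["dst"] in ("anywhere", "localhost") for r in rules)

def loopback_gaps(text):
    """Sorted names of INPUT/OUTPUT chains that would drop the local X11 connect."""
    return sorted(name for name, (policy, rules) in parse_listing(text).items()
                  if name in ("INPUT", "OUTPUT") and policy == "DROP"
                  and not allows_loopback(rules))
```

Jumps into user chains such as ssh_gate are not followed; in the listing above that chain is only reached for port-22 traffic, so it cannot supply the missing loopback rule.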
