Iptables Settings For X11 Forwarding In CentOS 6.2


Hi,

We recently installed CentOS 6.2 on our cluster. During the installation/debugging of various secondary software, we had disabled iptables. When we re-enabled them, we found that the front-end would no longer X11 forward (although it does so when the iptables are off). What do we need to set in the iptables to permit X11 forwarding? Currently we’re using

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "

iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6000 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6001 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6002 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6003 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6004 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6005 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 177 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 6000 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Pat Haley
Center for Ocean Engineering, Dept. of Mechanical Engineering
MIT, Room 5-213, 77 Massachusetts Avenue, Cambridge, MA 02139-4301
Email: phaley@mit.edu   Phone: (617) 253-6824   Fax: (617) 253-8125
http://web.mit.edu/phaley/www/
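An added example, not part of Pat's post or any reply in this thread, showing how the same DROP-policy firewall can be laid out so that SSH X11 forwarding keeps working. The posted rules only ever ACCEPT on eth1, so with `-P INPUT DROP` nothing on the loopback interface is accepted; sshd, however, binds the forwarded display on 127.0.0.1 (port 6000 plus X11DisplayOffset, 6010 with the OpenSSH defaults of X11UseLocalhost yes and X11DisplayOffset 10), so the X client on the cluster node cannot reach it. The script below accepts loopback first, keeps one ESTABLISHED,RELATED rule for all interfaces, opens the bare X display range 6000:6005 and XDMCP only on request (they expose the X server itself, which SSH forwarding over port 22 does not), and moves the rate-limited LOG rule to the end so it logs only what is about to be dropped (at the front, as posted, it also logs accepted packets under the "Dropped by firewall" prefix). Assumptions: the public interface is eth1 as in the post; `IPTABLES`, `PUB_IF`, `OPEN_XDMCP`, `build_rules` and `rule_count` are names chosen for this example; by default `IPTABLES` is `echo iptables`, so the script prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example (not from the original post). Dry run by default: set
# IPTABLES=/sbin/iptables to actually load the rules as root.
IPTABLES=${IPTABLES:-"echo iptables"}
PUB_IF=${PUB_IF:-eth1}          # public interface, eth1 as in the post
OPEN_XDMCP=${OPEN_XDMCP:-0}     # 1 opens XDMCP and unencrypted X displays
X_TCP_RANGE=6000:6005           # displays :0 to :5, the range in the post

build_rules() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F INPUT

    # 1. Loopback first: sshd's forwarded X display (127.0.0.1:6010 with
    #    OpenSSH defaults) and local X clients live here. A DROP policy
    #    with no loopback rule silently breaks ssh -X.
    $IPTABLES -A INPUT -i lo -j ACCEPT

    # 2. Replies to anything this host initiated, on any interface.
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. New inbound services on the public interface (SSH carries X11
    #    forwarding inside the port 22 session; no display ports needed).
    for p in 22 80 8080; do
        $IPTABLES -A INPUT -i "$PUB_IF" -p tcp --dport "$p" \
            -m state --state NEW -j ACCEPT
    done

    # 4. XDMCP (udp/177) and bare X (tcp/6000-6005) only when asked for:
    #    these accept unauthenticated-by-firewall connections to the X
    #    server itself, so keep them off unless XDMCP is really in use.
    if [ "$OPEN_XDMCP" = 1 ]; then
        $IPTABLES -A INPUT -i "$PUB_IF" -p udp --dport 177 -j ACCEPT
        $IPTABLES -A INPUT -i "$PUB_IF" -p tcp --dport "$X_TCP_RANGE" \
            -m state --state NEW -j ACCEPT
    fi

    # 5. Log what is about to hit the DROP policy, rate limited, as the
    #    LAST rule. Placed first, it logs accepted packets too.
    $IPTABLES -A INPUT -m limit --limit 15/minute -j LOG \
        --log-level 7 --log-prefix "Dropped by firewall: "
}

# Number of INPUT rules the current settings produce (dry run only).
rule_count() {
    build_rules | grep -c -- '-A INPUT'
}

build_rules
```

Run it as-is to review the generated rules, then with `IPTABLES=/sbin/iptables` to load them; `OPEN_XDMCP=1` adds the two XDMCP/X rules. The order matters: a rule accepting loopback has to come before the rules scoped to eth1, and the LOG rule has to be last to mean what its prefix says.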

5 thoughts on - Iptables Settings For X11 Forwarding In CentOS 6.2

  • [Based on the port numbers below] You’re talking about XDMCP and not SSH
    X11 forwarding — correct?

    I bumped into this [0] but don’t have any XDMCP setups to test with. You have most of the recommended ports allowed given your rules.

    Might help:
    “If you are using Gnome open up TCP ports 16001 and TCP 35091 in both directions.” [0]

    [0] http://www.starnet.com/xwin32kb/What_ports_need_to_be_opened_for_XDMCP
    [1] http://www.tldp.org/HOWTO/html_single/XDMCP-HOWTO/#PREP

    Consider running tcpdump on the proper interface with the firewall disabled for a moment to get an idea of what happens when things work.

    You can simplify your rule by specifying a port range instead of individual rules:
    iptables -A INPUT -i eth1 -p tcp --dport 6000:6005 -m state --state NEW,ESTABLISHED -j ACCEPT

  • Hi,

    Actually we’re talking about both SSH and XDMCP X11 forwarding. Both seem to be currently disabled by the iptables.

    We’ll try out what you suggest and get back with the results. Thanks.

    Pat

  • iptables should have no effect (well, I guess if you do some really odd config settings it -could-, but that’s a bit of an edge case) on ssh X tunnels. Check your /etc/ssh/sshd_config for X11Forwarding; it should be set to yes. If you have iptables rules that apply to the localhost/127.0.0.0/8 network, then I suppose iptables could be part of the problem, but I’d think it’d make sense to drop most all of those rules.

    It might also be helpful to look at the output from your external machine when you run ssh -vvvv -X user@clusterhost (I wouldn’t send it all to the list, because it’ll be a ton of nonsense, but the last page or so of output lines have helped me find issues in the past).

    … or am I completely off in left field and you’re saying you’re unable to SSH into your machines?
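An added example, not part of the reply above or anything else in the thread, for the sshd_config check it recommends. sshd_config(5) uses the first value it sees for a keyword, and everything after a `Match` line belongs to that block until the next `Match`, so appending `X11Forwarding yes` to the end of a file that already says `no` (or after a `Match` block) changes nothing; the script parses a config the way sshd does and reports the effective X11 settings plus the loopback port sshd will bind for the first forwarded display. Assumptions: the sample config is constructed for the demonstration; the function names (`effective_setting`, `setting_or_default`, `forwarded_x11_port`, `x11_report`) are this example's own; defaults are OpenSSH's (X11Forwarding no, X11UseLocalhost yes, X11DisplayOffset 10). On a live system `sshd -T | grep -i x11` prints the same effective values.

```shell
#!/bin/sh
# Added example (not from the thread): what sshd will actually use for
# X11 forwarding, given the first-value-wins rule of sshd_config(5).

# First effective value of keyword $2 in config file $1, stopping at the
# first Match block; keyword matched case-insensitively, "key=value"
# spelling accepted; prints nothing when the keyword is absent.
effective_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        { sub(/=/, " ") }                    # Keyword=value -> Keyword value
        tolower($1) == "match" { exit }      # nothing global after Match
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# The effective value, or the OpenSSH default $3 when the keyword is unset.
setting_or_default() {
    v=$(effective_setting "$1" "$2")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Loopback port sshd binds for the first forwarded display:
# 6000 + X11DisplayOffset (default 10, so 6010) when X11UseLocalhost is yes.
forwarded_x11_port() {
    off=$(setting_or_default "$1" X11DisplayOffset 10)
    echo $((6000 + off))
}

x11_report() {
    cfg=$1
    fwd=$(setting_or_default "$cfg" X11Forwarding no)
    local_only=$(setting_or_default "$cfg" X11UseLocalhost yes)
    port=$(forwarded_x11_port "$cfg")
    echo "X11Forwarding=$fwd X11UseLocalhost=$local_only first_display_port=$port"
    if [ "$fwd" != yes ]; then
        echo "sshd will refuse X11 forwarding; ssh -vvv -X reports" \
             "'X11 forwarding request failed on channel 0'"
    fi
}

# Constructed sample: the tempting fix (a 'yes' at the end) does not win,
# both because 'no' comes first and because the 'yes' sits inside Match.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# constructed sshd_config excerpt for this example
Port 22
X11Forwarding no
X11DisplayOffset 10
Match User guest
    X11Forwarding no
X11Forwarding yes
EOF
x11_report "$SAMPLE"
rm -f "$SAMPLE"
```

Point it at the real file with `x11_report /etc/ssh/sshd_config`. Together with `ssh -vvv -X`, the report tells you whether the refusal comes from sshd's config or from something in the path to the 127.0.0.1 display port, which is where a DROP-policy firewall without a loopback rule shows up.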

  • dropped packets. If he does that twice, one before and once after testing the differences will show which rules are being hit.

    Cheers,

    Cliff
