LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 07-16-2003, 09:23 PM   #1
raypen
Member
 
Registered: Jun 2002
Location: Midwest
Distribution: Slackware
Posts: 365

Rep: Reputation: 30
LAN/Internet mixup with XDMCP


Very simple situation: Linux computer on a LAN connected to
a Linux box with a NAT'd firewall.

LAN box: hostlan.domain.com IP -> 192.168.2.100 eth0
NAT box: hostnat.domain.com IP -> 192.168.2.1 eth1 Gateway
NAT box: hostnat.domain.com IP -> xxx.xxx.xxx.xxx eth0 Inet

Occasionally, need to connect to the LAN box running X
from the NAT box using XDMCP. Connection works with the
appropriate allowance of ports 177 for XDMCP and 6000 for
X connectivity in the firewall.

However, the connection is always made to eth0 on
the NAT box (I guess through the gateway)
rather than directly to the gateway (192.168.2.1).

This causes a problem, since I would rather not have ports
177 & 6000 open for eth0, since it is the internet connection
and if I happen to be running X on that box, I am wide
open to X connections coming from the net.

Why doesn't the XDMCP connection only use the Gateway
(192.168.2.1)?

Is there a way to make XDMCP (X -broadcast from the NAT box)
use the gateway interface, eth1 instead of eth0?
 
Old 07-16-2003, 10:08 PM   #2
Thoreau
Senior Member
 
Registered: May 2003
Location: /var/log/cabin
Distribution: All
Posts: 1,167

Rep: Reputation: 45
I don't understand this. Why are you connecting to the lan box from your NATing box? Is it a VPN server?

"However, the connection is always made to eth0 on
the NAT box (I guess through the gateway)
rather than directly to the gateway (192.168.2.1)."

Eth0 is always the internal interface by default. It would make sense that your NAT box is talking to your LAN box with it. Your NAT box controls what ports you are forwarding out to the internet. By default, it would not forward those ports to the internet without your initiating the connection from the lan box.

And the final short answer to your question is no. eth0 is internal via iptables. eth1 is external. There may be a way around it, but I haven't found it. Let me know if you do better.
 
Old 07-17-2003, 12:30 AM   #3
raypen
Member
 
Registered: Jun 2002
Location: Midwest
Distribution: Slackware
Posts: 365

Original Poster
Rep: Reputation: 30
Maybe this wasn't clear enough. The NAT box contains
two NICs; eth0 connects to the internet and eth1 is the
internal interface or from the other computer's point of
view the gateway to the NAT box. In any Netfilter scenario
I have ever seen, this is always the way it works with
only two computers.

My point was that when I was having trouble with the
XDMCP connection to the LAN box, I always got an error
message stating that a connection could not be made to
xxx.xxx.xxx.xxx or the eth0 internet connected IP address
rather than 192.168.2.1.

I suspect that the firewall rules have something to do with
it but I'm not sure how to re-structure the rules to allow this
connection and deny connections to port 6000 from the
internet side.

I may be a little confused here.
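The symptom in the two posts above (the manager tries xxx.xxx.xxx.xxx, the eth0 address, instead of 192.168.2.1) is explained by the XDMCP exchange itself: after the Query/Willing round trip the X server on the NAT box sends a REQUEST that lists the addresses it can be reached on, and the manager (xdm on the LAN box) picks one of them and opens the TCP 6000 connection to it. The following is an added example, not code from the thread, that encodes and decodes the REQUEST packet and models the manager's choice. The field layout follows the XDMCP specification; the selection rule (first advertised address of a family the manager supports) is my model of xdm's behaviour and is an assumption, as is the constructed public address 203.0.113.7 standing in for the poster's xxx.xxx.xxx.xxx.

```python
"""XDMCP REQUEST: the display advertises its addresses, the manager chooses one.
Added example, not from the thread. Packet layout per the XDMCP spec; the
manager's "first usable address" rule is an assumption about xdm."""
import ipaddress
import struct

XDMCP_VERSION = 1
OP_REQUEST = 7
FAMILY_INTERNET = 0          # connection type for IPv4
X_BASE_PORT = 6000           # TCP port for display :0; display :n uses 6000+n


def _array8(data):
    return struct.pack("!H", len(data)) + bytes(data)


def _array16(values):
    return struct.pack("!B", len(values)) + b"".join(struct.pack("!H", v) for v in values)


def _array_of_array8(items):
    return struct.pack("!B", len(items)) + b"".join(_array8(i) for i in items)


def build_request(display_number, addresses, authz_names=(b"MIT-MAGIC-COOKIE-1",),
                  display_id=b"constructed display"):
    """Encode a REQUEST advertising `addresses` (dotted IPv4 strings) in that order."""
    body = struct.pack("!H", display_number)
    body += _array16([FAMILY_INTERNET] * len(addresses))
    body += _array_of_array8([ipaddress.IPv4Address(a).packed for a in addresses])
    body += _array8(b"") + _array8(b"")            # authentication name / data: none
    body += _array_of_array8(list(authz_names))     # authorization schemes we accept
    body += _array8(display_id)
    return struct.pack("!HHH", XDMCP_VERSION, OP_REQUEST, len(body)) + body


class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def card8(self):
        v = self.buf[self.pos]
        self.pos += 1
        return v

    def card16(self):
        (v,) = struct.unpack_from("!H", self.buf, self.pos)
        self.pos += 2
        return v

    def array8(self):
        n = self.card16()
        v = self.buf[self.pos:self.pos + n]
        if len(v) != n:
            raise ValueError("truncated ARRAY8")
        self.pos += n
        return v

    def array16(self):
        return [self.card16() for _ in range(self.card8())]

    def array_of_array8(self):
        return [self.array8() for _ in range(self.card8())]


def parse_request(packet):
    """Decode a REQUEST, rejecting a wrong version/opcode or a lying length field."""
    version, opcode, length = struct.unpack_from("!HHH", packet, 0)
    if version != XDMCP_VERSION or opcode != OP_REQUEST:
        raise ValueError("not an XDMCP REQUEST")
    if length != len(packet) - 6:
        raise ValueError("length field does not match packet size")
    r = _Reader(packet[6:])
    display = r.card16()
    types = r.array16()
    addrs = r.array_of_array8()
    if len(types) != len(addrs):
        raise ValueError("connection type/address count mismatch")
    r.array8()                                      # authentication name (unused)
    r.array8()                                      # authentication data (unused)
    authz = r.array_of_array8()
    display_id = r.array8()
    return {"display": display, "connections": list(zip(types, addrs)),
            "authorization_names": authz, "display_id": display_id}


def choose_display_endpoint(request):
    """Manager side: first advertised address of a family we can connect to
    (assumed rule), paired with the TCP port for the display number."""
    for family, raw in request["connections"]:
        if family == FAMILY_INTERNET and len(raw) == 4:
            return str(ipaddress.IPv4Address(raw)), X_BASE_PORT + request["display"]
    raise ValueError("no usable connection address")


# Constructed addresses: 203.0.113.7 (TEST-NET-3) stands in for the public eth0 address.
NAT_BOX_PUBLIC = "203.0.113.7"
NAT_BOX_LAN = "192.168.2.1"


def endpoint_as_advertised():
    """X server lists eth0 first, then eth1: the manager heads for the public address."""
    req = parse_request(build_request(0, [NAT_BOX_PUBLIC, NAT_BOX_LAN]))
    return choose_display_endpoint(req)


def endpoint_lan_only():
    """Same exchange when the display advertises only its LAN address."""
    req = parse_request(build_request(0, [NAT_BOX_LAN]))
    return choose_display_endpoint(req)
```

Run `endpoint_as_advertised()` and `endpoint_lan_only()` to see the two outcomes: with both interfaces advertised the manager connects to 203.0.113.7:6000, which is exactly the "could not connect to xxx.xxx.xxx.xxx" the poster reports; with only 192.168.2.1 advertised it connects over the LAN. The X server's `-from` option, which the thread goes on to mention, is the knob meant to control which local address is used for XDMCP on a multi-homed host; whether it trims the advertised list in this way is my reading and not something the thread confirms.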
 
Old 07-17-2003, 11:07 PM   #4
raypen
Member
 
Registered: Jun 2002
Location: Midwest
Distribution: Slackware
Posts: 365

Original Poster
Rep: Reputation: 30
The problem is somewhat clearer now. If I completely flush
all the firewall rules, I can connect using the xdmcp protocol.
However, with my ruleset, which is pretty simple, I am
surprised that I can't connect.

I know that the XDMCP server is listening on UDP 177 and
TCP 6000 from nmap output. My OUTPUT rules:

# OUTPUT chain

# Bad TCP packets we don't want.
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

# Special OUTPUT rules to decide which IP's to allow.
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

# Log weird packets that don't match the above.
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

and INPUT looks like:

# allowed chain
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

# TCP rules
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 6000 -j allowed

so TCP packets from the server port 6000 are allowed.

Why this is causing a problem, I don't know.

Does anyone have a ruleset that will work?
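The posted chains are worth tracing against a few packets, because the rule `-s 0/0 --dport 6000 -j allowed` accepts a SYN to port 6000 from any source wherever `tcp_packets` is consulted, which is the exposure post #1 was trying to avoid. The following is an added example, not code from the thread: a small evaluator for the `allowed` and `tcp_packets` chains exactly as posted, plus an INPUT chain that wires them up the way the rc.firewall layout those chain names come from usually does (LAN interface accepted wholesale, `tcp_packets` consulted for TCP arriving on the internet interface, policy DROP). That INPUT wiring, the interface names eth0/eth1, the LAN range 192.168.2.0/24 and the sample source addresses are assumptions and constructed inputs, not something the poster showed.

```python
"""Trace the poster's `allowed` / `tcp_packets` chains against sample packets.
Added example, not from the thread. INPUT wiring, interface names and sample
addresses are assumptions; the two user chains follow post #4."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_IFACE, INET_IFACE = "eth1", "eth0"
LAN_NET = "192.168.2.0/24"


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str                  # "tcp" or "udp"
    src: str
    dport: int
    syn: bool = False           # SYN without ACK, what `--syn` matches
    state: str = "NEW"          # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    target: str                          # ACCEPT, DROP, LOG or a user chain name
    proto: Optional[str] = None          # -p
    in_iface: Optional[str] = None       # -i
    src: Optional[str] = None            # -s (CIDR)
    dport: Optional[int] = None          # --dport
    syn: Optional[bool] = None           # --syn
    states: Optional[frozenset] = None   # -m state --state

    def matches(self, p):
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.in_iface is not None and p.iface != self.in_iface:
            return False
        if self.src is not None and \
                ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.syn is not None and p.syn != self.syn:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        return True


def walk(chains, name, p):
    """Return ACCEPT/DROP, or None when a user chain falls off its end (RETURN)."""
    for rule in chains[name]:
        if not rule.matches(p):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "LOG":
            continue                     # LOG is non-terminating
        verdict = walk(chains, rule.target, p)
        if verdict is not None:
            return verdict
    return None


def verdict(chains, p, policy="DROP"):
    return walk(chains, "INPUT", p) or policy


def chains_as_posted():
    est = frozenset({"ESTABLISHED", "RELATED"})
    allowed = [Rule("ACCEPT", proto="tcp", syn=True),
               Rule("ACCEPT", proto="tcp", states=est),
               Rule("DROP", proto="tcp")]
    tcp_packets = [Rule("allowed", proto="tcp", src="0.0.0.0/0", dport=6000)]  # -s 0/0
    input_chain = [Rule("ACCEPT", in_iface=LAN_IFACE, src=LAN_NET),   # assumed wiring
                   Rule("ACCEPT", in_iface="lo"),
                   Rule("tcp_packets", proto="tcp", in_iface=INET_IFACE),
                   Rule("ACCEPT", in_iface=INET_IFACE, states=est),
                   Rule("LOG")]
    return {"INPUT": input_chain, "tcp_packets": tcp_packets, "allowed": allowed}


def chains_hardened():
    """Same layout, but nothing invites port 6000 in from the internet side;
    LAN hosts are already accepted by INPUT's first rule."""
    c = chains_as_posted()
    c["tcp_packets"] = []
    return c


# Constructed sample packets: an X connection attempt from the internet and one from the LAN box.
SAMPLES = {
    "internet_syn_6000": Packet(INET_IFACE, "tcp", "198.51.100.9", 6000, syn=True),
    "lan_syn_6000": Packet(LAN_IFACE, "tcp", "192.168.2.100", 6000, syn=True),
    "internet_ack_6000": Packet(INET_IFACE, "tcp", "198.51.100.9", 6000, syn=False),
}


def exposure_as_posted():
    return {name: verdict(chains_as_posted(), p) for name, p in SAMPLES.items()}


def exposure_hardened():
    return {name: verdict(chains_hardened(), p) for name, p in SAMPLES.items()}
```

`exposure_as_posted()` shows the SYN from the internet to 6000 being ACCEPTed, which is what the poster did not want; `exposure_hardened()` shows that dropping the `--dport 6000` entry from `tcp_packets` closes that without touching the LAN path, since the LAN box is accepted on eth1 before `tcp_packets` is ever consulted. The XDMCP session then only works if the manager connects to 192.168.2.1 rather than the public address, which is the separate problem of which address the X server advertises.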
 
Old 07-19-2003, 12:23 AM   #5
raypen
Member
 
Registered: Jun 2002
Location: Midwest
Distribution: Slackware
Posts: 365

Original Poster
Rep: Reputation: 30
Another development. X-Win32 allows the XDMCP client to
select a particular IP address to respond to. If you have a
local LAN and INET NIC on one machine, you can select either
the LAN interface (192.168.0.1) or your INET IP.

Is there any way to do this with XDMCP in Linux, either with
the client connect command (X -broadcast, -query, -indirect)
or in the XDM configuration on the host?
 
Old 07-21-2003, 01:03 AM   #6
raypen
Member
 
Registered: Jun 2002
Location: Midwest
Distribution: Slackware
Posts: 365

Original Poster
Rep: Reputation: 30
Thoreau,

I am getting a sense of what you mean. It seems that XDMCP always wants to use eth0
but I tried a little experiment.

I took down the eth0 interface (ifconfig eth0 down) and then tried to connect to my LAN box
essentially forcing XDMCP to use the eth1 interface. I left the firewall in place thinking that it
should have no effect if I forced use of eth1. However, instead of getting the usual 'session
aborted' I got the 'too many transmissions' error message when I shut down X from the client
side after waiting for several minutes.

I then flushed the firewall and it worked again as usual.

Am I fooling myself with this little experiment? Is eth0 still able to be used? I don't think so since
the routing table entries for eth0 are removed when the interface is taken down.

This leads me to believe that the firewall is the culprit.

Incidentally, I can connect from the LAN box to the NAT box (setup for XDM) very easily. I guess
that's the way it was intended; you could surf the net from the LAN box without having to NAT
the server.

I have also tried the -from option as in X -query 192.168.0.100 -from 192.168.0.1 which also
doesn't work.

I hate to give up on this problem without a good answer, so do you have any further suggestions?
 
  

