LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 10-13-2007, 12:54 PM   #1
bowens44
LQ Newbie
 
Registered: Aug 2005
Posts: 25

Rep: Reputation: 15
X11 forwarding and Iiptables


I hope that I posted this in the correct the place.

Please excuse the typo in the subject - should of course be iptables

I am trying to set up X11 forwarding so that I can access some apps on my Linux box from my windows XP box on my home network. With iptables active , I can use putty to ssh into the box and login etc. With iptables flushed, I can use putty and xming from the windows box to launch apps on my linux box. This works perfectly. The trouble is that if I am using iptables, I get an error saying 'cannot connect to xserver localhost:10.0'.

I am pretty sure that I'm missing something in iptables. I am rather new at this so I'm not sure how to resolve this issue. I did several searchs at several places but had no luck.

Here's my iptables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s 192.168.5.100 -d 192.168.5.101 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.1 -d 192.168.5.101 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.5.0/24 -p udp -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.5.101 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 192.168.5.101 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d 192.168.5.101 -p icmp -j ACCEPT
-A INPUT -s 192.168.5.100 -d 192.168.5.101 -p tcp -m tcp --dport 5900:5905 -j ACCEPT
-A INPUT -s 192.168.5.0/24 -d 192.168.5.101 -p udp --dport 137:138 -j ACCEPT
-A INPUT -s 192.168.5.0/24 -d 192.168.5.101 -p tcp --dport 139 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT

Thanks for your help!

Last edited by bowens44; 10-13-2007 at 02:47 PM. Reason: correct typo
 
Old 10-14-2007, 10:49 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by bowens44 View Post
I get an error saying 'cannot connect to xserver localhost:10.0'.
I believe you have localhost (127.0.0.1) blocked which prevents your application from communicating to the proxy xserver. Usually I have a rule at the top of my INPUT chain that accepts all loopback unless there is a particular reason not to on the particular box:

Code:
iptables -A INPUT -i lo -j ACCEPT
BTW, I am not sure what the purpose of the following is:

Code:
-A INPUT -s 127.0.0.1 -d 192.168.5.101 -j ACCEPT
I am not sure that rule would ever be matched. Usually something with a source address of 127.0.0.1 will also have a destination address of 127.0.0.1. Am I missing something?
 
Old 10-14-2007, 12:17 PM   #3
bowens44
LQ Newbie
 
Registered: Aug 2005
Posts: 25

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by blackhole54 View Post
I believe you have localhost (127.0.0.1) blocked which prevents your application from communicating to the proxy xserver. Usually I have a rule at the top of my INPUT chain that accepts all loopback unless there is a particular reason not to on the particular box:

iptables -A INPUT -i lo -j ACCEPT
When I use this, and do an iptables -L for this line it says:
ACCEPT all -- anywhere anywhere

Can you explain to me exactly what this does? It works but I'm not sure that I understand why.

Quote:
BTW, I am not sure what the purpose of the following is:

-A INPUT -s 127.0.0.1 -d 192.168.5.101 -j ACCEPT
I am not sure that rule would ever be matched. Usually something with a source address of 127.0.0.1 will also have a destination address of 127.0.0.1. Am I missing something?
I don't know exactly. I'm new to this. I got this from a web site that told how to build a basic iptables setup. It said that this allowed any traffic from localhost.

I really appriciate your help. Thank you.
 
Old 10-14-2007, 01:28 PM   #4
ray_80
Member
 
Registered: Oct 2007
Posts: 75

Rep: Reputation: 15
Have you tried VNC?
 
Old 10-14-2007, 03:14 PM   #5
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by bowens44 View Post
When I use this, and do an iptables -L for this line it says:
ACCEPT all -- anywhere anywhere
The reason it says "anywhere anywhere" is because there are no source or destination IP addresses specified in the rule. If you tell it to be verbose with the -v option, it will also list (among other things) the interface this rule applies to if it is restricted to a particular interface. And the interface (loopback aka lo) is the only thing the rule I gave you specified. The loopback interface is how the computer "talks to itself" using addresses 127.xx.xx.xx, most frequently the address 127.0.0.1. When I list iptables rules I like to use specify the options -nvL. In addition to being verbose, it lists address and ports numerically. This is a matter of personal taste and you can obviously do as you wish.


Quote:
I don't know exactly. I'm new to this. I got this from a web site that told how to build a basic iptables setup. It said that this allowed any traffic from localhost.
To my knowledge the advice is wrong. If you can provide a link where you got that, maybe I or somebody else can comment further on it.

Since you are learning, you might want to take a look at the LQ Wiki article for configuring a basic workstation firewall The firewall listed there uses the localhost address instead of the loopback interface like the rule I showed you. Personally I think you're better of referring to the interface, but if you use decide you wish to use the address I suggest using the range of addresses 127.0.0.0/8 instead of the single address 127.0.0.1.

Edit: I am not sure I was detailed enough in explaining why the rule fixed things. On the remote machine, there is a "proxy X server" running which to your application looks like a real X server. Your application needs to communicate to the proxy server over the loopback interface using the address of localhost (127.0.0.1). Your original rules did not allow these packets to flow. The rule I gave accepts all packets on the loopback interface, so these packets are allowed to flow.

Last edited by blackhole54; 10-14-2007 at 03:24 PM.
 
Old 10-15-2007, 06:50 PM   #6
bowens44
LQ Newbie
 
Registered: Aug 2005
Posts: 25

Original Poster
Rep: Reputation: 15
blackhole54,

Thank you very much for your replies. They helped a lot. I need to do some more reading but I with your help, I was able to get past this issue.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
X11 forwarding BigNate Linux - Software 16 06-21-2011 02:39 AM
X11 Forwarding BlueTornJacket Linux - Server 11 03-12-2007 06:00 PM
X11 forwarding paul_mat Linux - Newbie 3 12-12-2004 07:30 PM
X11 forwarding JanDeMan Mandriva 1 04-17-2004 10:02 PM
Need Help with X11 forwarding phatboyz Linux - General 3 04-16-2004 04:17 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 10:50 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration