LinuxQuestions.org
Old 10-13-2007, 11:54 AM   #1
bowens44
LQ Newbie
 
Registered: Aug 2005
Posts: 25

Rep: Reputation: 15
X11 forwarding and Iiptables


I hope that I posted this in the correct the place.

Please excuse the typo in the subject - should of course be iptables

I am trying to set up X11 forwarding so that I can access some apps on my Linux box from my windows XP box on my home network. With iptables active, I can use putty to ssh into the box and login etc. With iptables flushed, I can use putty and xming from the windows box to launch apps on my linux box. This works perfectly. The trouble is that if I am using iptables, I get an error saying 'cannot connect to xserver localhost:10.0'.

I am pretty sure that I'm missing something in iptables. I am rather new at this so I'm not sure how to resolve this issue. I did several searches at several places but had no luck.

Here's my iptables:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -s 192.168.5.100 -d 192.168.5.101 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.1 -d 192.168.5.101 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.5.0/24 -p udp -m state --state NEW -j ACCEPT
-A INPUT -d 192.168.5.101 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 192.168.5.101 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -d 192.168.5.101 -p icmp -j ACCEPT
-A INPUT -s 192.168.5.100 -d 192.168.5.101 -p tcp -m tcp --dport 5900:5905 -j ACCEPT
-A INPUT -s 192.168.5.0/24 -d 192.168.5.101 -p udp --dport 137:138 -j ACCEPT
-A INPUT -s 192.168.5.0/24 -d 192.168.5.101 -p tcp --dport 139 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT

Thanks for your help!

Last edited by bowens44; 10-13-2007 at 01:47 PM. Reason: correct typo
 
Old 10-14-2007, 09:49 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by bowens44
I get an error saying 'cannot connect to xserver localhost:10.0'.
I believe you have localhost (127.0.0.1) blocked which prevents your application from communicating to the proxy xserver. Usually I have a rule at the top of my INPUT chain that accepts all loopback unless there is a particular reason not to on the particular box:

Code:
iptables -A INPUT -i lo -j ACCEPT
BTW, I am not sure what the purpose of the following is:

Code:
-A INPUT -s 127.0.0.1 -d 192.168.5.101 -j ACCEPT
I am not sure that rule would ever be matched. Usually something with a source address of 127.0.0.1 will also have a destination address of 127.0.0.1. Am I missing something?
 
Old 10-14-2007, 11:17 AM   #3
bowens44
LQ Newbie
 
Registered: Aug 2005
Posts: 25

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by blackhole54
I believe you have localhost (127.0.0.1) blocked which prevents your application from communicating to the proxy xserver. Usually I have a rule at the top of my INPUT chain that accepts all loopback unless there is a particular reason not to on the particular box:

iptables -A INPUT -i lo -j ACCEPT
When I use this, and do an iptables -L for this line it says:
ACCEPT all -- anywhere anywhere

Can you explain to me exactly what this does? It works but I'm not sure that I understand why.

Quote:
BTW, I am not sure what the purpose of the following is:

-A INPUT -s 127.0.0.1 -d 192.168.5.101 -j ACCEPT
I am not sure that rule would ever be matched. Usually something with a source address of 127.0.0.1 will also have a destination address of 127.0.0.1. Am I missing something?
I don't know exactly. I'm new to this. I got this from a web site that told how to build a basic iptables setup. It said that this allowed any traffic from localhost.

I really appreciate your help. Thank you.
 
Old 10-14-2007, 12:28 PM   #4
ray_80
Member
 
Registered: Oct 2007
Posts: 75

Rep: Reputation: 15
Have you tried VNC?
 
Old 10-14-2007, 02:14 PM   #5
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by bowens44
When I use this, and do an iptables -L for this line it says:
ACCEPT all -- anywhere anywhere
The reason it says "anywhere anywhere" is because there are no source or destination IP addresses specified in the rule. If you tell it to be verbose with the -v option, it will also list (among other things) the interface this rule applies to if it is restricted to a particular interface. And the interface (loopback aka lo) is the only thing the rule I gave you specified. The loopback interface is how the computer "talks to itself" using addresses 127.xx.xx.xx, most frequently the address 127.0.0.1. When I list iptables rules I like to specify the options -nvL. In addition to being verbose, it lists addresses and ports numerically. This is a matter of personal taste and you can obviously do as you wish.


Quote:
I don't know exactly. I'm new to this. I got this from a web site that told how to build a basic iptables setup. It said that this allowed any traffic from localhost.
To my knowledge the advice is wrong. If you can provide a link where you got that, maybe I or somebody else can comment further on it.

Since you are learning, you might want to take a look at the LQ Wiki article for configuring a basic workstation firewall. The firewall listed there uses the localhost address instead of the loopback interface like the rule I showed you. Personally I think you're better off referring to the interface, but if you decide you wish to use the address I suggest using the range of addresses 127.0.0.0/8 instead of the single address 127.0.0.1.

Edit: I am not sure I was detailed enough in explaining why the rule fixed things. On the remote machine, there is a "proxy X server" running which to your application looks like a real X server. Your application needs to communicate to the proxy server over the loopback interface using the address of localhost (127.0.0.1). Your original rules did not allow these packets to flow. The rule I gave accepts all packets on the loopback interface, so these packets are allowed to flow.

Last edited by blackhole54; 10-14-2007 at 02:24 PM.
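The following is an added example, not code from anyone in this thread: a small first-match model of the INPUT chain that replays the poster's rules (simplified to the ones that matter) against the forwarded X client's first packet. It assumes the usual X convention that DISPLAY localhost:10.0 means TCP port 6000 + 10 = 6010 on the loopback interface, and shows both why the original chain rejects that packet and why the loopback rule at the top accepts it.

```python
# Added example (not from the thread): a minimal model of iptables INPUT-chain
# evaluation. Unspecified fields in a rule match anything, as in iptables.
from ipaddress import ip_address, ip_network

def rule(target, src="0.0.0.0/0", dst="0.0.0.0/0", proto=None,
         dports=None, iface=None, states=None):
    return dict(target=target, src=ip_network(src), dst=ip_network(dst),
                proto=proto, dports=dports, iface=iface, states=states)

def matches(r, pkt):
    if ip_address(pkt["src"]) not in r["src"]:
        return False
    if ip_address(pkt["dst"]) not in r["dst"]:
        return False
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    if r["dports"] and not (r["dports"][0] <= pkt["dport"] <= r["dports"][1]):
        return False
    if r["iface"] and r["iface"] != pkt["iface"]:
        return False
    if r["states"] and pkt["state"] not in r["states"]:
        return False
    return True

def verdict(chain, pkt, policy="ACCEPT"):
    """The first matching rule decides; otherwise the chain policy applies."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

# The poster's INPUT chain, reduced to the rules relevant to loopback traffic.
ORIGINAL = [
    rule("ACCEPT", src="192.168.5.100", dst="192.168.5.101", proto="tcp", dports=(22, 22)),
    rule("ACCEPT", src="127.0.0.1", dst="192.168.5.101"),   # the puzzling rule from the thread
    rule("ACCEPT", states={"RELATED", "ESTABLISHED"}),
    rule("ACCEPT", dst="192.168.5.101", proto="tcp", dports=(80, 80)),
    rule("REJECT"),                                         # catch-all at the end
]
# blackhole54's fix: accept everything on the loopback interface, placed first.
FIXED = [rule("ACCEPT", iface="lo")] + ORIGINAL

# Constructed packet: the X client's first SYN (state NEW) to sshd's proxy X server
# listening on 127.0.0.1:6010 for DISPLAY localhost:10.0.
X11_SYN = dict(src="127.0.0.1", dst="127.0.0.1", proto="tcp",
               dport=6010, iface="lo", state="NEW")

def original_verdict():
    return verdict(ORIGINAL, X11_SYN)        # "REJECT": falls through to the catch-all

def fixed_verdict():
    return verdict(FIXED, X11_SYN)           # "ACCEPT": the lo rule matches first

def odd_rule_matches():
    return matches(ORIGINAL[1], X11_SYN)     # False: loopback packets have dst 127.0.0.1
```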
 
Old 10-15-2007, 05:50 PM   #6
bowens44
LQ Newbie
 
Registered: Aug 2005
Posts: 25

Original Poster
Rep: Reputation: 15
blackhole54,

Thank you very much for your replies. They helped a lot. I need to do some more reading but with your help, I was able to get past this issue.
 