On Sat, 20 Jan 2018 12:13:12 -0600
Jason <elect...@emypeople.net> wrote:

> Hi,
> 
> I am trying to set up (what should be) a simple iptables table between
> two machines on a local network, both with static IP addresses. The
> machine I want to set up the iptables on is a headless server which I
> access using ssh. I want to cut off all communications except with the
> machine I ssh from. What I did works except when I try to run a GUI
> program on the server to display locally, after a pause I get
> something like:
> 
>       Geany: cannot open display
> or
>       xterm: Xt error: Can't open display: localhost:10.0
> 
> both of which work before I run the iptables commands.

OK, that leaves little doubt that it's a firewall issue.

> 
> Here's what I did (000.000.000.000 is substituted for actual IP
> address of client machine):
> 
> $ sudo iptables -A INPUT -s 000.000.000.000 -j ACCEPT
> $ sudo iptables -A OUTPUT -d 000.000.000.000 -j ACCEPT
> $ sudo iptables -P INPUT DROP
> $ sudo iptables -P OUTPUT DROP
> 
> I also tried to add
> 
> $ sudo iptables -A INPUT -i lo -j ACCEPT

You'll also want a lo ACCEPT in the OUTPUT chain.

> 
> without success.
> 
> What do I need to do to get X forwarding to work?
> 

Others may know the exact answer in this case. I'll make a couple of
suggestions for future iptables issues.

1. Take one of the very basic firewall scripts (there are many around)
that works statefully i.e. allows everything out, accepts established
and related state replies, drops invalid packets, accepts lo in and out.
Start from there, check your X forwarding works, then add IP address
restrictions as required one by one. When it breaks, you know exactly
what did it.

2. Use -j LOG targets with various --log-prefix values in various
places to understand what's going on, generally what's being dropped
by mistake. When you finish with them, comment them out but leave them
there for future use. Tailor them by address and/or port to look for
specific issues. In your existing case:

iptables -A INPUT -j LOG --log-level debug --log-prefix "INPUT dropped:"

just before the actual DROP judgement, and another for OUTPUT. It will
generate a lot of stuff quite quickly, so comment it once you have some
logs to examine. It's amazing what really obvious things you can
overlook with a firewall, and this will identify them fairly quickly.
It's a much less tedious job than using a packet capture application,
which is massive overkill for simple networking problems.

3. You may be doing this without telling us here, but when you have a
script to make your firewall, put in initialisation commands first, to
remove any existing rules, and set overall DROP defaults in case your
main iptables logic takes a wrong turn. You'll want at least the -F and
-X iptables options for filter, nat and mangle tables. If you haven't
disabled IPv6 altogether, you'll also need corresponding ip6tables
commands, as IPv6 is wide open by default.

-- 
Joe

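As an added example (not code from the thread, and not Joe's or Jason's own script): a minimal firewall script that follows the three suggestions above in order, so the initialisation runs first, the stateful base with lo accepted in both directions comes next, the per-address restriction is added after that, and the LOG rules sit last in each chain, just before the DROP policy takes effect. The function names, the DRY_RUN switch, the ADMIN_HOST variable and the 192.0.2.10 placeholder address are this example's own assumptions; the `-m conntrack --ctstate` and `-m limit` matches are standard iptables extensions.

```shell
#!/bin/sh
# Added example: a minimal stateful iptables script built the way Joe's reply
# suggests. Not from the thread. Function names, the DRY_RUN switch and the
# ADMIN_HOST placeholder are this example's own assumptions.
set -eu

# The client that is allowed to open ssh (and thus X forwarding) to this host.
# 192.0.2.10 is a constructed RFC 5737 placeholder; substitute the real client IP.
ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"

# Wrappers: with DRY_RUN set, print the commands instead of changing the kernel,
# which lets you review the rule order before applying it on a headless box.
ipt()  { if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*";  else iptables "$@";  fi; }
ip6t() { if [ -n "${DRY_RUN:-}" ]; then echo "ip6tables $*"; else ip6tables "$@"; fi; }

# Suggestion 3: initialise first. Flush and delete chains in filter, nat and
# mangle, and set DROP policies so a later mistake fails closed rather than open.
firewall_init() {
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
}

# Suggestion 1: the stateful base. Loopback in AND out (the forwarded X display
# localhost:10.0 is reached over lo), established/related replies accepted,
# invalid dropped, everything new allowed out. Check X forwarding works here.
firewall_base() {
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT  -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
}

# Then add address restrictions one at a time: only ADMIN_HOST may open ssh.
firewall_restrict() {
    ipt -A INPUT -p tcp --dport 22 -s "$ADMIN_HOST" -m conntrack --ctstate NEW -j ACCEPT
}

# Suggestion 2: LOG targets as the last rule in each chain, i.e. just before the
# DROP policy applies, rate-limited so the kernel log is not flooded. Comment
# these two lines out once you have enough to examine, but keep them around.
firewall_log() {
    ipt -A INPUT  -m limit --limit 5/min -j LOG --log-level debug --log-prefix "INPUT dropped: "
    ipt -A OUTPUT -m limit --limit 5/min -j LOG --log-level debug --log-prefix "OUTPUT dropped: "
}

# IPv6 is wide open by default; give it the same fail-closed treatment.
firewall_ipv6() {
    for t in filter nat mangle; do
        ip6t -t "$t" -F
        ip6t -t "$t" -X
    done
    ip6t -P INPUT DROP
    ip6t -P FORWARD DROP
    ip6t -P OUTPUT DROP
    ip6t -A INPUT  -i lo -j ACCEPT
    ip6t -A OUTPUT -o lo -j ACCEPT
}

# Everything in the order the reply recommends: init, base, restrict, log, IPv6.
firewall_apply() {
    firewall_init
    firewall_base
    firewall_restrict
    firewall_log
    firewall_ipv6
}

# Usage: ./firewall.sh dry-run  (print the rules)   ./firewall.sh apply  (as root)
case "${1:-}" in
    dry-run) DRY_RUN=1; firewall_apply ;;
    apply)   firewall_apply ;;
esac
```

Run it with `dry-run` first and read the printed rule list top to bottom: the flush and DROP policies must come before any ACCEPT, and the LOG lines must be the last rule in INPUT and OUTPUT, otherwise they log traffic that a later ACCEPT would have let through and the "dropped" prefix becomes misleading. Since the X display is forwarded inside the ssh session, the only rules X forwarding needs are the two lo ACCEPTs and the ssh rule for the admin host.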