On Sat, Jan 20, 2018 at 07:30:09PM +0000, Joe wrote:
> On Sat, 20 Jan 2018 12:13:12 -0600
> Jason <elect...@emypeople.net> wrote:
> 
> > Hi,
> > 
> > I am trying to set up (what should be) a simple iptables table between
> > two machines on a local network, both with static IP addresses. The
> > machine I want to set up the iptables on is a headless server which I
> > access using ssh. I want to cut off all communications except with the
> > machine I ssh from. What I did works except when I try to run a GUI
> > program on the server to display locally, after a pause I get
> > something like:
> > 
> > Geany: cannot open display
> > or
> > xterm: Xt error: Can't open display: localhost:10.0
> > 
> > both of which work before I run the iptables commands.
> 
> OK, that leaves little doubt that it's a firewall issue.
> 
> > 
> > Here's what I did (000.000.000.000 is substituted for the actual IP
> > address of the client machine):
> > 
> > $ sudo iptables -A INPUT -s 000.000.000.000 -j ACCEPT
> > $ sudo iptables -A OUTPUT -d 000.000.000.000 -j ACCEPT
> > $ sudo iptables -P INPUT DROP
> > $ sudo iptables -P OUTPUT DROP
> > 
> > I also tried to add
> > 
> > $ sudo iptables -A INPUT -i lo -j ACCEPT
> 
> You'll also want a lo ACCEPT in the OUTPUT chain.

Which fixed my problem, see my reply to Pascal.

> 
> > 
> > without success.
> > 
> > What do I need to do to get X forwarding to work?
> > 
> 
> Others may know the exact answer in this case. I'll make a couple of
> suggestions for future iptables issues.
> 
> 1. Take one of the very basic firewall scripts (there are many around)
> that works statefully, i.e. allows everything out, accepts established
> and related state replies, drops invalid packets, accepts lo in and out.
> Start from there, check your X forwarding works, then add IP address
> restrictions as required one by one. When it breaks, you know exactly
> what did it.
> 
> 2. Use -j LOG targets with various --log-prefix values in various
> places to understand what's going on, generally what's being dropped
> by mistake. When you finish with them, comment them out but leave them
> there for future use. Tailor them by address and/or port to look for
> specific issues. In your existing case:
> 
> iptables -A INPUT -j LOG --log-level debug --log-prefix "INPUT dropped:"
> 
> just before the actual DROP judgement, and another for OUTPUT. It will
> generate a lot of stuff quite quickly, so comment it out once you have
> some logs to examine. It's amazing what really obvious things you can
> overlook with a firewall, and this will identify them fairly quickly.
> It's a much less tedious job than using a packet capture application,
> which is massive overkill for simple networking problems.
> 
> 3. You may be doing this without telling us here, but when you have a
> script to make your firewall, put in initialisation commands first, to
> remove any existing rules, and set overall DROP defaults in case your
> main iptables logic takes a wrong turn. You'll want at least the -F and
> -X iptables options for the filter, nat and mangle tables. If you haven't
> disabled IPv6 altogether, you'll also need corresponding ip6tables
> commands, as IPv6 is wide open by default.
> 
I'm learning. Thanks for responding!

-- 
Jason
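Joe's three suggestions and the missing OUTPUT lo rule, put together as one script. This is an added example, not code from the thread or from either poster. The client address 192.0.2.10 and the ssh port 22 are placeholder assumptions; the display number 10 is the one from Jason's error message. The reason the OUTPUT lo rule matters: ssh -X sets DISPLAY=localhost:10.0, which is TCP port 6010 on 127.0.0.1, so the X client's connection leaves through OUTPUT on lo before it is seen by INPUT on lo. With an OUTPUT policy of DROP and only -d client accepted, that first hop is dropped and xterm reports "Can't open display". The script emits rulesets in iptables-restore format instead of running -A commands one by one, so each table is replaced atomically (that replacement is the -F/-X initialisation for that table), the LOG rules sit just before the DROP policy takes over and are rate-limited, and a matching ip6tables ruleset closes IPv6.

```shell
#!/bin/sh
# Added example, not from the thread. Generates iptables-restore / ip6tables-restore
# rulesets for "talk only to the admin host" plus the lo/X-forwarding fix.
# Assumptions (hypothetical values): admin workstation is 192.0.2.10, sshd on 22.
set -eu

ADMIN="${ADMIN:-192.0.2.10}"

# IPv4 ruleset. Listing a table replaces it wholesale when loaded with
# iptables-restore (the -F/-X initialisation step), so nat and mangle are
# listed empty on purpose to clear anything left over there.
gen_rules() {
    admin="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback in BOTH directions: an X client on the server connects to
# 127.0.0.1:6010 (DISPLAY=localhost:10.0), which crosses OUTPUT -o lo first
# and INPUT -i lo second. Accepting lo on INPUT alone leaves X broken.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Stateful base: drop INVALID, accept replies to flows already allowed.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only the admin host may open new connections to us (tighten with
# "-p tcp --dport 22" once everything else works).
-A INPUT -s $admin -m conntrack --ctstate NEW -j ACCEPT
# Anything the server itself originates may only go to the admin host.
-A OUTPUT -d $admin -j ACCEPT
# Log what is about to fall through to the DROP policy. Rate-limited so a
# scan cannot flood the kernel log; comment out once the ruleset is debugged.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-level debug --log-prefix "INPUT dropped: "
-A OUTPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-level debug --log-prefix "OUTPUT dropped: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

# IPv6 ruleset: same shape, no admin host. ICMPv6 stays open because
# neighbour discovery runs over it; drop it and even link-local breaks.
gen_rules6() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-level debug --log-prefix "INPUT6 dropped: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-level debug --log-prefix "OUTPUT6 dropped: "
COMMIT
EOF
}

# Load both rulesets. Needs root. Saves the current rules first and arms a
# rollback so a mistake cannot lock you out of the ssh session you apply from.
apply_rules() {
    iptables-save  > /tmp/ipt.before
    ip6tables-save > /tmp/ip6t.before
    ( sleep 120 && iptables-restore < /tmp/ipt.before && ip6tables-restore < /tmp/ip6t.before ) &
    echo "rollback armed (pid $!); if ssh still works, cancel it with: kill $!"
    gen_rules "$ADMIN" | iptables-restore
    gen_rules6         | ip6tables-restore
}

case "${1:-}" in
    show)  gen_rules "$ADMIN"; gen_rules6 ;;
    apply) apply_rules ;;
esac
```

Run `sh firewall.sh show` to read the generated rules, then `sudo sh firewall.sh apply` from the ssh session; once `ssh -X` still works, kill the rollback job it announced. The dropped packets show up in the kernel log (`dmesg` or `journalctl -k`) under the prefixes given, so `grep 'OUTPUT dropped'` tells you at once which chain is eating the traffic.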