Hi,
Actually we're talking about both SSH and XDMCP X11 forwarding. Both seem to be currently disabled by the iptables.
We'll try out what you suggest and get back with the results. Thanks.
Pat
On Fri, Mar 29, 2013 at 11:34 AM, Pat Haley phaley@mit.edu wrote:
Hi,
We recently installed CentOS 6.2 on our cluster. During the installation/debugging of various secondary software, we had disabled iptables. When we re-enabled them, we found that the front-end would no longer X11 forward (although it does so when the iptables are off). What do we need to set in the iptables to permit X11 forwarding? Currently we're using
[Based on the port numbers below] You're talking about XDMCP and not SSH X11 forwarding -- correct?
I bumped into this [0] but don't have any XDMCP setups to test with. You have most of the recommended ports allowed given your rules.
Might help: "If you are using Gnome open up TCP ports 16001 and TCP 35091 in both directions." [0]
[0] http://www.starnet.com/xwin32kb/What_ports_need_to_be_opened_for_XDMCP
[1] http://www.tldp.org/HOWTO/html_single/XDMCP-HOWTO/#PREP
Consider running tcpdump on the proper interface with the firewall disabled for a moment to get an idea of what happens when things work.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6000 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6001 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6002 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6003 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6004 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6005 -m state --state NEW,ESTABLISHED -j ACCEPT
You can simplify your rule by specifying a port range instead of individual rules:
iptables -A INPUT -i eth1 -p tcp --dport 6000:6005 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 177 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 6000 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Pat Haley                          Email:  phaley@mit.edu
Center for Ocean Engineering       Phone:  (617) 253-6824
Dept. of Mechanical Engineering    Fax:    (617) 253-8125
MIT, Room 5-213                    http://web.mit.edu/phaley/www/
77 Massachusetts Avenue
Cambridge, MA  02139-4301
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
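Added example, not part of the thread: the LOG rule quoted above tags every refused packet with the prefix "Dropped by firewall: ", so before guessing at ports it is worth tallying what the kernel actually dropped, per ingress interface, and comparing that against the rules. The script below does that for constructed sample lines in the standard iptables LOG field format; the allow-list is taken from Pat's eth1 rules, and the host name, addresses and the two Gnome ports drawn from the StarNet note are assumptions for the sample data.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the kernel LOG-target format (not a real capture).
SAMPLE_LOG = """\
Mar 29 11:40:02 frontend kernel: Dropped by firewall: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44512 DF PROTO=TCP SPT=52110 DPT=16001 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 29 11:40:02 frontend kernel: Dropped by firewall: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44513 DF PROTO=TCP SPT=52111 DPT=16001 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 29 11:40:05 frontend kernel: Dropped by firewall: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=44520 DF PROTO=TCP SPT=52112 DPT=35091 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 29 11:40:07 frontend kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.1 LEN=32 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=177 DPT=177 LEN=12
Mar 29 11:40:09 frontend kernel: Dropped by firewall: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9001 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 29 11:40:10 frontend sshd[1234]: Accepted publickey for pat from 192.0.2.10 port 52200 ssh2
"""

LOG_PREFIX = "Dropped by firewall: "          # must match --log-prefix in the LOG rule
FIELD_RE = re.compile(r"(\w+)=(\S*)")         # KEY=value tokens; bare flags like DF/SYN are skipped

# (PROTO, DPT) pairs the eth1 rules in the thread accept for NEW connections.
ALLOWED_ETH1 = {("TCP", p) for p in ("22", "80", "8080")} \
    | {("TCP", str(p)) for p in range(6000, 6006)} \
    | {("UDP", "177"), ("UDP", "6000")}

def parse_drop(line):
    """Return the key=value fields of one LOG-target line, or None for any other syslog line."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = dict(FIELD_RE.findall(line[idx + len(LOG_PREFIX):]))
    return fields if "PROTO" in fields else None

def summarize_drops(text, iface=None):
    """Count dropped packets per (PROTO, DPT), optionally limited to one ingress interface."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_drop(line)
        if f is None or (iface and f.get("IN") != iface):
            continue
        counts[(f["PROTO"], f.get("DPT", "-"))] += 1   # ICMP has no DPT
    return counts

def missing_ports(counts, allowed):
    """Dropped (PROTO, DPT) pairs not covered by the allow-list: candidates to review, not to open blindly."""
    return sorted(k for k in counts if k not in allowed)

if __name__ == "__main__":
    eth1 = summarize_drops(SAMPLE_LOG, iface="eth1")
    for (proto, dpt), n in sorted(eth1.items()):
        print(f"eth1 {proto:4} dport {dpt:>5}: {n} dropped")
    print("not in eth1 rules:", missing_ports(eth1, ALLOWED_ETH1))
```

A drop on a port the rules already accept (here UDP 177, but arriving on eth0) points at an interface mismatch rather than a missing port rule.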