[CentOS] iptables settings for X11 forwarding in CentOS 6.2

Fri Mar 29 16:29:26 UTC 2013
SilverTip257 <silvertip257 at gmail.com>

On Fri, Mar 29, 2013 at 11:34 AM, Pat Haley <phaley at mit.edu> wrote:

>
> Hi,
>
> We recently installed CentOS 6.2 on our cluster.  During
> the installation/debugging of various secondary software, we had
> disabled iptables.  When we re-enabled them, we found that the
> front-end would no longer X11 forward (although it does so
> when the iptables are off).  What do we need to set in the
> iptables to permit X11 forwarding?  Currently we're using
>

[Based on the port numbers below] You're talking about XDMCP and not SSH
X11 forwarding -- correct?

I bumped into this [0] but don't have any XDMCP setups to test with.  You
have most of the recommended ports allowed given your rules.

Might help:
"If you are using Gnome open up TCP ports 16001 and TCP 35091 in both
directions." [0]


[0] http://www.starnet.com/xwin32kb/What_ports_need_to_be_opened_for_XDMCP
[1] http://www.tldp.org/HOWTO/html_single/XDMCP-HOWTO/#PREP


Consider running tcpdump on the proper interface with the firewall disabled
for a moment to get an idea of what happens when things work.


>
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
>
> iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 6000 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 6001 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 6002 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 6003 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 6004 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 6005 -m state --state NEW,ESTABLISHED -j ACCEPT
>

You can simplify your rule by specifying a port range instead of individual
rules:
iptables -A INPUT -i eth1 -p tcp --dport 6000:6005 -m state --state NEW,ESTABLISHED -j ACCEPT


> iptables -A INPUT -i eth1 -p udp --dport 177 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p udp --dport 6000 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Pat Haley                          Email:  phaley at mit.edu
> Center for Ocean Engineering       Phone:  (617) 253-6824
> Dept. of Mechanical Engineering    Fax:    (617) 253-8125
> MIT, Room 5-213                    http://web.mit.edu/phaley/www/
> 77 Massachusetts Avenue
> Cambridge, MA  02139-4301
>



-- 
---~~.~~---
Mike
//  SilverTip257  //
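The port-range simplification suggested in the reply above, generalised into a small helper (an added example, not code from the thread or from any CentOS tool): it takes iptables commands like the ones quoted, merges adjacent rules that differ only in --dport into one contiguous-range rule, and leaves everything else alone. Only neighbouring rules are merged, since iptables evaluates rules in order. The sample ruleset is constructed inline from the rules quoted in the thread.

```python
import re

# Constructed sample: the ruleset quoted in the thread, one command per line.
SAMPLE_RULES = """\
iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6000 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6001 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6002 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6003 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6004 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 6005 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 177 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p udp --dport 6000 -m state --state NEW,ESTABLISHED -j ACCEPT
"""

DPORT_RE = re.compile(r"--dport (\d+)(?::(\d+))?")
SLOT = "\x00"  # placeholder that never occurs in a rule line

def merge_dport_rules(lines):
    """Collapse *adjacent* rules that differ only in --dport into one port-range
    rule.  Only neighbours are merged: iptables evaluates rules in order, and
    hoisting a rule past an unrelated one could change which rule matches first.
    Lines without --dport pass through untouched."""
    runs = []  # [template, lo, hi]; lo/hi are None for pass-through lines
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = DPORT_RE.search(line)
        if not m:
            runs.append([line, None, None])
            continue
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        template = line[:m.start()] + "--dport " + SLOT + line[m.end():]
        last = runs[-1] if runs else None
        if last and last[0] == template and last[1] is not None and last[2] + 1 == lo:
            last[2] = hi  # extend the current contiguous run
        else:
            runs.append([template, lo, hi])
    merged = []
    for template, lo, hi in runs:
        if lo is None:
            merged.append(template)
        else:
            merged.append(template.replace(SLOT, str(lo) if lo == hi else f"{lo}:{hi}"))
    return merged
```

Run it over the output of `iptables-save` or a rules script to see which single-port rules can be collapsed; the UDP 6000 rule stays separate from the TCP range because the protocol differs.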