On Fri, Mar 29, 2013 at 11:34 AM, Pat Haley <phaley at mit.edu> wrote:
>
> Hi,
>
> We recently installed CentOS 6.2 on our cluster. During
> the installation/debugging of various secondary software, we had
> disabled iptables. When we re-enabled them, we found that the
> front-end would no longer X11 forward (although it does so
> when the iptables are off). What do we need to set in the
> iptables to permit X11 forwarding? Currently we're using
>

[Based on the port numbers below]
You're talking about XDMCP and not SSH X11 forwarding -- correct?

I bumped into this [0] but don't have any XDMCP setups to test with.
You have most of the recommended ports allowed given your rules.

Might help:
"If you are using Gnome open up TCP ports 16001 and TCP 35091 in both directions." [0]

[0] http://www.starnet.com/xwin32kb/What_ports_need_to_be_opened_for_XDMCP
[1] http://www.tldp.org/HOWTO/html_single/XDMCP-HOWTO/#PREP

Consider running tcpdump on the proper interface with the firewall disabled
for a moment to get an idea of what happens when things work.

>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
>
> iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 6000 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 6001 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 6002 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 6003 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 6004 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp --dport 6005 -m state --state NEW,ESTABLISHED -j ACCEPT
>

You can simplify your rule by specifying a port range instead of individual rules:

iptables -A INPUT -i eth1 -p tcp --dport 6000:6005 -m state --state NEW,ESTABLISHED -j ACCEPT

> iptables -A INPUT -i eth1 -p udp --dport 177 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p udp --dport 6000 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth1 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A INPUT -i eth1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Pat Haley                          Email:  phaley at mit.edu
> Center for Ocean Engineering       Phone:  (617) 253-6824
> Dept. of Mechanical Engineering    Fax:    (617) 253-8125
> MIT, Room 5-213                    http://web.mit.edu/phaley/www/
> 77 Massachusetts Avenue
> Cambridge, MA  02139-4301
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

--
---~~.~~---
Mike
//  SilverTip257  //
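As an added example (not code from either poster), the script below generates the rule set quoted in the thread with the port-range simplification Mike suggests applied automatically: it sorts the port list and collapses every run of consecutive ports into one `--dport a:b` rule. It prints the iptables commands rather than running them, so the result can be reviewed or diffed against `iptables -S` before being applied as root. The interface name `eth1` and the port lists are taken from the quoted rules; one deliberate change is that the rate-limited LOG rule is emitted last, because a LOG target is non-terminating and, placed first as in the quoted set, it samples every inbound packet rather than only the ones that fall through to the DROP policy.

```sh
#!/bin/sh
# Added example: emit an iptables INPUT rule set equivalent to the one quoted
# in the thread, with consecutive TCP/UDP ports collapsed into --dport ranges.
# Nothing is applied; the commands are printed for review. Interface and port
# lists are assumptions copied from the quoted rules.

# collapse_ports PORT...: print one line per run of consecutive ports,
# as "a" for a single port or "a:b" for a range, in ascending order.
collapse_ports() {
  printf '%s\n' "$@" | sort -n -u | awk '
    function emit(a, b) { if (a == b) print a; else print a ":" b }
    NR == 1        { start = $1; prev = $1; next }
    $1 == prev + 1 { prev = $1; next }
                   { emit(start, prev); start = $1; prev = $1 }
    END            { if (NR > 0) emit(start, prev) }'
}

# xdmcp_rules IFACE: print the complete rule set for the given inbound interface.
xdmcp_rules() {
  iface=$1
  tcp_ports="22 80 8080 6000 6001 6002 6003 6004 6005"   # from the quoted rules
  udp_ports="177 6000"                                    # XDMCP + X display 0

  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT ACCEPT"
  for r in $(collapse_ports $tcp_ports); do
    echo "iptables -A INPUT -i $iface -p tcp --dport $r -m state --state NEW,ESTABLISHED -j ACCEPT"
  done
  for r in $(collapse_ports $udp_ports); do
    echo "iptables -A INPUT -i $iface -p udp --dport $r -m state --state NEW,ESTABLISHED -j ACCEPT"
  done
  echo "iptables -A INPUT -i $iface -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -i $iface -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT"
  # LOG is non-terminating; emitted last so only packets about to hit the
  # DROP policy are logged (first in the chain it would sample all traffic).
  echo "iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix \"Dropped by firewall: \""
}

# rule_count IFACE: number of ACCEPT rules generated, a quick sanity check
# that range collapsing did not silently drop a port.
rule_count() {
  xdmcp_rules "$1" | grep -c -- '-j ACCEPT'
}

# Usage: sh gen-rules.sh eth1 > rules.sh   (review, then run rules.sh as root)
if [ "$#" -gt 0 ]; then
  xdmcp_rules "$1"
fi
```

With the ports above, `collapse_ports` yields `22`, `80`, `6000:6005` and `8080`, so the nine individual TCP rules become four and the accepted port set stays identical.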