[CentOS] iptables settings for X11 forwarding in CentOS 6.2

Pat Haley

phaley at MIT.EDU
Fri Mar 29 16:37:36 UTC 2013


Hi,

Actually we're talking about both SSH and XDMCP X11 forwarding.
Both seem to be currently disabled by the iptables.

We'll try out what you suggest and get back with the results.
Thanks.

Pat


> On Fri, Mar 29, 2013 at 11:34 AM, Pat Haley <phaley at mit.edu> wrote:
> 
>> Hi,
>>
>> We recently installed CentOS 6.2 on our cluster.  During
>> the installation/debugging of various secondary software, we had
>> disabled iptables.  When we re-enabled them, we found that the
>> front-end would no longer X11 forward (although it does so
>> when the iptables are off).  What do we need to set in the
>> iptables to permit X11 forwarding?  Currently we're using
>>
> 
> [Based on the port numbers below] You're talking about XDMCP and not SSH
> X11 forwarding -- correct?
> 
> I bumped into this [0] but don't have any XDMCP setups to test with.  You
> have most of the recommended ports allowed given your rules.
> 
> Might help:
> "If you are using Gnome open up TCP ports 16001 and TCP 35091 in both
> directions." [0]
> 
> 
> [0] http://www.starnet.com/xwin32kb/What_ports_need_to_be_opened_for_XDMCP
> [1] http://www.tldp.org/HOWTO/html_single/XDMCP-HOWTO/#PREP
> 
> 
> Consider running tcpdump on the proper interface with the firewall disabled
> for a moment to get an idea of what happens when things work.
> 
> 
>>
>> iptables -P INPUT DROP
>> iptables -P FORWARD DROP
>> iptables -P OUTPUT ACCEPT
>>
>> iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall: "
>>
>> iptables -A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -i eth1 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -i eth1 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -i eth1 -p tcp --dport 6000 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -i eth1 -p tcp --dport 6001 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -i eth1 -p tcp --dport 6002 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -i eth1 -p tcp --dport 6003 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -i eth1 -p tcp --dport 6004 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -i eth1 -p tcp --dport 6005 -m state --state NEW,ESTABLISHED -j ACCEPT
>>
> 
> You can simplify your rules by specifying a port range instead of individual
> rules:
> iptables -A INPUT -i eth1 -p tcp --dport 6000:6005 -m state --state NEW,ESTABLISHED -j ACCEPT
> 
> 
>> iptables -A INPUT -i eth1 -p udp --dport 177 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -i eth1 -p udp --dport 6000 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A INPUT -i eth1 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -A INPUT -i eth1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
>>


-- 

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Pat Haley                          Email:  phaley at mit.edu
Center for Ocean Engineering       Phone:  (617) 253-6824
Dept. of Mechanical Engineering    Fax:    (617) 253-8125
MIT, Room 5-213                    http://web.mit.edu/phaley/www/
77 Massachusetts Avenue
Cambridge, MA  02139-4301
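The thread above ends without a way to confirm which of the two cases is actually blocked. The script below is an added example, not code from the list posting or from CentOS: it evaluates an INPUT chain the way the kernel does (first matching terminating rule wins, LOG is non-terminating, the chain policy applies otherwise) and reports which ports each mechanism needs that the ruleset does not accept on a given interface. The requirements encoded are the facts the thread relies on: SSH X11 forwarding carries all X traffic inside the TCP/22 session, so it needs no extra inbound port, while XDMCP needs UDP/177 plus TCP 6000+N for every display N the server will offer. The sample ruleset is a constructed rendering of the rules posted above in the form `iptables -S INPUT` prints them (with the six per-display rules collapsed into the `6000:6005` range the reply suggests); run the script against the real output of `iptables -S INPUT` on the front-end instead.

```python
"""Audit an iptables INPUT chain for the ports XDMCP and SSH X11 forwarding need.

Added example; assumes `iptables -S INPUT` style input and only the matches
used in the posted ruleset (-i, -p, --dport, -m state --state, -j).
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample: the posted ruleset as `iptables -S INPUT` would print it.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -m limit --limit 15/min -j LOG --log-prefix "Dropped by firewall: " --log-level 7
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 6000:6005 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 177 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 6000 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
"""

# SSH X11 forwarding: X traffic is tunnelled inside the SSH session on TCP/22.
SSH_X11_REQUIREMENTS: List[Tuple[str, int]] = [("tcp", 22)]


def xdmcp_requirements(displays) -> List[Tuple[str, int]]:
    """XDMCP itself uses UDP/177; display N's X server listens on TCP 6000+N."""
    return [("udp", 177)] + [("tcp", 6000 + d) for d in displays]


@dataclass
class Rule:
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport_lo: Optional[int] = None
    dport_hi: Optional[int] = None
    states: Optional[Set[str]] = None   # None means no conntrack state match
    target: str = ""


def parse_rules(text: str) -> Tuple[str, List[Rule]]:
    """Return (chain policy, rules) for the INPUT chain from `iptables -S` output."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        tok = shlex.split(line)            # shlex keeps the quoted --log-prefix intact
        if len(tok) < 2 or tok[1] != "INPUT":
            continue
        if tok[0] == "-P":
            policy = tok[2]
            continue
        if tok[0] != "-A":
            continue
        r, i = Rule(), 2
        while i < len(tok):
            t = tok[i]
            if t == "-i":
                r.iface = tok[i + 1]; i += 2
            elif t == "-p":
                r.proto = tok[i + 1]; i += 2
            elif t == "--dport":
                lo, _, hi = tok[i + 1].partition(":")   # "6000" or "6000:6005"
                r.dport_lo, r.dport_hi = int(lo), int(hi or lo); i += 2
            elif t == "--state":
                r.states = set(tok[i + 1].split(",")); i += 2
            elif t == "-j":
                r.target = tok[i + 1]; i += 2
            else:
                i += 1                     # other options (-m, --limit, ...) do not affect this audit
        rules.append(r)
    return policy, rules


def matches_new_connection(r: Rule, iface: str, proto: str, port: int) -> bool:
    """Would this rule match the first packet of a new inbound connection?"""
    if r.iface is not None and r.iface != iface:
        return False
    if r.proto is not None and r.proto != proto:
        return False
    if r.dport_lo is not None and not (r.dport_lo <= port <= r.dport_hi):
        return False
    if r.states is not None and "NEW" not in r.states:
        return False
    return True


def verdict(policy: str, rules: List[Rule], iface: str, proto: str, port: int) -> str:
    """First terminating match wins; LOG does not terminate; otherwise the policy applies."""
    for r in rules:
        if r.target == "LOG":
            continue
        if matches_new_connection(r, iface, proto, port):
            return r.target
    return policy


def audit(rules_text: str, iface: str, requirements) -> List[Tuple[str, int]]:
    """Return the (proto, port) pairs in `requirements` that are NOT accepted on `iface`."""
    policy, rules = parse_rules(rules_text)
    return [(p, port) for p, port in requirements
            if verdict(policy, rules, iface, p, port) != "ACCEPT"]


if __name__ == "__main__":
    print("SSH X11 missing:", audit(SAMPLE_RULES, "eth1", SSH_X11_REQUIREMENTS))
    print("XDMCP :0-:5 missing:", audit(SAMPLE_RULES, "eth1", xdmcp_requirements(range(6))))
    print("XDMCP :0-:6 missing:", audit(SAMPLE_RULES, "eth1", xdmcp_requirements(range(7))))
```

Against the constructed ruleset, both SSH X11 forwarding and XDMCP for displays :0 to :5 come back with nothing missing on eth1, so if forwarding still fails with these rules loaded the cause is something other than the INPUT chain (a different interface name, or the OUTPUT/FORWARD side). Adding a seventh display reports TCP/6006 as blocked, which is the kind of gap the per-display rules make easy to miss. Note the trade-off the audit makes visible: accepting NEW connections to TCP 6000:6005 exposes the X servers themselves to the network, and neither XDMCP nor the X protocol is encrypted, whereas SSH X11 forwarding needs only TCP/22 and carries the X traffic inside the authenticated session.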


