Linode Community Forums
Posted: Fri Nov 26, 2010 7:20 pm
I recently used the Linode documentation along with help from this list to lock down my Linode by DROP'g all INPUT and FORWARD packets and then ACCEPT'g traffic on specific ports.

Most everything works as expected, except I've lost the ability to do X11 forwarding (e.g. logging in with ssh -X and running things like xclock).

I noticed in /etc/services that ports 177 and 6000:6007 are related to X11.

In which chain should I enable these? I tried the INPUT chain and it didn't restore the X11 forwarding capability.

Thanks in advance for all your help.

bob

Posted: Sat Nov 27, 2010 3:32 pm
Website: http://www.jebblue.net
It would be more secure to use a secure tunnel: ssh in using -L or use stunnel, then run vncserver, and on your client connect to the tunnel port on localhost with a VNC client.

Actually, re-reading your post, I don't see why -X would fail; as long as you can ssh in, it should work, though it's not as efficient as using VNC over a secure tunnel.

Posted: Sat Nov 27, 2010 4:49 pm
I hope you're not firewalling traffic on lo/127.0.0.1?

--
rsk, providing useless advice on the Internet since 2005.

Posted: Sun Nov 28, 2010 5:06 pm
Bob, you can use the LOG rule to help you troubleshoot. For example:

iptables -A INPUT -j LOG --log-prefix "INPUT_DROP "

This will append the LOG rule to the end of the INPUT rules and will log each packet. So in your case, where I believe you have your policy set to DROP, you see what will get DROPped. Be aware that unless you set some iptables limits, your logs might fill up quickly, depending upon the amount of traffic you have.

You might also take a look for an iptables flow chart; that might help you figure out the flow of traffic as it traverses the iptables rules.

--
Travis
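The LOG-based troubleshooting Travis describes, worked through as an added example that is not part of any post in this thread: the script below reads kernel log lines produced by a rule with the prefix "INPUT_DROP " from his post and summarises which interface and destination port each dropped packet was aimed at, so loopback drops (rsk's hint) stand out. The log lines are constructed samples, and the function names are my own.

```bash
#!/bin/sh
# Added example (not from the thread). Summarise output of
#   iptables -A INPUT -j LOG --log-prefix "INPUT_DROP "
# appended just ahead of a DROP policy. The lines below are CONSTRUCTED
# samples in the kernel's usual LOG format, not real captures.
SAMPLE_LOG='Nov 27 15:10:01 li kernel: INPUT_DROP IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=41234 DPT=6010 WINDOW=32792 RES=0x00 SYN URGP=0
Nov 27 15:10:02 li kernel: INPUT_DROP IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2 PROTO=TCP SPT=55555 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Nov 27 15:10:03 li kernel: INPUT_DROP IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=41236 DPT=6010 WINDOW=32792 RES=0x00 SYN URGP=0'

# One line per dropped packet on stdin: "<interface> <proto> <dst port>".
# Each LOG field is KEY=VALUE, so split every token on "=" and keep the
# three keys we care about; tokens like "DF" or "SYN" simply have no value.
dropped_summary() {
    awk '/INPUT_DROP/ {
        iface = ""; proto = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=");
            if (kv[1] == "IN") iface = kv[2];
            else if (kv[1] == "PROTO") proto = kv[2];
            else if (kv[1] == "DPT") dpt = kv[2];
        }
        print iface, proto, dpt;
    }'
}

# Number of drops on the loopback interface. With X11 forwarding, sshd
# listens on 127.0.0.1:6000+display (display :10 and up by default), so any
# non-zero count here is exactly what breaks "ssh -X" behind a DROP policy.
loopback_drops() {
    dropped_summary | awk '$1 == "lo" { n++ } END { print n + 0 }'
}

# Distinct destination ports dropped on lo, to decide what to permit.
loopback_ports() {
    dropped_summary | awk '$1 == "lo" { print $3 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

printf '%s\n' "$SAMPLE_LOG" | dropped_summary
```

On a real box, feed it `grep INPUT_DROP /var/log/kern.log` (path varies by distribution) instead of the sample text.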
Posted: Mon Nov 29, 2010 2:52 pm
Location: Montreal, QC
On an unrelated note, X11 forwarding is a bad idea because XDMCP falls apart with internet latencies. A suggested alternative is to use NX, which speeds up internet X11 access by orders of magnitude through the use of a proxy that optimizes access. Essentially, it compresses the session, but more importantly, it does extensive caching. This eliminates the vast majority of round-trip delays, greatly improving performance.