X11 forwarding over SSH on firewalled CentOS host

I had a few issues with X11 forwarding over SSH on one of my CentOS hosts. After a bit of fiddling, I discovered that there were a couple of things I hadn’t taken into account.

I’d set my PuTTY session up to allow X11 forwarding, and set the X display location to “localhost”. On the server, I installed xclock and its dependencies for testing, and set the following in /etc/ssh/sshd_config:

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

I restarted sshd; however, this still wasn’t working.

In short, I was missing two things:

1) xauth wasn’t installed. This is required!
2) I wasn’t allowing connections to localhost in my iptables config. This was fixed in my ruleset with:

iptables -A INPUT -i lo -j ACCEPT

sshd was restarted after installing xauth and adding the firewall rule and it now works a treat!
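
As an added example (not part of the original post), the fixes above can be checked offline with a small shell script; the function names and the sample sshd_config and ruleset contents are constructed for illustration. It goes one step beyond the post by checking that the loopback ACCEPT sits ahead of any blanket REJECT/DROP, which matters because iptables -A appends to the end of the chain.

```shell
#!/bin/sh
# Added example: offline checks for the prerequisites described in the post.
# Function names and sample file contents are constructed for illustration.

# Print the value of an sshd_config keyword (case-insensitive, first
# uncommented match wins, as in sshd itself); prints nothing if unset.
# Simplification: ignores Match blocks and the "Keyword=value" form.
sshd_option() {   # usage: sshd_option FILE KEYWORD
    awk -v key="$2" 'tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Succeed only if INPUT accepts "-i lo" before any INPUT rule that
# rejects or drops without naming an interface (iptables-save format).
lo_accepted_first() {   # usage: lo_accepted_first RULES_FILE
    awk '
        $1 == "-A" && $2 == "INPUT" {
            line = " " $0 " "
            if (line ~ / -i lo / && line !~ / ! -i / && line ~ / -j ACCEPT /) { ok = 1; exit }
            if (line !~ / -i / && line ~ / -j (REJECT|DROP) /) exit
        }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Write constructed sample files into directory $1.
write_samples() {
    printf '%s\n' '#X11Forwarding no' 'X11Forwarding yes' \
        'X11DisplayOffset 10' 'X11UseLocalhost yes' > "$1/sshd_config"
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        'COMMIT' > "$1/rules.good"
    # Same rules, but the loopback rule was appended after the REJECT.
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' \
        '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
        '-A INPUT -i lo -j ACCEPT' 'COMMIT' > "$1/rules.bad"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "X11Forwarding: $(sshd_option "$demo_dir/sshd_config" X11Forwarding)"
command -v xauth >/dev/null 2>&1 && echo "xauth: found" || echo "xauth: MISSING"
for f in rules.good rules.bad; do
    if lo_accepted_first "$demo_dir/$f"; then echo "$f: lo accepted first"
    else echo "$f: lo NOT accepted before REJECT/DROP"; fi
done
rm -rf "$demo_dir"
```

On a live host the same functions can be pointed at /etc/ssh/sshd_config and at the output of iptables-save written to a file.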


3 Responses to X11 forwarding over SSH on firewalled CentOS host

  1. Cody says:

    Hey mate! Good to see you still writing. Hope all is well (including the gliding).

    Just a comment: it’s actually a good idea to ACCEPT all input output and forward for iface lo. I can’t think of any specific example (though you’ve found one) but I seem to recall many different things can break if you don’t allow localhost (of course if you by chance have other rules you should rather insert at the top the lo rules at least for efficiency reasons if not also the fact if there are other rules which don’t consider interface and there is e.g. a REJECT).

    Of course it’s a bad idea to accept packets claiming to be a public IP on a public interface (or private IPs on a public interface), but that’s another matter entirely and one which you surely know (as you probably know the other point but had an oversight).

    Incidentally for future reference: you shouldn’t need to restart a service once a firewall rule allows access to it (maybe do need for xauth though) (the socket listening won’t even see the client socket before iptables sees it).

    • Sol says:

      Hi mate, yes this is near the top of the ruleset now – I use a file which I edit and then import with iptables-restore rather than just appending rules. I just find it easier to manage that way. :)

      In this case, the sshd service needed restarting but it wasn’t related to the firewall rules, just the fact that xauth had been installed.

      • Cody says:

        Actually I have my own script which amongst other things does:

        – Set specific sysctl settings to do with networking (icmp, tcp, etc.) just because I find it a convenient place (since they’re to do with security I figure I can just run sysctl).

        – Clear tables/initialise tables/add rules etc. If I referred to appending I of course meant the -A option. :)

        – Save (by way of iptables and ip6tables services).

        Basically the same as you only I clear the tables out first and automate it all. This is also useful with a multi-homed host (not just private netblocks but also a /29) as I can use shell ‘for’ etc. (and can have a list of ports for different addresses and interfaces for example). But we all have different ways of doing things and I find this works best for me. As you put it: in Unix there are many ways to skin `cat’ (though I believe you added ‘a’ or ‘the’ before ‘cat’).

        My script also deals with ip6tables (though it’s crap 6rd but I’m also too lazy to remove all ipv6 IPs from glue records so I figure I should keep ipv6 enabled so sort of need ip6tables).

        Hope you’re doing well!
