On 20/01/2018 at 19:13, Jason wrote:

> I am trying to set up (what should be) a simple iptables table

I don't think so. In iptables, "tables" are preexisting data structures
containing chains, and chains contain rules that you create. The set of
rules in these chains and tables is called, well, a ruleset.

> between two machines on a local network, both with static IP addresses.

Nonsense. A ruleset is set up on one machine, not between two machines.

> The machine I want to set up the iptables on

As I wrote: on one machine.

> is a headless server which I access using ssh. I want to cut off all
> communications except with the machine I ssh from.

I guess you use X tunnelling with ssh -X or -Y?

> What I did works except when I try to run a GUI program on the server
> to display locally, after a pause I get something like:
>
> Geany: cannot open display
>
> or
>
> xterm: Xt error: Can't open display: localhost:10.0
>
> both of which work before I run the iptables commands.
>
> Here's what I did (000.000.000.000 is substituted for actual IP
> address of client machine):

You really should not use that kind of address for substitution. 0.0.0.0
has a special meaning. You could use addresses in 192.0.2.0/24 which
are reserved for examples and documentation instead.

> $ sudo iptables -A INPUT -s 000.000.000.000 -j ACCEPT
> $ sudo iptables -A OUTPUT -d 000.000.000.000 -j ACCEPT
> $ sudo iptables -P INPUT DROP
> $ sudo iptables -P OUTPUT DROP
>
> I also tried to add
>
> $ sudo iptables -A INPUT -i lo -j ACCEPT
>
> without success.
>
> What do I need to do to get X forwarding to work?

Add

iptables -A OUTPUT -o lo -j ACCEPT

Note that this ruleset allows much more than just SSH and X forwarding
between the two machines.
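A tighter version of the ruleset discussed in this thread, as an added example that is not from either poster: it opens loopback in both directions (what X forwarding over ssh -X needs, since the forwarded display is localhost:10.0), accepts only new SSH connections from the admin client, and relies on connection tracking for replies. The client address 192.0.2.10 is a constructed documentation address, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not the poster's script. CLIENT is a constructed address
# from the documentation range suggested in the reply; change it to the
# real admin client. DRY_RUN=1 (the default) prints instead of executing,
# so it can be reviewed before running it as root.
CLIENT="${CLIENT:-192.0.2.10}"
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_ruleset() {
    # Start from an empty filter table.
    ipt -F
    # Loopback both ways: ssh -X listens on localhost:6010 and the X client
    # connects back to it, so OUTPUT on lo must be open as well as INPUT.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # Packets belonging to connections already accepted, in either direction.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only new SSH connections from the admin client; nothing else comes in.
    ipt -A INPUT -p tcp -s "$CLIENT" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # Default deny, set after the accept rules so the live SSH session
    # (already ESTABLISHED) survives. The server cannot initiate anything
    # outward either, which is what "cut off all communications" asks for.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
}

# Sanity check helper: number of generated rules that match on the client.
count_client_rules() {
    apply_ruleset | grep -c -- "-s $CLIENT"
}

apply_ruleset
```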