On Sat, Jan 20, 2018 at 07:58:27PM +0100, Pascal Hambourg wrote:
> On 20/01/2018 at 19:13, Jason wrote:
> >
> > I am trying to setup (what should be) a simple iptables table
>
> I don't think so. In iptables, "tables" are preexisting data structures
> containing chains, and chains contain rules that you create. The set of
> rules in these chains and tables is called, well, a ruleset.

Thanks for the clarification. This is my first experience using iptables
and my knowledge of it is elementary at best.

> > between two machines on a local network, both with static IP addresses.
>
> Nonsense. A ruleset is set up on one machine, not between two machines.

I had thought after I wrote it that the wording probably wasn't correct.

> > The machine I want to set up the iptables on
>
> As I wrote: on one machine.
>
> > is a headless server which I access using ssh. I want to cut off all
> > communications except with the machine I ssh from.
>
> I guess you use X tunnelling with ssh -X or -Y ?

Yes, with -X.

> > What I did works except when I try to run a GUI program on the server
> > to display locally, after a pause I get something like:
> >
> >   Geany: cannot open display
> > or
> >   xterm: Xt error: Can't open display: localhost:10.0
> >
> > both of which work before I run the iptables commands.
> >
> > Here's what I did (000.000.000.000 is substituted for actual IP
> > address of client machine):
>
> You really should not use that kind of address for substitution. 0.0.0.0 has
> a special meaning. You could use addresses in 192.0.2.0/24 which are
> reserved for examples and documentation instead.

Okay, making a note of it.

> > $ sudo iptables -A INPUT -s 000.000.000.000 -j ACCEPT
> > $ sudo iptables -A OUTPUT -d 000.000.000.000 -j ACCEPT
> > $ sudo iptables -P INPUT DROP
> > $ sudo iptables -P OUTPUT DROP
> >
> > I also tried to add
> >
> > $ sudo iptables -A INPUT -i lo -j ACCEPT
> >
> > without success.
> >
> > What do I need to do to get X forwarding to work?
>
> Add
>
> iptables -A OUTPUT -o lo -j ACCEPT

That works, thanks a lot Pascal!

> Note that this ruleset allows much more than just SSH and X forwarding
> between the two machines.

Which is fine in this case.

Thanks again!

--
Jason
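The ruleset the thread converges on, written out as an added example (not code from the thread or from either poster): an iptables-restore file with loopback accepted in both directions, a tighter SSH-only variant since Pascal notes the original allows far more than SSH, and a check that flags the missing OUTPUT loopback rule. The client address 192.0.2.10 is a constructed placeholder from the documentation range Pascal recommends; ssh -X forwards the X display over a TCP connection to localhost, which is why OUTPUT to lo must be accepted as well.

```shell
#!/bin/sh
# Added example, not from the thread. Generates iptables-restore rulesets
# for a headless server that should only talk to one client host.

# Ruleset restricted to one client host, loopback open in both directions.
# Client address (192.0.2.10 when run as below) is a documentation-range
# placeholder, not a real host.
gen_ruleset() {
    client="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -s ${client} -j ACCEPT
-A OUTPUT -d ${client} -j ACCEPT
COMMIT
EOF
}

# Tighter variant: only new SSH connections from the client are accepted,
# plus packets belonging to connections conntrack already knows about.
# The server can no longer open new connections to anything itself.
gen_ssh_only_ruleset() {
    client="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s ${client} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Returns 0 when a ruleset read from stdin accepts loopback in both
# directions, 1 otherwise. The ruleset posted in the thread only had the
# INPUT half and fails this check, which is exactly what broke X forwarding.
loopback_ok() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q -- '-A INPUT -i lo -j ACCEPT' &&
    printf '%s\n' "$rules" | grep -q -- '-A OUTPUT -o lo -j ACCEPT'
}

# Apply with: gen_ssh_only_ruleset 192.0.2.10 | sudo iptables-restore
```

Review the generated text before loading it, since with OUTPUT policy DROP a typo in the client address locks the session out.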