X11 forwarding and iptables

It would be more secure to use a secure tunnel, ssh in using -L or use stunnel then run vncserver and on your client connect to tunnel port on localhost with a VNC client.

Actually, re-reading your post I don't see why -X would fail as long as you can ssh in then it should work though it's not as efficient as using VNC over a secure tunnel.

I hope you're not firewalling traffic on lo/127.0.0.1?

Bob, you can use the LOG rule to help you trouble shoot. For example:

iptables -A INPUT -j LOG –log-prefix "INPUT_DROP "

This will append the LOG rule to the end of the INPUT rules and will log each packet. So in your case I believe you have your police set to DROP, you see what will get DROP. Be aware unless you set some iptable limits your logs might fill up quickly depending upon the amount of traffic you have.

You might also take look for an iptables flow chart, that might help you figure out the flow of traffic as it transverses the iptables rules.

--

Travis

On an unrelated note, X11 forwarding is a bad idea because XDMCP falls apart with internet latencies. A suggested alternative is to use NX, which speeds up internet X11 access by orders of magnitude through the use of a proxy that optimizes access. Essentially, it compresses the session, but more importantly, it does extensive caching. This eliminates the vast majority of round-trip delays, greatly improving performance.