Bug 102556 - iptables breaks gnome
Product: Red Hat Linux
Classification: Retired
Component: gnome-session
athlon Linux
Priority: medium
Severity: medium
Assigned To: Mark McLoughlin
Reported: 2003-08-17 16:49 EDT by Derek
Modified: 2007-04-18 12:56 EDT

Doc Type: Bug Fix
Last Closed: 2003-10-15 18:34:06 EDT

Attachments: None
Description Derek 2003-08-17 16:49:17 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
Iptables breaks gnome.

I set up iptables on my workstation to only accept new connections on port 22,
because the only remote connection I want to set up on my box is ssh. Then, when
I try to start X11 with Gnome it gives me this message. It just hung showing
the starting redhat box. However KDE worked fine.


XFree86 Version 4.3.0 (Red Hat Linux release: 4.3.0-2)
Release Date: 27 February 2003
X Protocol Version 11, Revision 0, Release 6.6
Build Operating System: Linux 2.4.20-3bigmem i686 [ELF]
Build Date: 27 February 2003
Build Host: porky.devel.redhat.com

        Before reporting problems, check http://www.XFree86.Org/
        to make sure that you have the latest version.
Module Loader present
OS Kernel: Linux version 2.4.20-19.9 (bhcompile@daffy.perf.redhat.com) (gcc
version 3.2.2 20030222 (Red Hat Linux 3.2.2-5)) #1 Tue Jul 15 17:03:30 EDT 2003 P
Markers: (--) probed, (**) from config file, (==) default setting,
         (++) from command line, (!!) notice, (II) informational,
         (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(==) Log file: "/var/log/XFree86.1.log", Time: Sun Aug 17 15:28:30 2003
(==) Using config file: "/etc/X11/XF86Config"

(II) [GLX]: Initializing GLX extension
GetModeLine - scrn: 0 clock: 108000
GetModeLine - hdsp: 1280 hbeg: 1328 hend: 1440 httl: 1688
              vdsp: 1024 vbeg: 1025 vend: 1028 vttl: 1066 flags: 5
X connection to :1.0 broken (explicit kill or server shutdown).
xinit:  connection to X server lost.

I tried to find where SESSION_MANAGER was set and my find command returned
nothing. I tried typing the following before starting X,

And I got the same error.

Here is the output from my iptables -L:


Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere           state INVALID
DROP       udp  --  anywhere             anywhere           state INVALID
DROP       icmp --  anywhere             anywhere           state INVALID
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere           state NEW
DROP       tcp  --  anywhere             anywhere           state NEW
DROP       udp  --  anywhere             anywhere           state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp spt:ssh
DROP       tcp  --  anywhere             anywhere           tcp spts:tcpmux:1024

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set iptables rules as described above.
2. Log out of X11.
3. Select Gnome Session in GDM.
4. Login and gnome will hang.

Actual Results:  Gnome hangs until killed.

Expected Results:  Gnome should start normally.

Additional info:

No problem with these iptables settings and KDE.
Comment 1 Havoc Pennington 2003-10-15 18:34:06 EDT
We believe the issue is that you are not allowing lo through.
Something like -i lo -j ACCEPT I guess

Try redhat-config-securitylevel for a base sane configuration and modify from
there perhaps.

You may want to post your /etc/sysconfig/iptables to fedora-list/redhat-list or 
ask your support rep about it.
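
To make the diagnosis in Comment 1 concrete, here is an added example (not part of this bug report or of any Red Hat tool) that evaluates a constructed loopback packet against the reporter's INPUT chain with iptables' first-match semantics, once as listed and once with "-i lo -j ACCEPT" inserted at the top. The rule syntax it parses, the packet fields and the port number 6010 are assumptions for illustration; the OUTPUT chain is not modelled.

```python
import shlex

def parse_rule(line):
    """'-A INPUT -i lo -j ACCEPT' -> {'-i': 'lo', '-j': 'ACCEPT'}"""
    toks, rule, i = shlex.split(line), {}, 0
    while i < len(toks):
        if toks[i] in ("-A", "-m"):           # chain / match-module name: skip
            i += 2
        elif toks[i] in ("-i", "-p", "--dport", "--state", "-j"):
            rule[toks[i]] = toks[i + 1]
            i += 2
        else:
            raise ValueError("unsupported token: " + toks[i])
    return rule

def matches(rule, pkt):
    """Every match option present in the rule must agree with the packet."""
    return (rule.get("-i", pkt["iface"]) == pkt["iface"]
            and rule.get("-p", pkt["proto"]) == pkt["proto"]
            and int(rule.get("--dport", pkt["dport"])) == pkt["dport"]
            and pkt["state"] in rule.get("--state", pkt["state"]).split(","))

def verdict(rules, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; first match wins, else the chain policy."""
    for line in rules:
        rule = parse_rule(line)
        if matches(rule, pkt):
            return rule["-j"]
    return policy

# The reporter's INPUT chain, reconstructed from the 'iptables -L' listing above.
REPORTED_INPUT = [
    "-A INPUT -p tcp -m state --state INVALID -j DROP",
    "-A INPUT -p udp -m state --state INVALID -j DROP",
    "-A INPUT -p icmp -m state --state INVALID -j DROP",
    "-A INPUT -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -p tcp -m state --state NEW -j DROP",
    "-A INPUT -p udp -m state --state NEW -j DROP",
]
# The same chain with the loopback exemption from Comment 1 placed first.
FIXED_INPUT = ["-A INPUT -i lo -j ACCEPT"] + REPORTED_INPUT

# Constructed packets; 6010 is a placeholder for whatever port a local session
# service listens on (the number itself does not matter to the outcome).
LOCAL_NEW_TCP = {"iface": "lo", "proto": "tcp", "dport": 6010, "state": "NEW"}
REMOTE_SSH = {"iface": "eth0", "proto": "tcp", "dport": 22, "state": "NEW"}

if __name__ == "__main__":
    print("local TCP, reported rules:", verdict(REPORTED_INPUT, LOCAL_NEW_TCP))  # DROP
    print("local TCP, with lo accept:", verdict(FIXED_INPUT, LOCAL_NEW_TCP))     # ACCEPT
```

Any local service that talks to itself over TCP on 127.0.0.1 is hit the same way, which is why the loopback exemption normally goes at the very top of the chain.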
