# Connect to X via XDMCP

## petrjanda

The server is located in a nat'd network. And I am trying to connect to it from the internet. eth0 is the external interface, eth1 is the internal interface.

My shorewall rule is this:

```
DNAT            net     loc:192.168.1.70      tcp      6000:6020
DNAT            net     loc:192.168.1.70      udp      177
```

But it doesn't work.

Any ideas?

It works from the local network, but not from the internet.

----------

## adaptr

That doesn't tell me much about the rules - I don't know shorewall.

What does

```
iptables -t nat -L
```

say ?

----------

## grant.mcdorman

You also need to be sure that the target machine has the appropriate ports open. By default, XDMCP is off for most display managers; post which one you're using (xdm, kdm, gdm) and we can tell you how to enable XDMCP.

I'd suggest getting XDMCP working internally first, and then try to get it working through the firewall.

Further, where is the display? Using XDMCP implies that the display is outside your local network, but your firewall rules are allowing the whole web to try to connect to the X display on the internal machine. From your description, that is not what you want to do.

For XDMCP with a remote display, you need the inbound UDP port 177; port 60xx is outbound.

Overall, though, this is not very secure; the X display traffic is poorly secured and has had significant vulnerabilities. A more secure solution is to use ssh with X forwarding.

----------

## petrjanda

 *adaptr wrote:*   

> That doesn't tell me much about the rules - I don't know shorewall.
> 
> What does
> 
> ```
> ...

 

```
root@a216server: pts/0: 2 files 1009Kb -> iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
chs_dnat   all  --  anywhere             anywhere

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
eth0_masq  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain chs_dnat (1 references)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpts:6000:6020 to:192.168.1.70
DNAT       udp  --  anywhere             anywhere            udp dpt:xdmcp to:192.168.1.70

Chain eth0_masq (1 references)
target     prot opt source               destination
MASQUERADE  all  --  192.168.1.0/30       anywhere
MASQUERADE  all  --  192.168.1.64/26      anywhere
```

Note that the actual network I'm trying to connect from is not "net", but "chs" in shorewall. I changed it in my first post for simplicity.

----------

## petrjanda

 *grant.mcdorman wrote:*   

> You also need to be sure that the target machine has the appropriate ports open. By default, XDMCP is off for most display managers; post which one you're using (xdm, kdm, gdm) and we can tell you how to enable XDMCP.
> 
> I'd suggest getting XDMCP working internally first, and then try to get it working through the firewall.
> 
> 

 

It works internally! But not from outside.

 *Quote:*   

> 
> 
> Further, where is the display? Using XDMCP implies that the display is outside your local network, but your firewall rules are allowing the whole web to try to connect to the X display on the internal machine. From your description, that is not what you want to do.
> 
> 

 

Sorry, i made it confusing, the whole "net" is just another network that has internet connection.

 *Quote:*   

> 
> 
> For XDMCP with a remote display, you need the inbound UDP port 177; port 60xx is outbound.
> 
> 

 

Ok, so if I run Cygwin/X it transmits on UDP 177, and receives on UDP 60xx? Or tcp? or the other way around?

 *Quote:*   

> 
> 
> Overall, though, this is not very secure; the X display traffic is poorly secured and has had significant vulnerabilities. A more secure solution is to use ssh with X forwarding.

 

I just want to get this working without making it more difficult.

----------

## grant.mcdorman

The XDMCP port is on the machine you're logging in to; that's UDP port 177. The X display port (60xx) is on the machine that is running the X server (i.e. where the display is).

If I understand your description correctly, the XDMCP server (the machine you want to login to) is inside the firewall. Therefore, you need to forward UDP port 177 as you have done. You also need to allow port 60xx outbound (no NAT required); presumably you don't have outbound restrictions?

Having said that, you also need to set the X server to directly query the firewall, i.e.:

```
XWin -query firewall-name ... other options ...
```

 As far as I know, broadcast won't work; I don't think the firewall will do NAT translation for broadcasts. You need to use the firewall name (or IP address) since that's all the X server can see.

You can also do a weak bit of security by changing the XDMCP port to some obscure port in the firewall NAT translation, and use the -port port-num option on the X server command line.

----------

## petrjanda

 *grant.mcdorman wrote:*   

> The XDMCP port is on the machine you're logging in to; that's UDP port 177. The X display port (60xx) is on the machine that is running the X server (i.e. where the display is).
> 
> 

 

So the Solaris machine has the XDMCP port, and Cygwin/X is the X server(the display), right?

 *Quote:*   

> 
> 
> If I understand your description correctly, the XDMCP server (the machine you want to login to) is inside the firewall. Therefore, you need to forward UDP port 177 as you have done. You also need to allow port 60xx outbound (no NAT required); presumably you don't have outbound restrictions?
> 
> 

 

I do have outbound restrictions on the firewall; it rejects all outbound traffic unless specified to allow it. So that means I need to add an outbound rule from the firewall to the external network? Or from the local network to the external? Or both?

----------

## grant.mcdorman

You need both open. Thus, you'll need 6000/TCP outbound (from the Solaris machine to the Windows/Cygwin) and 177/UDP inbound (from the Windows/Cygwin machine to the Solaris machine). (6000 should suffice: that's display 0 - you won't need any more unless you plan on running multiple X servers on the same Windows/Cygwin machine.)

Note that if a network on either side of the firewall is not trusted, then this is not a terribly secure solution (X traffic is too easy to watch).

Also note that Cygwin/X may have problems doing XDMCP to some machines; apparently there are ways of getting around it, although I don't recall what they were offhand. I can try at work tomorrow if I have time, as I have a Windows machine and a Solaris 8 machine sitting next to each other on my desk.

----------

## petrjanda

 *grant.mcdorman wrote:*   

> You need both open. Thus, you'll need 6000/TCP outbound (from the Solaris machine to the Windows/Cygwin) and 177/UDP inbound (from the Windows/Cygwin machine to the Solaris machine).
> 
> 

 

I need to understand this. Correct me if I say it wrong: when I start the session on the Windows/Cygwin machine, it connects to the firewall, then the firewall, because of the NAT rule, sends the port 177 UDP traffic to the Solaris machine. Now the question is, does the Solaris machine reply to the firewall or directly to the Cygwin machine? Doesn't NAT rewrite the IP headers? Wouldn't it mean that I have to open TCP port 6000 between the Solaris machine and the firewall, and between the firewall and the Cygwin machine (2 separate rules), or is 1 rule for port 6000 sufficient, i.e. between the Solaris machine on the local network and the Cygwin machine? Next question, concerning the NAT rule: does it automatically open the port or do I need another ACCEPT rule just for the inbound traffic?

----------

## grant.mcdorman

 *petrjanada wrote:*   

> Correct me if I say it wrong, when I start the session on the Windows/Cygwin machine, it connects to the firewall, then the firewall, because of the NAT rule, sends the port 177 UDP traffic to the Solaris machine. 

 Correct. *petrjanada wrote:*   

> Now the question is, does the solaris machine reply to the firewall or directly to the cygwin machine? Doesn't NAT rewrite the IP headers?

 The Solaris machine replies to the source of the packet, which is an arbitrary UDP port on the Windows/Cygwin machine. NAT does rewrite the IP headers, but there's basically still information there as to the orginal source. Note, by the way, that this can be used in spoofing: it's possible for a packet to lie about its original origin (i.e. machine A sends a packet which causes a reply to machine B).

However, thinking about it it may get tricky allowing the reply packet back out your firewall, since UDP is connectionless. The firewall should, by default, have an iptables rule that looks like this: (output of iptables -L -v -n)

```
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 

```

Shorewall does this automatically, as far as I know.

This should recognize the outbound UDP reply as related to the just-received inbound on port 177, and allow it through. If not, you need to allow outbound UDP with an originating port of 177. That would look like this for Shorewall (/etc/shorewall/rules):

```
ACCEPT loc net udp - 177
```

(warning: not tested).

Once the XDMCP session is established via port 177, xdm (well, dtlogin on Solaris) connects to port 6000 on the Windows/Cygwin machine. Since this is TCP, it's connection-oriented; further, it's not "related" to the XDMCP messages (at least as far as the firewall is concerned). This means you need one firewall rule to allow connections from inside to port 6000 outside:

```
ACCEPT loc net tcp - 6000
```

Note that these rules could be further tightened if one or both of the machines participating are at fixed IP addresses.

One further point: the subnet inside the firewall must be different than the subnet outside. If the IP address of the Windows/Cygwin machine could be interpreted as being inside the firewall, the Solaris machine won't send its packets to the firewall for routing, but just try to find a local machine.
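As an added illustration (not code from this thread or from Shorewall), the toy Python model below pushes the three legs described above through a stateful NAT gateway: the inbound UDP 177 query hits the DNAT rule, the UDP reply rides the conntrack entry back out without a rule of its own, and the TCP 6000 connection from dtlogin is a new flow that needs its own ACCEPT rule. The external addresses, source ports and the rule-tuple layout are constructed; only 192.168.1.70 and the port numbers come from the thread.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src sport dst dport")

FW_EXT = "203.0.113.1"    # firewall eth0 address (constructed)
SOLARIS = "192.168.1.70"  # XDMCP server in zone loc (from the thread)
CYGWIN = "198.51.100.7"   # Cygwin/X display in zone chs (constructed)

def zone(ip):
    return "loc" if ip.startswith("192.168.1.") else "chs"

class Firewall:
    def __init__(self, rules):
        self.rules = rules   # (action, src_zone, dst_zone, proto, dport, dnat_to)
        self.conntrack = []  # (packet as received, packet as forwarded)

    def forward(self, p):
        """Return the packet as delivered, or None if the firewall rejects it."""
        # 1. Reply to a tracked flow (state ESTABLISHED): undo the NAT, no rule needed.
        for orig, natted in self.conntrack:
            if (p.proto, p.src, p.sport, p.dst, p.dport) == \
                    (natted.proto, natted.dst, natted.dport, natted.src, natted.sport):
                return Pkt(p.proto, orig.dst, orig.dport, orig.src, orig.sport)
        # 2. New flow: first matching zone rule wins; anything else is rejected.
        for action, sz, dz, proto, dport, dnat_to in self.rules:
            if (proto, dport, sz) != (p.proto, p.dport, zone(p.src)):
                continue
            if action == "DNAT" and p.dst == FW_EXT:
                q = p._replace(dst=dnat_to)  # rewrite destination to the loc host
            elif action == "ACCEPT" and dz == zone(p.dst):
                q = p
            else:
                continue
            self.conntrack.append((p, q))
            return q
        return None

def xdmcp_session(rules):
    """Push the three legs of one XDMCP login through the firewall."""
    fw = Firewall(rules)
    query = fw.forward(Pkt("udp", CYGWIN, 40000, FW_EXT, 177))            # X server -> fw:177
    reply = query and fw.forward(Pkt("udp", SOLARIS, 177, CYGWIN, 40000))  # dtlogin answers
    xconn = fw.forward(Pkt("tcp", SOLARIS, 33000, CYGWIN, 6000))          # dtlogin -> display :0
    return {"query_reaches_solaris": bool(query) and query.dst == SOLARIS,
            "reply_leaves_as_firewall": bool(reply) and reply.src == FW_EXT,
            "x_connection_allowed": xconn is not None}
```

Running it with only the DNAT rule shows the query and its reply passing while the X connection is rejected, which is exactly the "works internally, not from outside" symptom.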

----------

## petrjanda

 *grant.mcdorman wrote:*   

>  *petrjanada wrote:*   Correct me if I say it wrong, when I start the session on the Windows/Cygwin machine, it connects to the firewall, then the firewall, because of the NAT rule, sends the port 177 UDP traffic to the Solaris machine.  Correct. *petrjanada wrote:*   Now the question is, does the solaris machine reply to the firewall or directly to the cygwin machine? Doesn't NAT rewrite the IP headers? The Solaris machine replies to the source of the packet, which is an arbitrary UDP port on the Windows/Cygwin machine. NAT does rewrite the IP headers, but there's basically still information there as to the orginal source. Note, by the way, that this can be used in spoofing: it's possible for a packet to lie about its original origin (i.e. machine A sends a packet which causes a reply to machine B).
> 
> However, thinking about it it may get tricky allowing the reply packet back out your firewall, since UDP is connectionless. The firewall should, by default, have an iptables rule that looks like this: (output of iptables -L -v -n)
> 
> ```
> ...

 

Thanks a lot, I understand it now. I will give it a shot when my holiday is over..heh, no uni (which is where everything is) for 2 weeks. I already knew that UDP is connectionless and TCP connection-oriented, and that the subnet inside the firewall must be different to the subnet outside the firewall. Heh, the server only has 4 NICs.

----------

## petrjanda

It still doesn't work. My current rules in shorewall are:

```
ACCEPT            loc      chs       tcp   -  6000
ACCEPT            loc      chs       udp    -  177
DNAT              chs     loc:192.168.1.109      udp   177
```

----------

