On restrictive firewalls and SSH+X

So I had to set up a firewall for a box at work. The firewall should only allow inbound SSH connections from specific IPs within the LAN, and outbound connections to the LAN. Ok.

Well, easy peasy: I get my nice iptables script courtesy of Dan Robbins, alter the default policy for the OUTPUT chain to DROP, add in the rules to allow traffic towards the LAN, and off we go!

All is well, except… X11 forwarding doesn’t work. I double-check: firewall off = OK, firewall on = KO. Meh.

And so, after a frustrating hour of trial and error and googling, I finally learn that X forwarding needs outbound connections on the loopback interface to be allowed. Obviously.

And by the way: no, it’s not spelled iptables -A OUTPUT -i lo -j ACCEPT. It’s spelled iptables -A OUTPUT -o lo -j ACCEPT. -i stands for --in-interface, not --interface. Duh.
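The rule set the post ends up with, written out as an added example (it is not the post's script nor Dan Robbins' one); the LAN range and the two admin addresses are constructed placeholders, and the script prints the commands so they can be reviewed before being piped to sh as root:

```shell
#!/bin/sh
# Constructed values: adjust to the real LAN and the hosts allowed to SSH in.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
SSH_ADMINS="${SSH_ADMINS:-192.168.1.10 192.168.1.20}"

# Emit the iptables commands instead of running them.
build_rules() {
    echo "iptables -F"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT DROP"
    # Loopback both ways. INPUT matches the ingress interface (-i), OUTPUT the
    # egress interface (-o): this is the rule X11 forwarding needs, because the
    # forwarded display is a listener on localhost that X clients connect to.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    # Replies to accepted connections (SSH sessions would hang without these).
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Inbound SSH only from the listed LAN addresses.
    for ip in $SSH_ADMINS; do
        echo "iptables -A INPUT -p tcp -s $ip --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # New outbound connections only towards the LAN.
    echo "iptables -A OUTPUT -d $LAN_NET -m conntrack --ctstate NEW -j ACCEPT"
}

# Sanity check for a generated rule list: returns 0 only if loopback is
# accepted in both chains with the correct interface flag for each chain.
loopback_ok() {
    printf '%s\n' "$1" | grep -q -- '-A INPUT -i lo -j ACCEPT' || return 1
    printf '%s\n' "$1" | grep -q -- '-A OUTPUT -o lo -j ACCEPT' || return 1
    return 0
}

build_rules
```

Run it once to review the output, then `./rules.sh | sudo sh` to apply.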
