It is true that connections to remote X Window servers should be always made over SSH. SSH supports X windows connections. So my task was allow X over ssh but block unprivileged X windows mangers TCP ports. The first running server (or display) use TCP port 6000. Next server will use 6001 and so on [...]
Iptables has a special module called owner (ipt_owner), which is attempts to match various characteristics of the packet creator, for locally generated packets. It is valid in the OUTPUT and POSTROUTING chains.
I use ADSL at home via ISP modem. As soon as my eth0 comes up I would like to have my firewall script get executed and setup the iptables firewall rules for me.