ssh/X tunneling through remote firewall

Fred Ramsing framsing@unr.edu
Mon Sep 10 15:06:00 GMT 2001


This is really a question about ssh rather than about cygwin-xfree
development, but I'd really appreciate any help.

I recently installed cygwin-xfree for Window$98.  I can successfully
connect from the Win98 PC via ssh to my Linux box, but I cannot run
X-clients under the cygwin-xfree86 X-server when the firewall on the
remote Linux box is running.  I believe this is because I am not
implementing X tunnelling properly through ssh.  The X-clients do run
properly when the remote host firewall is down.  Note that there is no
firewall on the localhost running cygwin-xfree86.  I am doing a variant of
the following from a cygwin-xfree xterm:

$> xhost +                           # on the Win98 box, in the cygwin-xfree xterm
$> ssh login_name@remotehost_ip
enter password
$> export DISPLAY=localhost_ip:0.0   # now on the remote Linux box
$> xterm &                           # or some other X program
and I receive the error: Can't open display: localhost_ip:0.0

Furthermore, I am evaluating copies of StarNet X-Win32 and F-Secure SSH
and with these products I can run X-clients through the remote firewall
without any problems, because F-Secure SSH has an option, which I enabled,
that allows X11 tunneling.

Can anyone tell me how to implement X11 tunneling using the ssh version
distributed with cygwin?


In case anyone is wondering why I'm trying to run X through a firewall -
we are on a DSL network with DHCP and without a firewall separating our
LAN from the ISP.  I am using iptables on the Linux box with the following
modified entries tied to MAC addresses for our Window$98 machines.  In
short, the following ports are open only for the machines with the correct
MAC address:

ssh     22          tcp
samba   137:139     tcp, udp
xdmcp   177         tcp
x11     6000:6063   tcp

# "-m mac --mac-source" (full name of the --mac option) matches the Ethernet
# source address; it is only meaningful for hosts on the same LAN segment
-A INPUT -s subnet/mask -p tcp -m mac --mac-source mac_address -m tcp --dport 137:139 -j ACCEPT
-A INPUT -s subnet/mask -p udp -m mac --mac-source mac_address -m udp --dport 137:139 -j ACCEPT
-A INPUT -s subnet/mask -p tcp -m mac --mac-source mac_address -m tcp --dport 22 -j ACCEPT
-A INPUT -s subnet/mask -p tcp -m mac --mac-source mac_address -m tcp --dport 177 -j ACCEPT
-A INPUT -s subnet/mask -p tcp -m mac --mac-source mac_address -m tcp --dport 6000:6063 -j ACCEPT

So, of course I know that the best thing to do in the long run is to put a
firewall in between our LAN and the DSL modem, but my boss is too cheap to
buy a hardware firewall and I haven't had the time to set up a cheap
diskless firewall or figure out how to best implement NAT.  Hence the need
to run iptables with support for MAC matching instead of IP address
matching.


Fred
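
Editor's note with an added example (not code from the post, and not part of
cygwin or OpenSSH): with OpenSSH the "xhost + / export DISPLAY=ip:0.0" sequence
above is the wrong tool. "ssh -X login_name@remotehost_ip" carries the X11
traffic inside the existing port-22 session: sshd on the remote host listens
on a local display (by default localhost:10.0, i.e. X11DisplayOffset 10 and
X11UseLocalhost yes), sets DISPLAY for the login shell, and relays to the X
server on the client side. Nothing has to reach the remote box on 6000:6063
or 177, and the local X server never needs "xhost +". The one server-side
requirement is "X11Forwarding yes" in the remote host's sshd_config. The
script below checks that setting on a constructed sshd_config fragment,
emits the corrected file, tells a forwarded DISPLAY apart from a direct one,
and flags an X server left open by "xhost +" from constructed xhost output.
All sample inputs and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.  Checks that a
# practitioner would run to confirm X11 forwarding is actually in use.
# Inputs are constructed samples standing in for real files and output.

# Constructed sample of the remote host's /etc/ssh/sshd_config; the "no"
# is an assumption chosen so the fix below has something to change.
SAMPLE_SSHD_CONFIG='# sshd_config on the remote Linux box
Port 22
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost yes'

# Constructed samples of what "xhost" prints with and without "xhost +".
SAMPLE_XHOST_OPEN='access control disabled, clients can connect from any host'
SAMPLE_XHOST_CLOSED='access control enabled, only authorized clients can connect'

# Effective value of an sshd_config keyword: sshd takes the first match,
# keywords are case-insensitive, and lines starting with "#" are comments.
sshd_effective() {              # $1 = config text, $2 = keyword
  printf '%s\n' "$1" |
    grep -i -E "^[[:space:]]*$2[[:space:]]+" |
    head -n 1 |
    awk '{print tolower($2)}'
}

# The server-side setting "ssh -X" depends on.
x11_forwarding_enabled() {      # $1 = config text
  [ "$(sshd_effective "$1" X11Forwarding)" = yes ]
}

# Corrected config on stdout: rewrite the first X11Forwarding line to
# "yes", or append one if the keyword is absent.
enable_x11_forwarding() {       # $1 = config text
  printf '%s\n' "$1" | awk '
    tolower($1) == "x11forwarding" && !done { print "X11Forwarding yes"; done = 1; next }
    { print }
    END { if (!done) print "X11Forwarding yes" }'
}

# Inside a forwarded session sshd sets DISPLAY to localhost:N.0 with
# N >= X11DisplayOffset (default 10).  A value like 192.0.2.5:0.0 means the
# client is trying to reach the X server directly on TCP 6000, outside ssh,
# which is exactly what a firewall on either end will stop.
display_is_forwarded() {        # $1 = DISPLAY value, $2 = X11DisplayOffset (default 10)
  offset=${2:-10}
  host=${1%%:*}
  rest=${1#*:}
  num=${rest%%.*}
  case $num in ''|*[!0-9]*) return 1 ;; esac
  [ "$host" = localhost ] && [ "$num" -ge "$offset" ]
}

# "xhost +" disables access control: any host that can reach TCP 6000
# may open windows, grab keystrokes and read the screen.
xhost_wide_open() {             # $1 = output of "xhost"
  printf '%s\n' "$1" | grep -q '^access control disabled'
}

# Walk through the checks on the constructed samples.
if x11_forwarding_enabled "$SAMPLE_SSHD_CONFIG"; then
  echo "remote sshd: X11Forwarding yes"
else
  echo "remote sshd: X11Forwarding is off; corrected sshd_config:"
  enable_x11_forwarding "$SAMPLE_SSHD_CONFIG"
fi
if xhost_wide_open "$SAMPLE_XHOST_OPEN"; then
  echo "local X server accepts any client: run 'xhost -' and rely on ssh -X instead"
fi
for d in localhost:10.0 192.0.2.5:0.0; do
  if display_is_forwarded "$d"; then
    echo "DISPLAY=$d: forwarded through ssh"
  else
    echo "DISPLAY=$d: direct TCP connection to the X server, not forwarded"
  fi
done
echo "then, from the cygwin-xfree xterm:  ssh -X login_name@remotehost_ip"
```

After restarting sshd on the remote host with the corrected file, "ssh -X"
from the cygwin xterm is enough; the login shell already has DISPLAY set, so
the "export DISPLAY" line and the "xhost +" line both go away. Because the
X11 connection rides inside the ssh session, the 6000:6063 ACCEPT rule on
the Linux box is not needed for this use and can be dropped, which also
removes the unauthenticated X11 listener from what the MAC-matching rules
have to protect.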


