This is the mail archive of the cygwin-xfree@cygwin.com mailing list for the Cygwin XFree86 project.
ssh/X tunneling through remote firewall
- To: <cygwin-xfree at sources dot redhat dot com>
- Subject: ssh/X tunneling through remote firewall
- From: Fred Ramsing <framsing at unr dot edu>
- Date: Mon, 10 Sep 2001 15:06:11 -0700 (PDT)
This is really a question about ssh rather than about cygwin-xfree
development, but I'd really appreciate any help.
I recently installed cygwin-xfree for Window$98. I can successfully
connect from the Win98 PC via ssh to my Linux box, but I cannot run
X-clients under the cygwin-xfree86 X-server when the firewall on the
remote Linux box is running. I believe this is because I am not
implementing X tunnelling properly through ssh. The X-clients do run
properly when the remote host firewall is down. Note that there is no
firewall on the localhost running cygwin-xfree86. I am doing a variant of
the following from a cygwin-xfree xterm:
$> xhost +
$> ssh login_name@remotehost_ip
enter password
$> export DISPLAY=localhost_ip:0.0
$> xterm & # or some other x program
and I receive the error: Can't open display: localhost_ip:0.0
Furthermore, I am evaluating copies of StarNet X-Win32 and F-Secure SSH
and with these products I can run X-clients through the remote firewall
without any problems, because F-Secure SSH has an option, which I enabled,
that allows X11 tunneling.
Can anyone tell me how to implement X11 tunneling using the ssh version
distributed with cygwin?
In case anyone is wondering why I'm trying to run X through a firewall -
we are on a DSL network with DHCP and without a firewall separating our
LAN from the ISP. I am using iptables on the Linux box with the following
modified entries tied to MAC addresses for our Window$98 machines. In
short, the following ports are open only for the machines with the correct
MAC address:
ssh 22
samba 137:139
xdmcp 177
x11 6000:6063
-A INPUT -s subnet/mask -p tcp -m mac --mac-source mac_address -m tcp --dport 137:139 -j ACCEPT
-A INPUT -s subnet/mask -p udp -m mac --mac-source mac_address -m udp --dport 137:139 -j ACCEPT
-A INPUT -s subnet/mask -p tcp -m mac --mac-source mac_address -m tcp --dport 22 -j ACCEPT
-A INPUT -s subnet/mask -p tcp -m mac --mac-source mac_address -m tcp --dport 177 -j ACCEPT
-A INPUT -s subnet/mask -p tcp -m mac --mac-source mac_address -m tcp --dport 6000:6063 -j ACCEPT
So, of course I know that the best thing to do in the long run is to put a
firewall in between our LAN and the DSL modem, but my boss is too cheap to
buy a hardware firewall and I haven't had the time to set up a cheap
diskless firewall or figure out how to best implement NAT. Hence the need
to run iptables with support for MAC matching instead of IP address
matching.
Fred
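The following is an added example and is not part of Fred's post or of the cygwin distribution. It is a POSIX sh script that takes a DISPLAY value apart the way an X client does (host, display number, TCP port 6000+N), classifies whether the X traffic will go over a local socket, inside an ssh session, or as a raw TCP connection, and from that says which port has to be reachable through a firewall. The "localhost:N with N >= 10 means ssh-forwarded" rule is a heuristic that assumes OpenSSH's default X11DisplayOffset of 10; the host names, subnet and MAC address in the demo are made up.

```shell
#!/bin/sh
# Added example, not from the original post. Given a DISPLAY value, work out
# where an X client will actually send its traffic, and therefore whether the
# X11 port range (6000-6063) has to be open at all. Host names, the subnet and
# the MAC address used below are constructed for illustration.

# Host part of DISPLAY ("" means a local Unix socket).
x11_host() {
    printf '%s\n' "${1%%:*}"
}

# Display number: the digits between ':' and the optional '.screen'.
# Returns 1 on a DISPLAY that does not look like host:N[.S].
x11_display_number() {
    xdn=${1#*:}
    xdn=${xdn%%.*}
    case "$xdn" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$xdn"
}

# TCP port an X client connects to for a network DISPLAY: 6000 + display number.
x11_tcp_port() {
    xtp=$(x11_display_number "$1") || return 1
    printf '%s\n' "$((6000 + xtp))"
}

# Classify the transport:
#   unix          - DISPLAY is ":N": a local Unix socket, no network at all
#   ssh-forwarded - "localhost:N" with N >= 10, the shape sshd sets when
#                   X11 forwarding is on (assumes OpenSSH's default
#                   X11DisplayOffset of 10); the client talks to sshd's
#                   loopback listener on 6000+N and the X protocol rides
#                   inside the ssh session
#   direct-tcp    - anything else: a raw TCP connection to 6000+N on the
#                   named host, which needs that port reachable on the X
#                   server host plus an xhost/xauth entry for the client host
x11_path() {
    xph=$(x11_host "$1")
    xpn=$(x11_display_number "$1") || return 1
    if [ -z "$xph" ]; then
        printf 'unix\n'
    elif [ "$xph" = localhost ] && [ "$xpn" -ge 10 ]; then
        printf 'ssh-forwarded\n'
    else
        printf 'direct-tcp\n'
    fi
}

# Which port must be reachable between the two hosts for this DISPLAY:
#   none            - local socket
#   ssh-server:22   - only the ssh port on the machine running the X clients
#   x-server:6000+N - the X11 port on the machine running the X server
x11_firewall_need() {
    case "$(x11_path "$1")" in
        unix)          printf 'none\n' ;;
        ssh-forwarded) printf 'ssh-server:22\n' ;;
        direct-tcp)    printf 'x-server:%s\n' "$(x11_tcp_port "$1")" ;;
        *)             return 1 ;;
    esac
}

# Minimal MAC-pinned INPUT rule for the ssh-forwarded case: only port 22,
# no 6000:6063 hole. $1 = source subnet, $2 = permitted MAC address.
iptables_ssh_only_rule() {
    printf -- '-A INPUT -s %s -p tcp -m mac --mac-source %s -m tcp --dport 22 -j ACCEPT\n' "$1" "$2"
}

# Demo with constructed values.
for d in ':0' 'localhost:10.0' '192.0.2.10:0.0'; do
    printf '%-16s path=%-14s need=%s\n' "$d" "$(x11_path "$d")" "$(x11_firewall_need "$d")"
done
iptables_ssh_only_rule 192.0.2.0/24 00:11:22:33:44:55
```

On the client side the forwarded case is reached with `ssh -X login_name@remotehost_ip` (or `ForwardX11 yes` in `~/.ssh/config`); on the Linux side sshd must have `X11Forwarding yes` in sshd_config and xauth installed. sshd then sets DISPLAY in the login session itself, so no `export DISPLAY=...` is typed by hand, and `xhost +` is not needed because ssh installs an xauth cookie for the forwarded display.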