Routing X through a firewall - X


  1. Routing X through a firewall

    Folks,

    what do I need to route the X-protocol through a firewall? I set up a Linux
    box which I use to separate the home network from the company's. Only some
    selected IPs are allowed to pass. Telnet, ssh, ftp, http work but when I try
    to redirect X-output to my local machine the server says it can't connect.

    So, what do I have to tweak on the router to let X pass through?


    CU!

    Michael



  2. Re: Routing X through a firewall

    Michael Scholz wrote:
    > Folks,
    >
    > what do I need to route the X-protocol through a firewall? I set up a Linux
    > box which I use to separate the home network from the company's. Only some
    > selected IPs are allowed to pass. Telnet, ssh, ftp, http work but when I try
    > to redirect X-output to my local machine the server says it can't connect.
    >
    > So, what do I have to tweak on the router to let X pass through?


    1. The server (sshd) should have the X11Forward option turned on
    2. The client machine should have the ForwardX11 option turned on

    If this is done, the X will be forwarded, as long as there hasn't been a su
    done on the remote machine; this would require that you allow connection from
    the remote machine with xhost (unsecure way would be: xhost +) and then when
    starting the application in question, give
    DISPLAY=your_ip:0.0

    If step 1 and 2 aren't done, then try with the -X option when using your ssh
    client: ssh -X -l username company.ip



    //Aho
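
The two approaches in the reply above put X traffic on different network paths, which is what matters at the firewall. As an added example (not part of the original post), the hypothetical function `x_display_route` classifies a DISPLAY value by the path it implies; it assumes sshd's default X11DisplayOffset of 10 to recognise a forwarded display, and the sample values in the loop are constructed.

```shell
#!/bin/sh
# Added example: classify an X11 DISPLAY value by the network path it implies.
# x_display_route is a hypothetical helper, not part of ssh or X.
#
# Prints one of:
#   local-socket           ":0" or "unix:0", no TCP involved
#   ssh-tunnel:<port>      loopback proxy display as created by sshd forwarding
#   raw-tcp:<host>:<port>  plain X11 to <host>; every hop must pass this port
#   invalid                not a parsable DISPLAY value
x_display_route() {
    disp=$1
    case $disp in
        *:*) ;;
        *) echo invalid; return 1 ;;
    esac
    host=${disp%:*}      # text before the last colon
    num=${disp##*:}      # display[.screen]
    num=${num%%.*}       # drop the screen number
    case $num in
        ''|*[!0-9]*|0[0-9]*) echo invalid; return 1 ;;
    esac
    port=$((6000 + num)) # X display N uses TCP port 6000+N
    case $host in
        ''|unix)
            echo local-socket ;;
        localhost|127.0.0.1)
            # Assumption: sshd hands out proxy displays from 10 upwards
            # (X11DisplayOffset default), so lower numbers are a real server.
            if [ "$num" -ge 10 ]; then
                echo "ssh-tunnel:$port"
            else
                echo "raw-tcp:$host:$port"
            fi ;;
        *)
            echo "raw-tcp:$host:$port" ;;
    esac
}

# Constructed sample values: the xhost-style setting from the reply, a display
# as set by "ssh -X", and a purely local display.
for d in 192.168.0.1:0.0 localhost:10.0 :0; do
    printf '%-18s -> %s\n' "$d" "$(x_display_route "$d")"
done
```

A `raw-tcp` result means the remote machine opens an unencrypted connection back to the X server, so the gateway has to route or NAT that port inbound; an `ssh-tunnel` result rides inside the existing SSH connection and needs no extra firewall rule.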

  3. Re: Routing X through a firewall

    Doesn't work. BTW, my local machine is called 192.168.0.1 - I think I've
    read that those IPs (class C) aren't routed and packets are gonna be
    dropped. Could that be the issue or have I probably made a mistake
    elsewhere?


    CU!

    Michael

    ============================================

    "J.O. Aho" wrote in message
    news:2r3bqsF151l93U1@uni-berlin.de...
    > Michael Scholz wrote:
    > > Folks,
    > >
    > > what do I need to route the X-protocol through a firewall? I set up a
    > > Linux box which I use to separate the home network from the company's.
    > > Only some selected IPs are allowed to pass. Telnet, ssh, ftp, http work
    > > but when I try to redirect X-output to my local machine the server says
    > > it can't connect.
    > >
    > > So, what do I have to tweak on the router to let X pass through?
    >
    > 1. The server (sshd) should have the X11Forward option turned on
    > 2. The client machine should have the ForwardX11 option turned on
    >
    > If this is done, the X will be forwarded, as long as there hasn't been a
    > su done on the remote machine; this would require that you allow
    > connection from the remote machine with xhost (unsecure way would be:
    > xhost +) and then when starting the application in question, give
    > DISPLAY=your_ip:0.0
    >
    > If step 1 and 2 aren't done, then try with the -X option when using your
    > ssh client: ssh -X -l username company.ip
    >
    > //Aho




  4. Re: Routing X through a firewall

    On Sat, 18 Sep 2004 20:07:58 +0200, J.O. Aho wrote:
    > Michael Scholz wrote:
    >> Folks,
    >>
    >> what do I need to route the X-protocol through a firewall? I set up a Linux
    >> box which I use to separate the home network from the company's. Only some
    >> selected IPs are allowed to pass. Telnet, ssh, ftp, http work but when I try
    >> to redirect X-output to my local machine the server says it can't connect.
    >>
    >> So, what do I have to tweak on the router to let X pass through?
    >
    > 1. The server (sshd) should have the X11Forward option turned on
    > 2. The client machine should have the ForwardX11 option turned on
    >
    > If this is done, the X will be forwarded, as long as there hasn't been a su
    > done on the remote machine; this would require that you allow connection from
    > the remote machine with xhost (unsecure way would be: xhost +) and then when
    > starting the application in question, give
    > DISPLAY=your_ip:0.0
    >
    > If step 1 and 2 aren't done, then try with the -X option when using your ssh
    > client: ssh -X -l username company.ip


    FWIW, I think your step 1. HAS to be done, else even "ssh -X" won't work.
    Well, you might be able to fake around with DISPLAY but still the sshd
    won't know to tunnel that X11 traffic back to the client.

    BTW, thanks! I had forgotten to (double) check the X11Forward setting in
    my /etc/ssh/ssh_config file and had been working with the -X option for
    some time. Now that both ends are set up right, the X traffic just works!

    --
    Juhan Leemet
    Logicognosis, Inc.


  5. Re: Routing X through a firewall

    Michael Scholz wrote:
    > Doesn't work. BTW, my local machine is called 192.168.0.1 - I think I've
    > read that those IPs (class C) aren't routed and packets are gonna be
    > dropped. Could that be the issue or have I probably made a mistake
    > elsewhere?


    You are most likely NATing and then you need to give the IP that your ADSL
    modem has got and not your internal network IP as it will be unroutable for
    the remote machine (at least it won't be your machine).


    //Aho

  6. Re: Routing X through a firewall

    Juhan Leemet wrote:

    > FWIW, I think your step 1. HAS to be done, else even "ssh -X" won't work.


    Yes, you may be right about the -X option, I never used it myself, just tried
    to recall what other people have stated...


    //Aho

  7. Re: Routing X through a firewall

    Maybe this helps a little more:

    [Local Box: 192.168.0.1]--[Gateway: 192.168.0.254 /
    172.20.240.209]--[ISDN-Router:172.20.240.214]--[Workstation:172.20....]

    If I set my machine to 172.20.240.209 and >telnet workstation / xterm& it's
    gonna work. So the 'server' can't be the issue. Must be my gateway. Maybe I
    made a mistake setting up the kernel routes or loading modules @ the
    gateway. Anybody?


    CU!

    Michael

    =================================================================

    "J.O. Aho" wrote in message
    news:2r3s9kF158r2mU1@uni-berlin.de...
    > Michael Scholz wrote:
    > > Doesn't work. BTW, my local machine is called 192.168.0.1 - I think I've
    > > read that those IPs (class C) aren't routed and packets are gonna be
    > > dropped. Could that be the issue or have I probably made a mistake
    > > elsewhere?
    >
    > You are most likely NATing and then you need to give the IP that your ADSL
    > modem has got and not your internal network IP as it will be unroutable
    > for the remote machine (at least it won't be your machine).
    >
    > //Aho



