LinuxQuestions.org
Old 02-22-2011, 01:38 AM   #1
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,027

Rep: Reputation: 69
X11 forwarding behind a NAT environment...


I'm wondering if this is possible.

Say I have Computer A behind a router with NAT. I'm unable to add any port forwarding rules to that router.

Then I have Computer B with a public IP address that I want to forward X windows from. This computer is headless, but does have a video card so X windows can be used.

Here are some of the things I'd perform to set up my scenario.

1. Computer B, I'd run xhost + public_ip of NAT router.
2. Make sure that computer B's sshd service has X11 forwarding enabled.
3. SSH from Computer A to Computer B with the X windows forward option.
4. Once in Computer B, set the DISPLAY env variable to the public_ip of NAT router.
5. On Computer B run xclock.

At this point I'd expect to see an instance of xclock originating from Computer B onto my desktop. However this obviously won't work. The problem is that when the request is made to Computer B to forward the instance of xclock to Computer A the forwarded instance of xclock will get stuck at the NAT router. Without a port forwarding rule the NAT router will not know which internal IP to route the instance of xclock.

Here's my question. Is there any way for Computer A to initiate a connection to Computer B and then forward the instance of xclock? That way if it uses that same connection the NAT router will know which internal IP to route it to because it would be an active connection in the router's routing table.

Or is there an alternative? Of course I can vnc into another computer outside the NAT network and then forward an X window to it just fine. But in the spirit of expanding my knowledge on X windows I'd like to see what is possible.
 
Old 02-22-2011, 02:25 AM   #2
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,396
Blog Entries: 2

Rep: Reputation: 908
Your description of the problem sounds confusing, and I sense that you are over-thinking the situation. Where is the X server to run (A or B), and where is the X client (A or B)? X traffic can be tunneled directly through an SSH connection. The tunnel is normally constructed by the SSH client.
--- rod.

Last edited by theNbomr; 02-22-2011 at 11:13 AM.
 
Old 02-22-2011, 07:10 AM   #3
allend
Senior Member
 
Registered: Oct 2003
Location: Melbourne
Distribution: Slackware-current
Posts: 4,430

Rep: Reputation: 1349
Quote:
Is there any way for Computer A to initiate a connection to Computer B and then forward the instance of xclock?
Yes.

You are on the right track.
1. Make sure that Computer B's sshd service has X11 forwarding enabled.
Comment - I prefer to have in sshd_config
Code:
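# Enable X11 forwarding only for this user
Match User <username>
        X11Forwarding yes
# "Match all" ends the per-user block (sshd requires a criterion after Match)
Match all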
2. SSH from Computer A to Computer B.
Comment - The X windows forward option should not be necessary.
3. Once in Computer B run xclock.
4. At this point you should see an instance of xclock originating from Computer B on Computer A if X is running on Computer A.
 
Old 02-22-2011, 09:04 AM   #4
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,027

Original Poster
Rep: Reputation: 69
Computer B is running the xserver. Computer A is running the xclient.

So by enabling X11 forwarding in sshd I do not have to do ssh -Y host? And by using ssh -Y host instead of ssh -X host I do not have to worry about adding Computer A to the access control list of Computer B by running xhost + public_ip of NAT router? I also like that Match option in the sshd, thanks. When I log into Computer B the DISPLAY environmental variable is set to localhost:12. Don't I have to edit the DISPLAY environmental variable to the public_ip of the NAT router that Computer A is behind?

Last edited by trist007; 02-22-2011 at 09:09 AM.
 
Old 02-22-2011, 11:11 AM   #5
theNbomr
LQ 5k Club
 
Registered: Aug 2005
Distribution: OpenSuse, Fedora, Redhat, Debian
Posts: 5,396
Blog Entries: 2

Rep: Reputation: 908
See, I told you that you were over-thinking this. Let me explain a bit about the underlying mechanism to help you understand.

When the ssh client makes a connection to the host where you want to run the X client, it creates a tunnel for X traffic. It does so by telling the ssh server to set $DISPLAY to localhost:xx, and to then set up a process to listen on that IP port. When X client applications run, they obey the setting of $DISPLAY, and try to connect to the server identified by $DISPLAY. Since the ssh server is listening to that IP + port, it receives all of the requests, and sends the traffic back through the ssh connection, where the $DISPLAY variable at the ssh client host is used to find the X server. The ssh client is able to make a connection to the X server, and simply shuttles everything between the X server and the X client. This all happens invisibly (except for the need to use the -X switch, or set it automatically in .ssh/config, as allend has already pointed out). Since both the X client and X server see all traffic as originating at their localhost, most security implications are sidestepped.

In practice, you should need to simply run
Code:
ssh -X the.xclient.host
Then, from the ssh connection, any X client application will see its X server as localhost:xx. Nothing more than that. Simple. Done all the time.

--- rod.

Last edited by theNbomr; 02-22-2011 at 11:14 AM.
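
The DISPLAY values discussed in the posts above, as an added example that is not part of any poster's reply: a small POSIX shell check that tells the loopback listener set up by SSH forwarding (such as localhost:12) apart from a DISPLAY pointed at a routable address. The function names and the address 203.0.113.7 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify an X11 DISPLAY value.
# 203.0.113.7 is a constructed documentation address standing in for a public IP.

# Print the TCP port for a display: display number N maps to port 6000+N.
x11_port() {
    num=${1##*:}          # text after the last ':'   e.g. "12.0"
    num=${num%%.*}        # drop the optional screen  e.g. "12"
    case $num in
        ''|*[!0-9]*) return 1 ;;   # not a display number
    esac
    echo $((6000 + num))
}

# Print where X clients started with this DISPLAY will connect.
classify_display() {
    case $1 in
        *:*) host=${1%:*} ;;       # text before the last ':'
        *)   echo invalid; return 1 ;;
    esac
    port=$(x11_port "$1") || { echo invalid; return 1; }
    case $host in
        # No host part: the local X server's Unix socket, no network involved.
        ''|unix) echo local-socket ;;
        # Loopback listener: what sshd creates for a forwarded session; traffic
        # rides the existing SSH connection, so NAT in front of A is irrelevant.
        localhost|127.0.0.1|::1) echo "loopback-tcp:$port" ;;
        # Any other host: a direct, unencrypted X11 connection to that address,
        # which needs an xhost/xauth grant and an open inbound port at the far end.
        *) echo "remote-tcp:$port" ;;
    esac
}

# Classify the values that come up in the thread, plus the local case.
report() {
    for d in "localhost:12" ":0" "203.0.113.7:0"; do
        printf '%-16s %s\n' "$d" "$(classify_display "$d")"
    done
}
report
```

Running `classify_display "$DISPLAY"` inside the SSH session on the remote host shows whether forwarding is in effect before any X client is started.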
 
Old 02-22-2011, 02:48 PM   #6
trist007
Senior Member
 
Registered: May 2008
Distribution: Slackware
Posts: 1,027

Original Poster
Rep: Reputation: 69
Fantastic, thank you for clearing that up.
 
  


All times are GMT -5. The time now is 12:48 AM.
