I’m working in an environment with three hosts—H1, H2, and H3—and I have a Docker container (C1) residing on host H1. My goal is to launch a GUI application in the remote container C1 from my local host H3.
C1 is configured with the macvlan network type and possesses an IP address accessible from H1. Essentially, the container can be treated as a distinct physical device on the network, complete with its dedicated MAC address. As with any standard host, a container using the macvlan network type has its own network namespace.
In standard X11 forwarding, when executing an X program in the remote Bash session of the container C1, it should connect to the X server proxy at localhost:6010 (DISPLAY=“localhost:10.0”). The SSH server is expected to proxy it to the SSH client in H3. I managed to achieve this only after altering X11UseLocalhost to “no” in the sshd_config of the container. Consequently, when executing ssh -X from H3, the DISPLAY value becomes :10.0.
However, I came across a response saying that changing X11UseLocalhost to “no” may introduce security concerns, since external traffic can reach the X11 socket. I’m uncertain about the best approach to make GUI applications on C1 open from H3 without compromising security.
Any suggestions on how to address this issue would be greatly appreciated. Thank you!
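
The concern raised above can be checked on the container itself. The following is an added example, not part of the original post: it parses `ss -Hltn` output and reports which X11 proxy displays (TCP port 6000 + display number) are bound to a non-loopback address, which is what sshd does when X11UseLocalhost is “no”. The sample output is constructed, and the port range treated as X11 is an assumption.

```python
import ipaddress

# Constructed sample of `ss -Hltn` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6010 0.0.0.0:*
LISTEN 0 128 [::1]:6010 [::]:*
LISTEN 0 128 0.0.0.0:6011 0.0.0.0:*
LISTEN 0 128 *:6012 *:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""

X11_BASE = 6000                   # X11 over TCP listens on 6000 + display number
X11_PORTS = range(6000, 6100)     # assumption: displays 0-99 are of interest


def is_loopback(host):
    """True only if the bind address is a loopback address."""
    host = host.strip("[]").split("%", 1)[0]   # drop IPv6 brackets and %iface
    if host == "*":                            # ss wildcard: all addresses
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False                           # unparseable: treat as exposed


def x11_listeners(ss_output):
    """Return one record per listening socket in the X11 port range."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")   # Local Address:Port column
        if not port.isdigit() or int(port) not in X11_PORTS:
            continue
        findings.append({"display": int(port) - X11_BASE, "bind": host,
                         "exposed": not is_loopback(host)})
    return findings


def exposed_displays(ss_output):
    """Display numbers whose proxy socket is reachable from other hosts."""
    return sorted({f["display"] for f in x11_listeners(ss_output) if f["exposed"]})


if __name__ == "__main__":
    for f in x11_listeners(SAMPLE_SS):
        state = "EXPOSED" if f["exposed"] else "loopback only"
        print(f"display :{f['display']} bound to {f['bind']} -> {state}")
```

To run it against a live system, pass the text of `ss -Hltn` taken inside the container's network namespace to `exposed_displays()` while an `ssh -X` session is open.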