Tunneling X Connection Through Intermediate Linux / BSD Gateway

I've ssh gateway behind my NAT firewall. So all users must first login to my gateway host from the internet and then login to other machines on the LAN. This works great for cli based apps. However, few users would like to run x apps from internal LAN hosts and tunnel X display through intermediate ssh gateway and display back output on their local system. For example, from localsystem user makes connection as follows:

ssh -X user@gateway.example.com
ssh -X user@somelan.example.com

X forwarding fails with an error:

Error: Can't open display:

How do I fix this problem and allow users to use X apps with my intermediate Linux / BSD gateway?

You need to use ProxyCommand in your $HOME/.ssh/config for the external host connecting via the Internet. It specifies the command to use to connect to the server. The command string extends to the end of the line, and is executed with the user's shell. In the command string, %h will be substituted by the host name to connect and %p by the port. The command can be basically anything, and should read from its standard input and write to its standard output. It should eventually connect an sshd server running on some machine, or execute sshd -i somewhere. Host key management will be done using the HostName of the host being connected (defaulting to the name typed by the user). Setting the command to none disables this option entirely.
You need to use this directive in conjunction with nc and its proxy support. For example, the following directive would connect via an HTTP proxy at 192.1.0.222 at port 3128:

ProxyCommand /usr/bin/nc -X connect -x 192.1.0.222:3128 %h %p

Open $HOME/.ssh/config:
$ vi $HOME/.ssh/config
Modify / add configuration as follows:

Host internal
        Hostname somelan.example.com
        HostKeyAlias proxy
        User vivek
        # ProxyCommand ssh gw.nixcraft.in nc %h %p 2> /dev/null
        ProxyCommand ssh gateway.example.com "/usr/bin/nc internal 22"

Save and close the file.
Where,

• Host internal - Restricts the following declarations (up to the next Host keyword) to be only for those hosts that match one of the patterns given after the keyword.
• ProxyCommand - Used nc command to Proxy your SSH session to internal system through gateway.
• User - Specifies the user to log in as. In our example login as vivek.
• HostKeyAlias - Specifies an alias that should be used instead of the real host name when looking up or saving the host key in the host key database files. This line can be commented out.

Now, user can login and run X apps:
$ ssh -X user@gateway.example.com
$ ssh -X user@somelan.example.com
$ xeyes &
See ssh_config man page for further details.