319 lines
6.6 KiB
HTML
319 lines
6.6 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
|
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Gamers: The LooseUDP patch</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Linux IP Masquerade HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Other IP Masquerade Issues and Software Support "
|
|
HREF="ipmasq-support-portfw-and-stronger-rulesets.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Mirabilis ICQ "
|
|
HREF="icq.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Frequently Asked Questions"
|
|
HREF="faq.html"></HEAD
|
|
><BODY
|
|
CLASS="SECT1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Linux IP Masquerade HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="icq.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 6. Other IP Masquerade Issues and Software Support</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="faq.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="LOOSEUDP"
|
|
></A
|
|
>6.10. Gamers: The LooseUDP patch</H1
|
|
><P
|
|
>The LooseUDP patch allows semi-NAT-friendly games that usually use UDP
|
|
connections to both WORK behind a Linux IP Masquerade server. </P
|
|
><P
|
|
>What the LooseUDP patch does is allow ALL UDP packets to be NATed
|
|
through the MASQ box without any checks or expiration. This liberal
|
|
forwarding method is considered insecure by many and is disabled in modern
|
|
2.2.x kernels. The 2.4.x kernels with it's IPTABLES stateful UDP inspection
|
|
only allows incoming UDP packets into the machine (and thus MASQ) if there was
|
|
already an outbound UDP packet to that same host in it's stateful table. If
|
|
the MASQ host hasn't sent a UDP packet to the remote host within ~30 seconds,
|
|
the return UDP table entry is deleted. Because of this, IPTABLES removes most
|
|
of the need for the LooseUDP patch as it does it in a more secure fashion.</P
|
|
><P
|
|
>Currently, LooseUDP is available as a patch for 2.0.36+ kernels and it is
|
|
already built into 2.2.3+ kernels though it is now DISABLED by DEFAULT in
|
|
2.2.16+ (please see the example rc.firewal ruleset comments for details). </P
|
|
><P
|
|
>To get LooseUDP running on a 2.0.x kernel, follow the following steps:
|
|
|
|
<P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
>Have the newest 2.0.x kernel sources uncompressed in the /usr/src/linux directory</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>ABSOLUTELY REQUIRED for v2.0.x: Download and install the IPPORTFW patch from
|
|
<A
|
|
HREF="ipmasq-compiling3.1.html#IPMASQ-COMPILING3.1.3"
|
|
>Section 3.2.3</A
|
|
>and as described in
|
|
<A
|
|
HREF="forwarders.html"
|
|
>Section 6.7</A
|
|
>of the HOWTO.</P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>Download the LooseUDP patch from <A
|
|
HREF="ipmasq-compiling3.1.html#IPMASQ-COMPILING3.1.3"
|
|
>Section 3.2.3</A
|
|
> </P
|
|
><P
|
|
>Now, put the LooseUDP patch in the /usr/src/linux directory. Once this is
|
|
done, type in:</P
|
|
><P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="90%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>For a compressed patch file: zcat loose-udp-2.0.36.patch.gz | patch -p1</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></P
|
|
><P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="90%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>For a NON-compressed patch file: cat loose-udp-2.0.36.patch | patch -p1</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></P
|
|
><P
|
|
>Now, depending on the version of your "patch", You will then see the following text:</P
|
|
><P
|
|
><TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="90%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
>patching file `CREDITS'
|
|
patching file `Documentation/Configure.help'
|
|
patching file `include/net/ip_masq.h'
|
|
patching file `net/ipv4/Config.in'
|
|
patching file `net/ipv4/ip_masq.c'</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></P
|
|
></LI
|
|
><LI
|
|
><P
|
|
>If you see the text "Hunk FAILED" only ONCE and ONLY ONCE at the very
|
|
beginning of the patching, don't be alarmed. You probably have an old patch
|
|
file (this has been fixed) but it still works. If it fails completely, make
|
|
sure you have applied the IPPORTFW kernel patch FIRST.</P
|
|
><P
|
|
>Once the patch is installed, re-configure the kernel as shown in
|
|
<A
|
|
HREF="ipmasq-compiling3.1.html#IPMASQ-COMPILING3.1.3"
|
|
>Section 3.2.3</A
|
|
> and be sure to say "Y" to the
|
|
"IP: loose UDP port managing (EXPERIMENTAL) (CONFIG_IP_MASQ_LOOSE_UDP) [Y/n/?]"
|
|
option.</P
|
|
></LI
|
|
></UL
|
|
> </P
|
|
><P
|
|
>To get LooseUDP running on a 2.2.x kernel, follow the following steps:
|
|
|
|
<P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
>In the /etc/rc.d/rc.firewall-* script, goto the BOTTOM of the file and find the
|
|
LooseUDP section. Change the "0" in the line:
|
|
<TT
|
|
CLASS="LITERAL"
|
|
>echo "0" > /proc/sys/net/ipv4/ip_masq_udp_dloose</TT
|
|
>
|
|
to a "1" and re-run the rc.firewall-* ruleset. An example of this is given in
|
|
both <A
|
|
HREF="firewall-examples.html#RC.FIREWALL-IPCHAINS"
|
|
>Section 3.4.2</A
|
|
> example and
|
|
<A
|
|
HREF="stronger-firewall-examples.html#RC.FIREWALL-IPFWADM-STRONGER"
|
|
>Section 6.4.3</A
|
|
> example.</P
|
|
></LI
|
|
></UL
|
|
> </P
|
|
><P
|
|
>NOTE: The LooseUDP code is /not/ available (?required?) for the 2.4.x kernels
|
|
<P
|
|
></P
|
|
><UL
|
|
><LI
|
|
><P
|
|
> See the begining of this section for all the details.
|
|
|
|
Basically, the old 2.0.x / 2.2.x LooseUDP code was considered a security
|
|
issue. Because of this, it was removed from the kernel. Fortunately, some
|
|
games that used to require the LooseUDP code on the 2.2.x IPCHAINS system
|
|
might work just final under the 2.4.x IPTABLES kernels. If the games don't
|
|
work, I'm not aware of a solution for you. Sorry.
|
|
</P
|
|
></LI
|
|
></UL
|
|
></P
|
|
><P
|
|
>Once you are running the new LooseUDP enabled kernel, you should be good to go
|
|
for most NAT-friendly games. Some URLs have been given for patches to make
|
|
games like BattleZone and others NAT friendly. Please see
|
|
<A
|
|
HREF="supported-client-software.html#GAME-CLIENTS"
|
|
>Section 6.3.1</A
|
|
> for more details.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="icq.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="faq.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Mirabilis ICQ</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="ipmasq-support-portfw-and-stronger-rulesets.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Frequently Asked Questions</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |