6.10. Gamers: The LooseUDP patch
The LooseUDP patch allows semi-NAT-friendly games that usually use UDP
connections to both WORK behind a Linux IP Masquerade server.
What the LooseUDP patch does is allow ALL UDP packets to be NATed
through the MASQ box without any checks or expiration. This liberal
forwarding method is considered insecure by many and is disabled in modern
2.2.x kernels. The 2.4.x kernels with it's IPTABLES stateful UDP inspection
only allows incoming UDP packets into the machine (and thus MASQ) if there was
already an outbound UDP packet to that same host in it's stateful table. If
the MASQ host hasn't sent a UDP packet to the remote host within ~30 seconds,
the return UDP table entry is deleted. Because of this, IPTABLES removes most
of the need for the LooseUDP patch as it does it in a more secure fashion.
Currently, LooseUDP is available as a patch for 2.0.36+ kernels and it is
already built into 2.2.3+ kernels though it is now DISABLED by DEFAULT in
2.2.16+ (please see the example rc.firewal ruleset comments for details).
To get LooseUDP running on a 2.0.x kernel, follow the following steps:
Have the newest 2.0.x kernel sources uncompressed in the /usr/src/linux directory
ABSOLUTELY REQUIRED for v2.0.x: Download and install the IPPORTFW patch from
Section 3.2.3and as described in
Section 6.7of the HOWTO.
Download the LooseUDP patch from Section 3.2.3
Now, put the LooseUDP patch in the /usr/src/linux directory. Once this is
done, type in:
For a compressed patch file: zcat loose-udp-2.0.36.patch.gz | patch -p1 |
For a NON-compressed patch file: cat loose-udp-2.0.36.patch | patch -p1 |
Now, depending on the version of your "patch", You will then see the following text:
patching file `CREDITS'
patching file `Documentation/Configure.help'
patching file `include/net/ip_masq.h'
patching file `net/ipv4/Config.in'
patching file `net/ipv4/ip_masq.c' |
If you see the text "Hunk FAILED" only ONCE and ONLY ONCE at the very
beginning of the patching, don't be alarmed. You probably have an old patch
file (this has been fixed) but it still works. If it fails completely, make
sure you have applied the IPPORTFW kernel patch FIRST.
Once the patch is installed, re-configure the kernel as shown in
Section 3.2.3 and be sure to say "Y" to the
"IP: loose UDP port managing (EXPERIMENTAL) (CONFIG_IP_MASQ_LOOSE_UDP) [Y/n/?]"
option.
To get LooseUDP running on a 2.2.x kernel, follow the following steps:
In the /etc/rc.d/rc.firewall-* script, goto the BOTTOM of the file and find the
LooseUDP section. Change the "0" in the line:
echo "0" > /proc/sys/net/ipv4/ip_masq_udp_dloose
to a "1" and re-run the rc.firewall-* ruleset. An example of this is given in
both Section 3.4.2 example and
Section 6.4.3 example.
NOTE: The LooseUDP code is /not/ available (?required?) for the 2.4.x kernels
See the begining of this section for all the details.
Basically, the old 2.0.x / 2.2.x LooseUDP code was considered a security
issue. Because of this, it was removed from the kernel. Fortunately, some
games that used to require the LooseUDP code on the 2.2.x IPCHAINS system
might work just final under the 2.4.x IPTABLES kernels. If the games don't
work, I'm not aware of a solution for you. Sorry.
Once you are running the new LooseUDP enabled kernel, you should be good to go
for most NAT-friendly games. Some URLs have been given for patches to make
games like BattleZone and others NAT friendly. Please see
Section 6.3.1 for more details.