6.10. Gamers: The LooseUDP patch

The LooseUDP patch allows semi-NAT-friendly games that usually use UDP connections to both WORK behind a Linux IP Masquerade server.

What the LooseUDP patch does is allow ALL UDP packets to be NATed through the MASQ box without any checks or expiration. This liberal forwarding method is considered insecure by many and is disabled in modern 2.2.x kernels. The 2.4.x kernels with it's IPTABLES stateful UDP inspection only allows incoming UDP packets into the machine (and thus MASQ) if there was already an outbound UDP packet to that same host in it's stateful table. If the MASQ host hasn't sent a UDP packet to the remote host within ~30 seconds, the return UDP table entry is deleted. Because of this, IPTABLES removes most of the need for the LooseUDP patch as it does it in a more secure fashion.

Currently, LooseUDP is available as a patch for 2.0.36+ kernels and it is already built into 2.2.3+ kernels though it is now DISABLED by DEFAULT in 2.2.16+ (please see the example rc.firewal ruleset comments for details).

To get LooseUDP running on a 2.0.x kernel, follow the following steps:

  • Have the newest 2.0.x kernel sources uncompressed in the /usr/src/linux directory

  • ABSOLUTELY REQUIRED for v2.0.x: Download and install the IPPORTFW patch from Section 3.2.3and as described in Section 6.7of the HOWTO.

  • Download the LooseUDP patch from Section 3.2.3

    Now, put the LooseUDP patch in the /usr/src/linux directory. Once this is done, type in:

    For a compressed patch file:  zcat loose-udp-2.0.36.patch.gz | patch -p1

    For a NON-compressed patch file:  cat loose-udp-2.0.36.patch | patch -p1

    Now, depending on the version of your "patch", You will then see the following text:

    patching file `CREDITS'
    patching file `Documentation/Configure.help'
    patching file `include/net/ip_masq.h'
    patching file `net/ipv4/Config.in'
    patching file `net/ipv4/ip_masq.c'

  • If you see the text "Hunk FAILED" only ONCE and ONLY ONCE at the very beginning of the patching, don't be alarmed. You probably have an old patch file (this has been fixed) but it still works. If it fails completely, make sure you have applied the IPPORTFW kernel patch FIRST.

    Once the patch is installed, re-configure the kernel as shown in Section 3.2.3 and be sure to say "Y" to the "IP: loose UDP port managing (EXPERIMENTAL) (CONFIG_IP_MASQ_LOOSE_UDP) [Y/n/?]" option.

To get LooseUDP running on a 2.2.x kernel, follow the following steps:

  • In the /etc/rc.d/rc.firewall-* script, goto the BOTTOM of the file and find the LooseUDP section. Change the "0" in the line: echo "0" > /proc/sys/net/ipv4/ip_masq_udp_dloose to a "1" and re-run the rc.firewall-* ruleset. An example of this is given in both Section 3.4.2 example and Section 6.4.3 example.

NOTE: The LooseUDP code is /not/ available (?required?) for the 2.4.x kernels

  • See the begining of this section for all the details. Basically, the old 2.0.x / 2.2.x LooseUDP code was considered a security issue. Because of this, it was removed from the kernel. Fortunately, some games that used to require the LooseUDP code on the 2.2.x IPCHAINS system might work just final under the 2.4.x IPTABLES kernels. If the games don't work, I'm not aware of a solution for you. Sorry.

Once you are running the new LooseUDP enabled kernel, you should be good to go for most NAT-friendly games. Some URLs have been given for patches to make games like BattleZone and others NAT friendly. Please see Section 6.3.1 for more details.

Copyright © 2010-2024 Platon Technologies, s.r.o.           Home | Man pages | tLDP | Documents | Utilities | About
Design by styleshout