Playing Games Behind IP Masquerade?
Accipiter asks: "I've configured an internal network to use a Linux box as a gateway using IP Masquerading, and it works beautifully -- except for some off-the-wall things. Recently, I installed Total Annihilation on a Windows box behind the firewall, and I found that it can't connect to other games on the Boneyards server (Total Annihilation's multiplayer setup). How does one configure networked games (specifically TA) on the INSIDE of a network to use servers out on the net?" Most of this is handled in the IP Masquerading HOWTO, in particular section 7.22 and the section appropriately titled Game Clients.
The main problem with Linux IP Masquerading is that, for a few games, you must forward specific ports to a single game machine. This is contrary to programs like Wingate, which implements Internet sharing for Windows for the whole internal network.
Is anyone working on some kind of redirection protocol for Linux that would remove this restriction and allow all masqueraded machines to play games without the need to redirect to a single machine?
You might also want to check out the Masq Apps page, which lists a cornucopia of games and how to get them working with IP Masquerading.
Try Hummingbird SOCKS for transparent access to servers outside a firewall. More info
I tried to read your post, but was shocked to find I don't know how to read. Somehow I only learned to write. Can you and the other slashdotters help me? Thank you.
Heh, the first step is, "Have the newest 2.0.x kernel sources..." Is it a little outdated?
;)
Many games work quite easily nowadays with no modifying of the IP Masq setup. I've played Half-Life, Tribes, Soldier of Fortune and Unreal Tournament just fine. Some things, though, need redirecting (it seems game companies are slowly getting smarter about this). Myth 1 and 2 were this way: a little sniffing and "ipmasqadm autofw -A -c tcp 6321 -r tcp 3453 3453 -u". This tells the firewall that when someone goes out on port TCP/6321 (Myth's user logon), it should remember their internal IP and redirect port 3453 to them. For these, you're just left at one user per firewall. The games expect to connect at only port 3453 or whatever. They need reprogramming.
There is a mailing list talking about this, nat-peer-games. There isn't much traffic nowadays (21 for the year), but it was frequented by Activision folk in the early days. Somewhere around the archives there is detailed information on programming with UDP and how to properly write games that allow multiple people to use them on one NAT/IP Masq box.
There used to be a web site listing several programs and their needed ports for redirecting at http://www.tsmservices.com/masq/, but the web server is down now. It seems many new games (especially FPS) allow multiple people (I know Tribes does, it even allows copies of the same CD to be played on servers), but more frequently the servers do some CD key check. So you'll need to buy multiple copies of games.
I do a lot of work from home for a Microsoft solution-based company. This means Microsoft VPN (PPTP) and pcAnywhere are being used a lot.
I've been thinking of installing a Linux gateway on my home LAN. One of the reasons is that I can move my internet connection to the Linux box. I currently have to use PPPoE to connect to my DSL service provider. Unfortunately the PPPoE clients are buggy. They're so bad that I cannot even use my ISP's software, as it hard-locks my SMP WinNT box when it tries to connect. It makes the other one blue screen occasionally. There are other reasons why I want a gateway too, including security for the machines on my LAN.
I can only contemplate a Linux gateway (running the PPPoE client) if I can still get my job done. Thus my questions are:
I presume that if I can get the VPN working, I won't have to worry about other Microsoft protocols being broken, such as browsing the Network Neighbourhood. Is there a decent Linux VPN client that I could use instead, and set up my routing table appropriately on the Linux box (work uses the public IP addressing scheme 198.*.*.* on their intranet)?
It would seem that what the WinGate proxy does is to simply redirect all UDP traffic to ALL hosts on the network -- at least the local subnet ... the shotgun approach basically. The theory being that the ones that don't care about the data won't be listening, and won't see it.
They normally don't.
Consequently, it may be possible to tell ipchains to MASQ UDP packets to the network broadcast address, meaning that all the machines on the subnet will get them.
As long as you don't do this for any important ports (DNS, et al), you should be OK. Although the security guru in me is still screaming bloody murder.
But anyway...
DNA just wants to be free...
If most of it is handled by the HOWTOs and Masq App, why bother posting the story? ;)
First off, to all you people saying "Read the HOWTO", let's make one thing clear. That was the first thing I did. As a matter of fact, I've read it *several* times over looking for the answer to my question. If it helped, I wouldn't need to ask. (The HOWTO is what got my Masq setup working in the first place. If I didn't read it, I wouldn't be using it.)
Secondly, I have tried the port forwarder as well as the rulesets. None work. From extensive browsing of the Boneyards site, I've found that Total Annihilation's Boneyards must allow ports 47624 and 2300-2400 for both TCP and UDP, as well as 9110 and 9113 for TCP. (P.S.: The instructions on the Masq Apps Page pertaining to Total Annihilation do NOT work with Boneyards. I've tried.)
So after firing e-mail back and forth with Cavedog, and extensive trial and error, I have still not been able to do this. So I ask Slashdot. Then I get a bunch of people telling me to "Read the Manual." Sorry folks, if it was that easy it wouldn't be an issue.
-- Give him Head? Be a Beacon?
(If you can't figure out how to E-Mail me, Don't. :P)
I'm a huge fan of Total Annihilation actually and would love to play it online more often. But I had the same problem--it didn't work through masquerading.
The entire reason the majority of Win32-based games fail is that they depend on DirectPlay. To put it bluntly, DirectPlay is probably the most badly designed protocol I've ever seen.
It has no concept of firewalls, it opens up random port numbers and does double connections between hosts. It's just evil badness.
I've searched and disassembled and tried to figure out how it works so I could write an ip_masq_directplay module for the kernel, but I couldn't find any decent specifications.
If DirectPlay supported something like SOCKS, this wouldn't be an issue.
I eventually gave up on playing directly, but there are other solutions to play the game online:
1. MPlayer is a free service and they use a front end to the game. You can play matches with TA on MPlayer. They overload the protocol that TA uses and work fine through Masquerading.
2. Kali works perfectly with Masquerading. For TA, Kali emulates itself as an IPX driver that DirectPlay runs over (I believe). Kali works with just about everything. It was also nice to see Kali fire up and immediately tell me I was using NAT and figure out its translated address automatically.
I gave up trying to play TA on Boneyards. I emailed one of the guys at Cavedog (Rick Lambright) and talked specifically about NAT issues. We talked about TA and its dependency on DirectPlay and that it's pretty much screwed in getting it fixed. Kingdoms suffered the same fate.
Cavedog has been disbanded (or extremely downsized) so I'm not sure what the status would be now, if anything can be done.
The best solution is to convince someone at the assimilation headquarters at Microsoft to add NAT support (or something like SOCKS) to DirectPlay. If that was added, it could retroactively make ALL DirectPlay games work.
/// Zoid.
MSDN has all you need to know about DirectPlay and firewalls here. Even when using all of these "features" you still can't host more than one game behind a NAT without doing port forwarding and having the players pick their own non-conflicting ports.
The actual fix is to get off your duff and write a helper module for your game.
The one-machine limitation for many games is there because the game essentially runs as a daemon, and needs other computers to be able to connect to it.
If you have a good enough understanding of the protocol, it should be possible to write a masq module that will appropriately mangle the outgoing packets and appropriately route the incoming packets.
ipmasq module work has pretty much dropped off at this point, as most authors are concentrating on the netfilter implementation in 2.4.
The real problem, of course, is having a deep understanding of the protocol. This isn't hard to come by if you don't mind signing an NDA, but signing that NDA will pretty much keep it out of the linux kernel source.
Maybe game makers can be encouraged to release protocol specs? Or better yet, maybe they can be encouraged to make their protocols RFC1918 compliant.
This is just like television, only you can see much further.
Uh..dude? A PII 266 would be OVERKILL for a box that is only a gateway and firewall. If you need to use a PII run Samba and d.net on it or something, otherwise you're really wasting your hardware. Some friends of mine have had trouble playing Tribes at the same time behind a firewall but I think the main problem lies in configuring ipmasq.
I'm a loner Dottie, a Rebel.
I've found I can play Worms on _other_ servers masq'ed, but I can't host a server (which would be expected). Is there any way around this?
Just getting PPTP working could be a problem, depending on how the NT server is configured.
When they first setup the VPN server where I work, I was able to use the (poorly documented) program pptp-linux to connect after only about 45 minutes of messing around.
Then everything changed. They started using MSCHAPv2 and MPPE and I was essentially locked out. I downloaded and compiled new versions of pppd (with patches). Now both those protocols are supported, BUT:
1) The 40-bit machine lets me log in and assigns me an address, but I can't get to the network. It acts just like a routing problem, but the routes seem to be set up correctly. In any case, I can't even ping (or traceroute to) the gateway I connected to.
2) The 128-bit machine won't even negotiate the encryption correctly. So I get logged in (via CHAP), but then can't get further than that.
So, what I'm saying is: Figure out what the server end is doing FIRST, then figure out what your client will have to do. Then decide if that's worth it.
As for MASQ: No problem. I just VPN from the server and the client machine (Linux in my test, but I see no reason it should be different for anything else) was able to get right out that connection.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
I have, but unfortunately British Telecom changed my ADSL setup so that I can no longer use (& don't need to use) a Linux box as a gateway to an internal network. So yes, it is possible, but no, I can't tell you how! You can play on zone.com from behind a firewall with IP masquerading, but I found the Zone itself to be crap and the ('great' Microsoft) software continually crashed my PC. I even managed to set up an MS Wombat Fright Stimulator server behind the firewall. There's some info somewhere on the web about which ports you need to open up, but you'll have to find it yourself! Sorry.
HH (half-pissed - that's british for drunk not angry)
Yellow tigers crouched in jungles in her dark eyes.
She's just dressing, goodbye windows, tired starlings.
... the single-box limitation.
:)
I've seen a few people pointing toward the howto, and saying that it's the definitive answer. Only, the big problem is that Linux's IP masquerading only forwards ports to one specified machine. It's hardcoded in the setup file that you create.
A good workaround that I've yet to actually try would be to write a shell script on the gateway machine that changes where it's forwarding the ports to, so that more than one machine could take advantage of the feature.
This does not, however, take care of another problem - while it could be made relatively easy to change which machine on the internal net gets the ports forwarded to it, the port forwarding still only works for one machine at a time.
If there are ways around this, I'd love to know. My roommates and I have been itching to try this cable modem out on Battle.net for quite some time now.
-Denor
What a mess. Every host needs a unique, routed IP address. This hokey "masquerading" stuff has got to go. Time to make the transition to IPv6.
It will tell you how to just redirect requests to whatever machine and all. It's not even hard :)
Masq Applications (which doesn't appear to be up at the moment) has an index of all known workarounds and fixes for using software and games behind an ipmasq box. I had a tough time getting everything working right until I checked it out, so it's definitely worth a visit.
Take a look at ipmasqadm, and compile the additional stuff into your kernel. You'll probably find what you're looking for, as it dynamically adds different rules for each IP requesting a certain port, so you don't have to assign static IPs in the rules as before.
From the man page: (man ipmasqadm)
DESCRIPTION
Ipmasqadm is used to configure extra masquerading functionality, usually provided by additional kernel modules.
All in-firewall forwarding takes place by reverse-masquerading, so you must create firewall rules that match the desired forwarding as if the connection had been outgoing (instead of incoming).
--
Check out the modules portfw, autofw, mfw etc..
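Added example, not posted by anyone in this thread: a gateway script of the kind Denor suggests above, which re-points the kernel's forwarding at whichever internal box is playing right now, using the ipmasqadm portfw and autofw modules this comment names and the Boneyards port list (47624 and 2300-2400 TCP+UDP, 9110 and 9113 TCP) quoted earlier. It assumes a 2.2-series kernel with those modules loaded, ipmasqadm on the gateway, and placeholder addresses (the external IP and the internal game host are whatever you pass in). portfw takes a single port per rule, so the 2300-2400 ranges are expanded into one rule each; autofw accepts a low/high range directly, and here it is used with a fixed -h host rather than the -c control-port/-u dynamic mode shown in the Myth comment.

```sh
#!/bin/sh
# Added example, not from any poster in this thread. Re-points the kernel's
# port-forwarding rules at whichever internal box is playing right now.
# Assumptions: a 2.2-series kernel with the portfw/autofw masq modules loaded,
# ipmasqadm on the gateway, and placeholder addresses (EXTIP, the game host).
# The port list is the Boneyards set quoted in the thread.

BONEYARDS_PORTS="tcp:47624 udp:47624 tcp:2300-2400 udp:2300-2400 tcp:9110 tcp:9113"

# expand_ports "proto:port proto:lo-hi ..." -> one "proto port" line per port
# (portfw takes a single port per rule, so a 2300-2400 range needs 101 rules)
expand_ports() {
    for spec in $1; do
        proto=${spec%%:*}
        range=${spec#*:}
        lo=${range%-*}
        hi=${range#*-}
        p=$lo
        while [ "$p" -le "$hi" ]; do
            echo "$proto $p"
            p=$((p + 1))
        done
    done
}

# portfw_rules EXTIP HOST "ports" -> the ipmasqadm commands, one per line.
# The first line flushes the old table so the previous player stops receiving.
portfw_rules() {
    echo "ipmasqadm portfw -f"
    expand_ports "$3" | while read proto port; do
        echo "ipmasqadm portfw -a -P $proto -L $1 $port -R $2 $port"
    done
}

# autofw_rules HOST "ports" -> the same forwarding with autofw, which takes
# ranges natively (low high), so no expansion loop is needed.
autofw_rules() {
    echo "ipmasqadm autofw -F"
    for spec in $2; do
        proto=${spec%%:*}
        range=${spec#*:}
        echo "ipmasqadm autofw -A -r $proto ${range%-*} ${range#*-} -h $1"
    done
}

# rule_count EXTIP HOST "ports" -> number of -a rules that would be installed
rule_count() {
    portfw_rules "$@" | grep -c ' -a '
}

# Usage: gamefw.sh EXTIP INTERNAL_HOST [portfw|autofw]
# Set DRY_RUN=1 to print the commands instead of running them.
if [ $# -ge 2 ]; then
    case ${3:-portfw} in
        autofw) cmds=$(autofw_rules "$2" "$BONEYARDS_PORTS") ;;
        *)      cmds=$(portfw_rules "$1" "$2" "$BONEYARDS_PORTS") ;;
    esac
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | sh -e
    fi
fi
```

Run it as `DRY_RUN=1 sh gamefw.sh 203.0.113.1 192.168.1.5` to see the 206 portfw rules it would install, then without DRY_RUN when a different roommate wants the game. Two caveats a practitioner would add: this is still one player at a time (whoever the rules currently point at), and every forwarded port is reachable from anywhere on the net, so pair it with ipchains input rules that restrict the source to the game servers where you can.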