Playing Games Behind IP Masquerade?

Accipiter asks: "I've configured an internal network to use a Linux box as a gateway using IP Masquerading, and it works beautifully -- except for some off-the-wall things. Recently, I installed Total Annihilation on a Windows box behind the firewall, and I found that it can't connect to other games on the boneyards server (Total Annihilation's Multiplayer setup). How does one configure networked games (specifically TA) on the INSIDE of a network to use servers out on the net?" Most of this is handled in the IP Masquerading HOWTO in particular section 7.22 and the section, appropriately titled, Game Clients.

The main problem with Linux IP Masquerading is that, for a few games, you must forward specific ports to a single game machine. This is contrary to programs like Wingate, which implements Internet sharing for Windows for the whole internal network.

Is anyone working on some kind of redirection protocol for Linux that would remove this restriction and allow all masqueraded machines to play games without the need to redirect to a single machine?

You might also want to check out the Masq Apps page, which lists a cornucopia of games and how to get them working with IP Masquerading.

This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward
    This won't ever be fixed in TA.

    TA used Direct Play, because Networking had to be slapped into the game in the last month before release. The head Network Programmer (a really smart guy) got it just working, but the networking team expanded to create the Boneyards system instead of making a direct workable single port UDP Internet system that didn't require the multi-port hassle of Direct Play to configure a 1 on 1 game.

    Cavedog has since been disbanded, and Humongous (the parent company) has been wholly absorbed into GT Interactive/Infogrammes, and tasked to a more family oriented, non-network based gaming market. I doubt if these issues will ever be resolved, unless someone enterprising hacks it, or one of the employees (in the massive watershed that is about to occur) takes/releases the source and modifies it themselves.

    I'm sure if you're smart, you can figure out why I'm posting under an Anonymous Coward nick, but if I spell it out explicitly, certain annoying marketing guys will be able to figure it out too, so I'll just leave it at that...

  • I'm using a 486/100 with 16MB RAM as my firewall/gateway. Uptime is 76 days now, and it's handling all of my games just fine. I've got the transparent NAT/gateway thing going - just set up your workstation gateways to point to that box.

    I haven't seen anything which has had any trouble.

    This is the first firewall I've set up using Linux, but it hasn't given me any trouble (and all my pings are *nice*). Mostly I just play the various Quake games, though, so I'm not too sure about other software. I haven't run into this "must connect only to a single server" issue. Why is that?
  • by Anonymous Coward
    To my knowledge, the main thing that Wingate does that linux cannot do with IP Masq, has to do with the Wingate client that is installed on each computer behind the Wingate server.

    It basically intercepts every tcp/ip call and redirects it to the wingate server, including calls that open up a listening socket. When a client machine opens up a listening socket it goes to the server and says "I want to listen on port ##, please redirect all of that to me." IP Masq has no way of knowing when a client machine is listening for packets.

    I am not sure how it handles the situation of 2 machines wanting to listen on the same port, my guess is that it just fails for the second computer.

    So either somebody could write a special client for windows machines like WinGate's, or just write a WinGate server emulator.
  • by Anonymous Coward
    Try Hummingbird SOCKS for transparent access to servers outside a firewall. More info [hummingbird.com]
  • by Anonymous Coward
    Dear broody,

    I tried to read your post, but was shocked to find I don't know how to read. Somehow I only learned to write. Can you and the other slashdotters help me? Thank you.

  • I've got two boxes here, but only one ethernet port. So I've got one box being used as a web server, etc, etc, that's also masq'ing my desktop. I've gotten Quake3 to run, no problem, but I can't see "Local Games", I'm guessing this is because Quake3 tries to do some broadcast based on what it thinks your IP address is.

    Anyone know of any solution to this?

  • by whoop ( 194 )
    I have heard this too, and seen "Fix UDP Masq bugs" in kernel updates. I'm no kernel expert, but many UDP games work fine now (Halflife, UT, etc).

    I've seen a lot of people complain about Linux's Masquerading, and that BSD's NAT work is much better. Is there anyone else in the know that can compare them? Does 2.4's Netfilter make Linux better in this regard?

    I'd do it, but I'm waiting for the ext3 patch to be ported to 2.3. I can't give it up. :)

  • # for Dialpad.com
    ipmasqadm autofw -A -r tcp 51210 51210 -h 10.0.0.2
    ipmasqadm autofw -A -r udp 51200 51201 -h 10.0.0.2

    This is the simple, forward-it-to-one-box approach, but it works. You can pass the microphone around for multiple users. :)
  • by whoop ( 194 )
    Heh, the first step is, "Have the newest 2.0.x kernel sources..." Is it a little outdated?

    Many games work quite easily nowadays with no modifying of the IP Masq setup. I've played Halflife, Tribes, Soldier of Fortune, Unreal Tournament just fine. Some things though need redirecting (it seems game companies slowly are getting smarter about this). Myth 1 and 2 were this way, a little sniffing and "ipmasqadm autofw -A -c tcp 6321 -r tcp 3453 3453 -u". This tells the firewall when someone goes out on port TCP/6321 (Myth's user logon), remember their internal IP and redirect port 3453 to them. For these, you're just left at one user per firewall. The games expect to connect at only port 3453 or whatever. They need reprogramming.

    There is a mail list talking about this, nat-peer-games [onelist.com]. There isn't much traffic nowadays (21 for the year), but it was frequented by Activision folk in the early days. Somewhere around the archives there is detailed information on programming with UDP and how to properly write games that allow multiple people to use it on one NAT/IP Masq box.

    There used to be a web site listing several programs and their needed ports for redirecting at http://www.tsmservices.com/masq/ [tsmservices.com], but the web server is down now. It seems many new games (especially FPS) allow multiple people (I know Tribes does, it even allows copies of the same CD to be played on servers), but more frequently the servers do some CD key check. So you'll need to buy multiple copies of games. ;)

  • I don't recall the exact instructions, but look through the Dialpad FAQs.

    They give explicit instructions on the proper settings to get Dialpad to work with an IP Masq box. :)
  • I had a pentium 90 with 48 MB of RAM being my ipmasq box for a lan party once. It held up nicely. The only time I remember our ping times being a little unacceptable was when we connected to a server overseas. Didn't know it until we saw everybody talking funny. BTW I have a cable modem. It is great to play counterstrike with everyone on the same team in the same room.
  • This "Ask Slashdot" is about playing games behind an IP Masq. Apologies to those who think the following off-topic (it's not about games), but I think that they are very related (same issues really).

    I do a lot of work from home for a Microsoft solution-based company. This means Microsoft VPN (PPTP) and pcAnywhere are being used a lot.

    I've been thinking of installing a Linux gateway on my home LAN. One of the reasons is that I can move my internet connection to the Linux box. I currently have to use PPPoE to connect to my DSL service provider. Unfortunately the PPPoE clients are buggy. They're so bad that I cannot even use my ISP's software as it hard-locks my SMP WinNT box when it tries to connect. It makes the other one blue screen occasionally. There are other reasons why I want a gateway too, including security for the machines on my LAN.

    I can only contemplate a Linux gateway (running the PPPoE client) if I can still get my job done. Thus my questions are:
    • How easy is it to masquerade Microsoft VPN?
    • Are there any gotchas that will stop me?
      • If so, how do I check for them (e.g. Linux PPP to a Microsoft RAS has problems if the server only accepts encrypted passwords)?
    • Will there be problems with pcAnywhere (I both host and control remote hosts simultaneously)?

    I presume that if I can get the VPN working, I won't have to worry about other Microsoft protocols being broken, such as browsing the Network Neighbourhood. Is there a decent Linux VPN client that I could use instead, and set up my routing table appropriately on the Linux box (work uses the public IP addressing scheme 198.*.*.* on their intranet)?

  • I have been playing Asheron's Call (a zone premium game) behind my Masq Box/DSL set up for months now. I have had no trouble at all and did not even have to config it anymore than it had been. The only problem that I have had is the fact that Asheron's Call has taken precedence over everything else that I do anymore....

    Damn games. :)

  • dude ... HW doesn't care about date/time. I know my 486SX25 ain't y2k compliant but that doesn't stop it from serving its purpose as a webserver and firewall and it even shows the correct date. The only thing you have to do is set the date back to pre-y2k in the BIOS and change it back when you've booted up Linux/*BSD. That's what I did and it chugs along nicely :)
  • Has anybody successfully played Everquest behind a Linux firewall? I haven't, I was just curious if anybody else had any luck before I bothered to give it a shot.
  • by peter ( 3389 )
    Except for getting more computers connected through your single-IP-or-you-pay-more cable modem. I hope NAT code doesn't become like DeCSS, with some companies thinking that the _only_ use for it is to break the law! Damn, I hope IPv6 gets here soon, though! Microsoft's slowness to support it will really hurt, because a lot of sites will be reluctant to have to run Win2k!
    #define X(x,y) x##y
  • Hmm, is it possible to set up a linux box between your windoze box connected to the wire and the rest of your network? Would that help? Hrmm.
    #define X(x,y) x##y
  • If they made a source-compatible wrapper, it would either have sucky performance (for wrapped games which didn't use the native API) or would constrain them to using the same design model as DirectX (which by some accounts is non-optimal). (I think this is the case, but I don't know the API, or what kind of adaptation might have to happen. I'd be surprised if there was anything like a 1 to 1 mapping between Khronos functions and DirectX functions, though.)
    #define X(x,y) x##y
  • It would seem that what the WinGate proxy does is to simply redirect all UDP traffic to ALL hosts on the network -- at least the local subnet ... the shotgun approach basically. The theory being that the ones that don't care about the data won't be listening, and won't see it.

    They normally don't.

    Consequently, it may be possible to tell ipchains to MASQ UDP packets to the network broadcast address, meaning that all the machines on the subnet will get them.

    As long as you don't do this for any important ports (DNS, et al), you should be OK. Although the security guru in me is still screaming bloody murder.

    But anyway...
  • by jra ( 5600 )
    Well, I hate to pop the Blizzard programmers' bubble, but there just ain't no way _to_ program UDP masquerading 'right'. Without intimate knowledge of the protocol in question, and possibly a helluva lot of remembered state on the firewall, you just can't tell which internal machine the packets are intended to go back to, if both internal machines are listening on the same port.

    Now, if the protocol is "Hey, I'm here, listening on port 'X'", and each session can negotiate a separate port, fine, but face it, in these one-user-per-machine days, most designers no longer consider the fact that an IP address may not map one-to-one with a user...
    Cheers,
    -- jra
    -----
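The one-host limit that whoop's "-c tcp 6321 -r tcp 3453 3453" rule and jra's post describe comes down to what the masquerade table can and cannot look up. The following toy model is an added illustration for this thread, not ipmasqadm or kernel code: every address is constructed, the `autofw`-style trigger and static forward are simplified re-creations of the rules quoted above, and the `loose_udp` switch is an assumed approximation of what the Loose-UDP patch mentioned later in the thread permits (a UDP reply from a remote address other than the one originally contacted). Client-style flows from two hosts are demultiplexed by the masq box's own port numbers; a packet aimed at a fixed listening port can only be handed to whichever single host was last named.

```python
"""Toy IP-masquerade table: shows why a UDP game that listens on one fixed
port can be forwarded to only one inside host, and how an autofw-style
control-port trigger picks which host that is.  Added illustration for
this thread; it is not ipmasqadm or kernel code, and every address here is
constructed."""
from dataclasses import dataclass, field

EXTERNAL_IP = "203.0.113.10"   # constructed public address of the masq box


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class MasqBox:
    loose_udp: bool = False       # accept UDP replies from any remote host (assumed
                                  # approximation of the Loose-UDP patch behaviour)
    next_port: int = 61000        # first outside port handed out to masqueraded flows
    # (proto, masq_port) -> (inside_ip, inside_port, remote_ip)
    outbound: dict = field(default_factory=dict)
    # (proto, inside_ip, sport, remote_ip, dport) -> masq_port
    flows: dict = field(default_factory=dict)
    # static or triggered forwards: (proto, port) -> inside_ip
    forwards: dict = field(default_factory=dict)
    # autofw-style triggers: (ctrl_proto, ctrl_port) -> (fwd_proto, lo, hi)
    triggers: dict = field(default_factory=dict)

    def add_forward(self, proto, port, host):
        """Like 'autofw -A -r proto port port -h host': exactly one host."""
        self.forwards[(proto, port)] = host

    def add_trigger(self, ctrl_proto, ctrl_port, fwd_proto, lo, hi):
        """Like 'autofw -A -c ctrl_proto ctrl_port -r fwd_proto lo hi'."""
        self.triggers[(ctrl_proto, ctrl_port)] = (fwd_proto, lo, hi)

    def outgoing(self, pkt):
        """Rewrite an inside->outside packet; returns the packet as sent out."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.flows:
            self.flows[key] = self.next_port
            self.outbound[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport, pkt.dst)
            self.next_port += 1
        trig = self.triggers.get((pkt.proto, pkt.dport))
        if trig:  # control connection seen: this host now owns the redirect
            fwd_proto, lo, hi = trig
            for port in range(lo, hi + 1):
                self.forwards[(fwd_proto, port)] = pkt.src
        return Packet(pkt.proto, EXTERNAL_IP, self.flows[key], pkt.dst, pkt.dport)

    def incoming(self, pkt):
        """Map an outside->inside packet back, or return None (dropped)."""
        entry = self.outbound.get((pkt.proto, pkt.dport))
        if entry:
            inside_ip, inside_port, remote_ip = entry
            if remote_ip == pkt.src or (pkt.proto == "udp" and self.loose_udp):
                return Packet(pkt.proto, pkt.src, pkt.sport, inside_ip, inside_port)
        host = self.forwards.get((pkt.proto, pkt.dport))
        if host:
            return Packet(pkt.proto, pkt.src, pkt.sport, host, pkt.dport)
        return None   # unsolicited and nothing forwarded: the packet is dropped


def demo():
    """Two inside hosts behind one masq box; returns what reached whom."""
    a, b, server = "10.0.0.2", "10.0.0.3", "198.51.100.5"   # constructed
    box = MasqBox()
    # Client-style UDP (Quake-like): both hosts use source port 27960, but the
    # masq box gives each flow its own outside port, so replies demultiplex.
    qa = box.outgoing(Packet("udp", a, 27960, server, 27960))
    qb = box.outgoing(Packet("udp", b, 27960, server, 27960))
    reply_a = box.incoming(Packet("udp", server, 27960, EXTERNAL_IP, qa.sport))
    reply_b = box.incoming(Packet("udp", server, 27960, EXTERNAL_IP, qb.sport))
    # Server-style UDP (Myth-like): a peer sends to the fixed game port 3453.
    probe = Packet("udp", server, 3453, EXTERNAL_IP, 3453)
    dropped = box.incoming(probe) is None           # no forward yet
    box.add_forward("udp", 3453, a)
    static_to = box.incoming(probe).dst              # static forward: host a
    box.add_trigger("tcp", 6321, "udp", 3453, 3453)
    box.outgoing(Packet("tcp", b, 40000, server, 6321))   # b logs in
    triggered_to = box.incoming(probe).dst           # redirect moved to b
    return {
        "reply_a": reply_a.dst, "reply_b": reply_b.dst, "dropped": dropped,
        "static_to": static_to, "triggered_to": triggered_to,
    }


if __name__ == "__main__":
    print(demo())
```

The table has no entry for an inbound packet to port 3453 until someone names a host, and naming a second host simply replaces the first; that is the whole of the "one user per firewall" problem, and why the trigger only helps when the game's control connection can be told apart from the game traffic.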
  • The games that usually pose the largest problems are those that use Microsoft's DirectPlay. These games include Age of Empires II, Mechwarrior 3, and Rainbow Six. The reason why these won't work is they use a lot of odd ports during gameplay. If you search Deja.com, you may find a shell script which sets up ipchains for you to help you resolve these problems.
  • by Nemesys ( 6004 ) on Saturday April 15, 2000 @05:24AM (#1131010)
    If most of it is handled by the HOWTOs and Masq App, why bother posting
    the story? ;)
  • by Accipiter ( 8228 ) on Saturday April 15, 2000 @05:46PM (#1131011)
    I seem to have discovered that many people have viewed my question as vague.

    First off, to all you people saying "Read the HOWTO", let's make one thing clear. That was the first thing I did. As a matter of fact, I've read it *several* times over looking for the answer to my question. If it helped, I wouldn't need to ask. (The HOWTO is what got my Masq setup working in the first place. If I didn't read it, I wouldn't be using it.)

    Secondly, I have tried the port forwarder as well as the rulesets. None work. From extensive browsing of the boneyards site, I've found that Total Annihilation's Boneyards must allow ports 47624, and 2300-2400 for both TCP and UDP, as well as 9110 and 9113 for TCP. (P.S.: The instructions on the Masq Apps Page [tsmservices.com] pertaining to Total Annihilation do NOT work with Boneyards. I've tried.)

    So after firing e-mail back and forth from Cavedog, and extensive trial and error, I have still not been able to do this. So I ask Slashdot. Then I get a bunch of people telling me to "Read the Manual." Sorry folks, if it was that easy it wouldn't be an issue.

    -- Give him Head? Be a Beacon?

  • I was involved (peripherally) with the old (pre-web) netrek networking protocols. In order to get things to work well in the face of lag and packet loss, information was divided into critical and non-critical. Critical information was sent via TCP, non-critical (realtime positions of ships and torpedoes and shield states, etc) information was sent via a UDP port.

    Realize that this was a way to avoid implementing error recovery/windowing protocols on top of UDP directly - this greatly reduced the complexity versus a "use UDP for everything" design; doubly so since the game was written originally for TCP (and still works in TCP-only mode if need be, but if you drop a packet you get to wait - bad in a realtime game).

    Originally it was designed to use random ports to deal with conflicts with other programs. Obviously in these days of firewalls, etc this causes (caused) problems.

    I imagine modern games are either a) using the dual TCP/UDP port trick, b) using pure UDP with their own error recovery on top of it (expensive programming-wise, and liable to bugs), c) using pure TCP and living with serious lag if a packet is dropped, or d) using dual (or more) TCP connections, each for items of differing criticality.

    (PS. I ported netrek to the Amiga in '91(?), and fixed a number of portability and other errors. Last time I tried, it still worked excluding that most servers no longer list its public key as a blessed client.)

  • by Zoid ( 8837 ) <zoidctf@gmail.com> on Saturday April 15, 2000 @05:48AM (#1131013) Homepage
    I'm a huge fan of Total Annihilation actually and would love to play it online more often. But I had the same problem--it didn't work through masquerading.

    The entire reason the majority of Win32 based games is they depend on DirectPlay. To put it bluntly, DirectPlay is probably the most badly designed protocol I've ever seen.

    It has no concept of firewalls, it opens up random port numbers and does double connections between hosts. It's just evil badness.

    I've searched and disassembled and tried to figure out how it works so I could write an ip_masq_directplay module for the kernel, but I couldn't find any decent specifications.

    If DirectPlay supported something like SOCKS, this wouldn't be an issue.

    I eventually gave up on playing directly, but there are other solutions to play the game online:

    1. MPlayer is a free service and they use a front end to the game. You can play matches with TA on MPlayer. They overload the protocol that TA uses and work fine through Masquerading.

    2. Kali works perfectly with Masquerading. For TA, Kali emulates itself as an IPX driver that DirectPlay runs over (I believe). Kali works with just about everything. It was also nice to see Kali fire up and immediately tell me I was using NAT and figured out its translated address automatically.

    I gave up trying to play TA on Boneyards. I emailed one of the guys at Cavedog (Rick Lambright) and talked specifically about NAT issues. We talked about TA and its dependency on DirectPlay and that it's pretty much screwed in getting it fixed. Kingdoms suffered the same fate.

    Cavedog has been disbanded (or extremely downsized) so I'm not sure what the status would be now if anything can be done.

    The best solution is to convince someone at the assimilation headquarters at Microsoft to add NAT support (or something like SOCKS) to DirectPlay. If that was added, it could retroactively make ALL DirectPlay games work.
  • MSDN has all you need to know about DirectPlay and firewalls here [microsoft.com]. Even when using all of these "features" you still can't host more than one game behind a NAT without doing port forwarding and having the players pick their own non conflicting ports.
  • by Syberghost ( 10557 ) <syberghostNO@SPAMsyberghost.com> on Saturday April 15, 2000 @12:20PM (#1131015)
    Ok, but that still doesn't explain why people don't type their query into Google [google.com] or Altavista [altavista.com] or even DejaNews [deja.com] before spewing it as an Ask Slashdot.

    Or, for that matter, why the editors don't send the above sentence back to the submitter instead of posting the lame question.

    UTFSE; Use The Freakin' Search Engines.

  • by alhaz ( 11039 ) on Saturday April 15, 2000 @06:00AM (#1131016) Homepage
    The actual fix is to get off your duff and write a helper module for your game.

    The one-machine limitation for many games is there because the game essentially runs as a daemon, and needs other computers to be able to connect to it.

    If you have a good enough understanding of the protocol, it should be possible to write a masq module that will appropriately mangle the outgoing packets and appropriately route the incoming packets.

    ipmasq module work has pretty much dropped off at this point as most authors are concentrating on the netfilters implementation in 2.4.

    The real problem, of course, is having a deep understanding of the protocol. This isn't hard to come by if you don't mind signing an NDA, but signing that NDA will pretty much keep it out of the linux kernel source.

    Maybe game makers can be encouraged to release protocol specs? Or better yet, maybe they can be encouraged to make their protocols RFC1918 compliant.

  • Uh..dude? A PII 266 would be OVERKILL for a box that is only a gateway and firewall. If you need to use a PII run Samba and d.net on it or something, otherwise you're really wasting your hardware. Some friends of mine have had trouble playing Tribes at the same time behind a firewall but I think the main problem lies in configuring ipmasq.
  • Are you using a 2.0 kernel for the ip masq box? Back when I was in the Asheron's Call beta, I had problems connecting through ip masq. There _is_ a problem on 2.0 kernels for some UDP situations. You can use the Loose-UDP patch [netcom.com] to fix it or (what I did) upgrade to a 2.2 kernel. After that, things worked great.

    Also, running a SOCKS proxy is different than running IP masq. (it's a userspace tool for one) There are a few implementations for linux at freshmeat, but I've never used that stuff.
  • I don't know about WON, but battle.net is so badly overloaded now, that the lag is terrible for doing ANYTHING on the service.

    Uhm, battle.net is only a meeting place to find people to play (with|against). Once you've found opponents and start a game, battle.net doesn't do anything but record the game result at the end. The actual game is played between the clients. (This is Starcraft-experience, BTW).

  • I've found I can play worms on _other_ servers masq'ed, but I can't host a server (which would be expected). Is there any way around this?
  • Just getting PPTP working could be a problem, depending on how the NT server is configured.

    When they first setup the VPN server where I work, I was able to use the (poorly documented) program pptp-linux to connect after only about 45 minutes of messing around.

    Then everything changed. They started using MSCHAPv2 and MPPE and I was essentially locked out. I downloaded and compiled new versions of pppd (with patches). Now both those protocols are supported, BUT:

    1) The 40-bit machine lets me log in and assigns me an address but I can't get to the network. It acts just like a routing problem, but the routes seem to be setup correctly. In any case, I can't even ping (traceroute) the gateway I connected to.

    2) The 128-bit machine won't even negotiate the encryption correctly. So I get logged in (via CHAP), but then can't get further than that.

    So, what I'm saying is: Figure out what the server end is doing FIRST, then figure out what your client will have to do. Then decide if that's worth it.

    As for MASQ: No problem. I just VPN from the server and the client machine (Linux in my test, but I see no reason it should be different for anything else) was able to get right out that connection.
    --
  • by g0del ( 28935 ) on Saturday April 15, 2000 @05:46AM (#1131022)
    The problem is, the HOWTOs and the masq app don't explain how to get all games to work - and for many games, the only way to get them to work is to forward the ports to a single machine, making it impossible for others behind the NAT box to play the game.

    For instance, my wife and I could both play quake or quake3 at the same time on the net from behind my NAT box with no problems. But it is impossible for us both to play Diablo at the same time. It has to be one machine or the other, and I would have to change the port forwarding rules to do that.

    And as for saying the game coders should get it right, Blizzard programmers have said that they did, and Linux gets it wrong. I just looked for the link and couldn't find it, but they claimed the linux masq worked great for tcp games, but didn't handle udp masquerading properly. They then said that the only proxy that worked was WinGate. I don't know what WinGate does that other programs don't, but it would be nice to know so linux could get it.


    G0del
  • I am not either a 13 yr old or a script kiddie (as some comments would imply) and I can tell you that this is not a trivial task.


    I actually play about 3 games UT and Q2/3 and have a few more I would like to play. I also have a serious side. eg: a Firewall with a 24/7 server with a webserver/database sitting behind it for research/work.


    Since some of the games are limited to a specific port range, I have to poke a hole in the firewall just to get the game to play. (a security risk) I have found some tools that will find the servers for me, but as of yet none that will create an Ipchains/etc. rulelist to poke the holes for me. (eg I found server a.b.c.d:z so create rule to handle) To complicate things some game master servers have this nasty habit of being encrypted or proprietary so that only authorized clients can get this information. Furthermore; that's just for outgoing/client connections.

    I would also like to handle incoming connections to a future Q3/UT server of my own for my clan.

    I would also like to see ways to optimize this for performance. I have seen that connecting to an IRC chat with the FW in place is about 40x faster than without.

  • Everquest works fine, and even better, two machines running everquest works fine too, and with no more lag on a 56K modem than with a single client.
  • speaking of stuff not working behind masq, has anyone gotten napster to work? I have read dejanews posts & google posts and done what they suggest to no avail. unblocking ports 6699, 3333, 4444, etc, still don't let me download files. I can connect, search, chat, etc, but not download.

    can anyone help?
  • With all of you reading the posts and helping people with getting their programs running correctly behind a NAT, we should all take time to go to the Masq App page and update the programs we know work! Let's go get 'em guys. Here is the link for the Masq App page: http://www.tsmservices.com/masq/
  • Couldn't you try and use something like Sockscap from NEC? This takes all TCP/UDP calls I think and routes them through a SOCKS proxy.

    http://www.socks.nec.com/sockscap.html
  • Microsoft is taking a LOT of steps to address the NAT issue in DP8 -- all network traffic will go through a single port which is easily routable via NAT. That probably won't do any good for existing games, but at least they are addressing the issue.
  • From: http://www.tsmservices.com/masq/catlist.php3?Games This is the same configuration for both Diablo 1.0.7 and all versions of Starcraft and Starcraft: Broodwar. It doesn't of course refer to any box behind the firewall and is a very clean implementation of autofw: ipmasqadm autofw -A -r udp 6112 6112 -c tcp 6112

    Every rule has an exception, and this is the only rule with no exceptions! Huh? -- Spatch
  • Everquest works fine behind my Masq'ed machine.

    However, I have not tried playing it on two machines at once.
  • hmm, my roommate uses the Windows Napster client and he doesn't have any problems downloading. I used to have atrocious problems with gnapster in Linux, but all those issues were solved (along with uploading issues). Are you sure you're using the latest versions of all applicable software (kernel, ipchains, napster)?
  • Well, I don't have the problems you described, but there is a dedicated ICQ module at http://members.tripod.com/~djsf/masq-icq/ . While basic ICQ functionality works fine behind firewalls, this patch makes the rest work.
  • I could do something like this, but British Telecom have issued dire warnings against anyone changing the settings on their router (which is owned by BT, so they can get away with this). I suppose I could buy my own router, but ATM->Ethernet routers aren't that cheap.

    HH

    Yellow tigers crouched in jungles in her dark eyes.
  • I have, but unfortunately British Telecom changed my ADSL setup so that I can no longer use (& don't need to use) a Linux box as a gateway to an internet network. So yes, it is possible, but no I can't tell you how! You can play on zone.com from behind a firewall with IP masquerading, but I found the Zone itself to be crap and the ('great' Microsoft) software continually crashed my PC. I even managed to set up a MS Wombat Fright Stimulator server behind the firewall. There's some info somewhere on the web about which ports you need to open up, but you'll have to find it yourself! Sorry.

    HH (half-pissed - that's british for drunk not angry)

    Yellow tigers crouched in jungles in her dark eyes.
  • by hedgehog_uk ( 66749 ) on Saturday April 15, 2000 @05:58AM (#1131035) Homepage
    You obviously haven't tried to do it, have you?

    It's not that simple. There's some good information in the HOWTO's, man pages and on the web, but putting it together and getting it to work is another matter. There's no single document that explains how to do it and it's tricky stuff to get right. I wish I'd kept the scripts I wrote to do it when I got rid of the machine I was using as a firewall.

    HH

    Yellow tigers crouched in jungles in her dark eyes.
  • This is yet another piece of proof that Ask /. is picked at random. Or an even scarier thought /. is gonna try catering to 13 year old gamers & script kiddies.
    RTFM/RTFHT

  • It's really too bad, because DirectPlay usually ends up being much better than what vendors choose to put into games. Ever heard of battle.net? Or WON? It's because Blizzard and Sierra, respectively, refuse to support DirectPlay TCP/IP services and instead put in their own horky Internet gaming services. Now, I'm not totally going off on bnet and won: They have their place. For one, it's a nice online community where you can meet and play people who like the same game you do. But, I find it very frustrating when vendors choose not to include direct TCP/IP because it's much, much easier to do games with friends that way. I don't know about WON, but battle.net is so badly overloaded now, that the lag is terrible for doing ANYTHING on the service. So, I have to suffer because they wanted to make everyone use a service that they won't give enough capacity to. I always hope that my games support DirectPlay for that reason, not because it's a Microsoft standard, but because at least you're getting a decent set of primitive protocols.
  • ...is that on occasion, game companies decide to encode the machine's IP address in the packet, meaning that IPMasq can't pick it up and change it as needed. The server then decodes the packet and tries to get to an IP it can't get to.

    For games like those, you plain can't play over IPMasq.
  • I think the real problem is games where each machine participating in a game has to connect to each other. Quake3 works fine through a firewall, because the only machine you ever talk to is the game server, and it's you that connects to the server. In Tiberian Sun the game won't start, probably because the other players try to connect to my machine. This can of course be solved by forwarding all connection requests to a specific machine. The problem is when more than one person behind the firewall want to play. But at least Quake3 works fine with two computers behind the firewall playing at the same time.
  • by Pulzar ( 81031 ) on Saturday April 15, 2000 @07:16AM (#1131040)
    I've found the following setup for DirectPlay, Game Zone, Mplayer, and Boneyards somewhere on the web, and it has worked well for me.. You can join and play any DirectPlay games, but you can't serve them. (At least, I couldn't get it to work).

    I remember reading a note that came with this, saying that you need DirectPlay 6+ for this to work, since the previous versions use random port numbers.

    This is a part of the Sygate apprule file, but you should be able to convert it to whatever you need..

    # DirectPlay, Game Zone, Mplayer, Boneyards - Modification tested on 8/16/99
    # Most of DirectPlay games use this rule
    :INIT "DirectPlay"
    OUT TCP 47624 47624 0.0.0.0 0 R
    :SUB
    IN TCP 47624 47624 0.0.0.0 0 0 AD
    IN UDP 2300 2400 0.0.0.0 0 0 AD
    IN TCP 2300 2400 0.0.0.0 0 0 AD
    OUT UDP 2300 2400 0.0.0.0 0 D
    OUT TCP 2300 2400 0.0.0.0 0 D
    IN TCP 9110 9110 0.0.0.0 0 0 AD
    OUT TCP 9110 9110 0.0.0.0 0 D
    IN TCP 9113 9113 0.0.0.0 0 0 AD
    OUT TCP 9113 9113 0.0.0.0 0 D
    IN TCP 28800 29000 0.0.0.0 0 0 AD
    OUT TCP 28800 29000 0.0.0.0 0 D
    IN UDP 8000 9000 0.0.0.0 0 0 AD
    IN TCP 8000 9000 0.0.0.0 0 0 AD
    OUT UDP 8000 9000 0.0.0.0 0 D
    OUT TCP 8000 9000 0.0.0.0 0 D
    :END
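    The Sygate rule above lists inbound port ranges that a Linux masquerading box would have to forward to one inside machine. Here is an added example, not from the post or from Sygate, that parses the IN lines of such an apprule excerpt and emits the equivalent ipmasqadm autofw rules for a single inside host; the autofw syntax is as I recall it from the ipmasqadm man page of that era (check yours), and the inside address and the shortened rule excerpt are constructed.

```python
import re
from typing import List, Tuple

# Constructed excerpt of the Sygate apprule quoted in the post above.
SYGATE_RULE = """\
:INIT "DirectPlay"
OUT TCP 47624 47624 0.0.0.0 0 R
:SUB
IN TCP 47624 47624 0.0.0.0 0 0 AD
IN UDP 2300 2400 0.0.0.0 0 0 AD
IN TCP 2300 2400 0.0.0.0 0 0 AD
OUT UDP 2300 2400 0.0.0.0 0 D
IN UDP 8000 9000 0.0.0.0 0 0 AD
:END
"""

# IN <proto> <low> <high> <remote-ip> <remote-port> <flags...>
IN_RULE = re.compile(r"^IN\s+(TCP|UDP)\s+(\d+)\s+(\d+)\s+\S+\s+\d+\s+\d+\s+\S+$")


def inbound_ranges(apprule: str) -> List[Tuple[str, int, int]]:
    """Return (proto, low, high) for every IN line.  OUT lines need no
    forwarding rule: outbound traffic is already handled by masquerading."""
    ranges = []
    for line in apprule.splitlines():
        m = IN_RULE.match(line.strip())
        if not m:
            continue
        proto, low, high = m.group(1).lower(), int(m.group(2)), int(m.group(3))
        if low > high or high > 65535:
            raise ValueError(f"bad port range in rule: {line!r}")
        ranges.append((proto, low, high))
    return ranges


def autofw_commands(ranges: List[Tuple[str, int, int]], inside_host: str) -> List[str]:
    """One autofw rule per inbound range, all pointed at a single inside
    host: this is the one-machine-at-a-time limit the thread complains about.
    inside_host is a constructed RFC 1918 address; autofw syntax is assumed."""
    return [f"ipmasqadm autofw -A -r {proto} {low} {high} -h {inside_host}"
            for proto, low, high in ranges]


def port_count(ranges: List[Tuple[str, int, int]]) -> int:
    """Total ports passed straight through to the inside host; worth knowing,
    since 8000-9000 alone opens 1001 of them."""
    return sum(high - low + 1 for _, low, high in ranges)


if __name__ == "__main__":
    rules = inbound_ranges(SYGATE_RULE)
    print(f"# forwarding {port_count(rules)} ports to one inside host")
    print("\n".join(autofw_commands(rules, "192.168.1.10")))
```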
  • I run IP Masq at home and have not been able to find a single program I could not forward. That includes Diablo and Starcraft. It works well for http, email (POP3 and IMAP), IRC including identd (if you install Midentd), ftp, telnet, ssh, and games, udp or tcp/ip. It can sometimes be complicated to get the forwarding rules correct. I would suggest visiting freshmeat and searching for ipchains-firewall. This is a handy premade firewall that should configure your ipchains for you if you're not interested in reading the HOWTOs. One comment about Diablo. It only lets one person play on Battlenet at a time. However you should not have to change your rules every time you want to play from a different machine on the network. Simply specify all the addresses that may need that udp port forwarded. The first machine that makes a request on that port gets the use until it is finished.
  • Your setup is soooooo overkill. I only recently upgraded to a P75 with 32 megs of RAM as my firewall, only because my old 486DX33 with 16 megs wasn't Y2K compliant. It runs IPMasq, Samba, FSGS server and webserver. It doesn't even sweat.
  • It is relatively easy to MASQ pptp but you must patch your kernel. Here is a good place to start. [wolfenet.com]

    Caveats: I have never used pcAnywhere, and Network Neighborhood browsing doesn't work. I haven't bothered trying to get it going though; I think it's uselessly slow.

  • Drat.

    I was wondering when my next addiction was going to come out. Now it appears that the answer is, "Never."

  • Getting it going might take you some time, especially if you're a novice. You may have to drop everything and start over a couple of times, but if you have patience you'll get it. I've got IPMasq set up and am able to VPN using PPTP, browse Network Neighborhood, and use PCAnywhere to get to any box I want (multiple boxes too). You don't need much power either, mine is running on a P100. Prior to running the Linux box I was using Win98. I can't even begin to describe to you how much happier I am with Linux. If you want to take a look at some howtos go to http://howto.linuxberg.com. Take a look at the IPMasq howto. Best of luck.
  • by Denor ( 89982 ) <denor@yahoo.com> on Saturday April 15, 2000 @05:43AM (#1131046) Homepage
    ... the single-box limitation.

    I've seen a few people pointing toward the howto, and saying that it's the definitive answer. Only, the big problem is that Linux's IP masquerading only forwards ports to one specified machine. It's hardcoded in the setup file that you create.
    A good workaround that I've yet to actually try would be to write a shell script on the gateway machine that changes where it's forwarding the ports to, so that more than one machine could take advantage of the feature.
    This does not, however, take care of another problem - while it could be made relatively easy to change which machine on the internal net gets the ports forwarded to it, the port forwarding still only works for one machine at a time.
    If there are ways around this, I'd love to know. Me and my roommates have been itching to try this cable modem out on Battle.net for quite some time now. :)

  • Why are questions like this posted? This is the second question in a row that can be answered by reading documentation. Sorry, it's not that hard to read the IPMasq HOWTO.
  • by vio ( 95817 )
    Is that so? A little birdie from within the beast itself (Blizzard) tells me they're aware of the fact that diablo/starcraft DO NOT work from behind a NAT/MASQ server and *might* try to fix it. It has nothing to do with Linux Masq'ing and all to do with how they designed their networking. Take Everquest for example - dozens of people can play behind a MASQ'ed Linux box... (apparently "we" are a special set of people)

    And besides, saying "Linux" has it wrong is crazy -- I have yet to find something that does it "right" then (including the "favorites" Sygate and WinGate)

    just some quick thoughts (and a little steam -- those lazy bastards!!!)

  • In order for you to browse the network, NetBIOS traffic has to be passed through the VPN -- not bloody likely with most routers. Alternatively, you can attach to a WINS server on the remote network to browse (which will show you all the WINS-connected machines on the remote network).

    Also, use VNC -- it's faster and easier than PCAnywhere, and with a PPTP VPN you have semi-adequate security. Just make sure you log out when you leave. :)

    Aetius
  • Isn't that the site that they mentioned in the article?

    Pablo Nevares, "the freshmaker".
  • If most of it is handled by the HOWTOs and Masq App, why bother posting
    the story? ;)


    So that people can copy and paste from the HOWTOs and get moderated up (+1 INFORMATIVE) for it.


  • If it's DirectPlay, which is part of DirectX, that is having a lot of problems with masq'ed connections, would Khronos [khronos.org] help (Slashdot story [slashdot.org] here)? Just wondering... since it'll be an open replacement for DirectX, why not include an open replacement for DirectPlay? (Better yet: make a source-compatible wrapper, and no game company would have any excuse!)

  • This sounds like a job for Open Source
    If DirectPlay is a known API, it may be possible to code a replacement for it which is compatible with what DirectPlay does, but includes extensions which allow support for NATs. -- Then make it available to game designers.
    What I'm basically saying is: Take MS's "embrace and extend" and use it in reverse.
    It seems to me that a simple 'fix' to the protocol is to use the last octet of a client's internal IP as a hash to decide which UDP port to use. Combine that with the auto-routing of UDP mentioned above, and you have a somewhat hacked solution -- granted, it doesn't work well for larger (i.e. company-wide) private networks, but it would handle most home setups, and the majority of company nets (at least, those that want to allow gaming for their employees!).
    That having been said, I'm not willing to do it myself. I've avoided Wintendos for its entire life, and I've done ZERO coding for it. The best I could do would be to coordinate a project.
  • Yes, I've run UT on a Win98 box behind my OpenBSD NAT box and it works just fine. In my experience setting up *BSD NAT is much easier and less troublesome than Linux's Masq, plus with OpenBSD you get a secure by default OS as your firewall which is extra gravy. --e!
  • agreed :)
  • What a mess. Every host needs a unique, routed IP address. This hokey "masquerading" stuff has got to go. Time to make the transition to IPv6.
  • by jallen02 ( 124384 ) on Saturday April 15, 2000 @05:37AM (#1131057) Homepage Journal
    It will tell you how to just redirect requests to whatever machine and all.. It's not even hard :)
  • by spaceorb ( 125782 ) on Saturday April 15, 2000 @05:34AM (#1131058)
    Masq Applications [tsmservices.com] (which doesn't appear to be up at the moment) has an index of all known workarounds and fixes to using software and games behind an ipmasq box. I had a tough time getting everything working right until I checked it out, so it's definitely worth a visit.
  • Yup. Works fine here. We had 3 machines on EQ at one time, all masqed by the box and running nicely.
    Gimme a yell if you need to look at my masq setup.

  • I'm wondering if a PII 266 will work all right to be my firewall, gateway to my cable modem for my LAN of 2 computers (so I don't get charged for my 2nd IP addy, plus I'm interested in learning). We play a lot of Half Life. Will we be able to play on the same server? And just how hard is this to set up from a box with nothing on it..?
  • Has anyone gotten Microsoft Flight Simulator (or any of the zone.com games for that matter) to successfully run behind IP Masquerading? And if yes, how? I've been trying to do this but until now, there has been no success.

    It seems that none of the games played through zone.com can be used behind IP Masquerading.

  • I use the 3 line masq solution with ipchains found in many howtos and I've found it works for multiple machines on my 10base2 (BNC) network: Starcraft, Diablo, and everything but Worms Armageddon and DCC sends work.
  • I haven't tried TA through a linux masq so this may be way off base. Some games actually encode and send the IP of the client machine as part of the data to the server ... masq won't know to translate this and you may need a specific mod. There is no generic way to handle this ... if it was me I'd check the TA forums...
  • This may be slightly off-topic, but I use OpenBSD as my router and soon plan on building a gaming machine. Has anyone had any experiences running multiplayer games through an OpenBSD gateway?
  • Easiest solution I use is to load up a game... Say Unreal Tournament. Have tcpdump open on my linux box to watch outgoing packets from my game machine. Those packets will show you what port they're trying to access (say, 7777 in UT's case) and whether it's TCP or UDP. Then using ipchains and the ipmasqadm autofw wrapper, just forward those ports to that machine. Every game I've tried to play I've used this solution for. Everything from Madden 2000 to UT :)
  • Is that rather than utilizing TCP/IP like it should be used (relying on the IP headers for source/destination addresses), the coders are encapsulating the true source IP inside the packet payload. I've also heard DirectPlay does this. This of course will break MASQing.

    This is becoming such an issue these days I doubt the problem will persist for too much longer.

    sedawkgrep
  • I know some people were talking in a deep-nested node about how UDP masq on Linux is buggy. It seems it is a security hole too:
    Check bugtraq here [securityfocus.com].

    ---
    guillaume

  • Back when I was playing Baldur's Gate multiplayer, I had no end of troubles because they used DirectPlay. Essentially, that meant that a random port between 2300 and 2399 was chosen and that's what you were stuck with. I just set up my FreeBSD box's NAT to forward each and every one of those ports to the specific IP on my network. It's not terribly hard to figure out the ports you need to use, but you can always look at the forums/tech support pages for the game. I believe there was a BG FAQ entry that mentioned the ports you would need to forward.
  • and everything but Worms Armageddon and DCC sends work.
    Why wouldn't DCC sends work? Are you using ip_masq_irc? It defaults to port 6667, but you can add more ports by using ports=6666,6668,6669 etc. when you do insmod...
  • It never keeps connected more than 5 minutes in a row. If no one in the Linux community cares (about anything other than games) I have to doubt that it could be trusted at all; somebody must have had this problem. And you can't run homebrew ICQ clients on a dedicated firewall, stupid.
  • Take a look at ipmasqadm, and compile in the additional stuff in your kernel. You'll probably find what you're looking for, as it dynamically adds different rules for each ip requesting a certain port, therefore you don't have to assign static ips in the rules as before..

    From the man page: (man ipmasqadm)

    DESCRIPTION
    Ipmasqadm is used to configure extra masquerading funcionality, usually provided by additional kernel modules.

    All in-firewall forwarding takes place by reverse-masquerading so you must create firewall rules that must match desired forwarding as-is the connection had been outgoing (instead of incoming).
    --

    Check out the modules portfw, autofw, mfw etc..

  • Hi Slashdotters,
    I just bought my first version of Red Hat from good old CompUSA. What is a CDROM? Which part of the manuals should I read first? Can I run Linux under windows? PS. Dear Editor: Please list this as an Ask Slashdot question.

    What the fuck?!?

    Is Slashdot becoming some lame clone for usenet or mailing lists? This damn article is annoying as hell.

  • Yeah- I've run into the exact same issue with getting certain games to run correctly behind an OpenBSD NAT/Firewall. StarCraft battlenet, Quake 1 have become particularly uncooperative and if anyone has some idea on how to get them working pleeeease tell me.
  • Hmm do you know where I can get ahold of a copy of "qudproxy.c"?
  • I'm using a little 80486 DX2 with 12MBs of RAM for NAT/IPMASQ, DHCP, firewall, web server and a battlenet server simultaneously. So I think you should get off pretty well.
