I can't find a way to make Starcraft work with multiple *clients* behind the
linux firewall. The root of the problem is that a demasqueraded packet
doesn't go through the forwarding rules. I basically want a demasqueraded
packet to be masqueraded. Allow me to digress:
Machine M1 is 10.1.1.2 and is hosting a Starcraft game.
Machine M2 is 10.1.1.3 and is trying to join M1's game.
The address of the external interface of the linux fw is EXT.
M2 asks bnet what the address of the game host is and bnet tells M2 that
M1's address is udp EXT:61001.
M2 sends a packet M2:6112 -> EXT:61001. This packet hits the fw and is
demasq'd to M2:6112 -> M1:6112. This is *bad*. I really want this packet to
be EXT:61002 -> M1:6112.
M1 receives M2:6112 -> M1:6112 and sends a reply packet M1:6112 -> M2:6112.
M2 never receives a packet from EXT:61001 so it thinks the game is not
responding even though M1 continues to bang away for a while.
Now, if the packet was remasq'd as I'd like, M1 would send M1:6112 ->
EXT:61002 which would be demasq'd/remasq'd to EXT:61001 -> M2:6112. M2 would
receive the packet from "the game" and communication would continue to go
through the firewall for the duration of the game.
I guess a more elegant solution would be to snoop the bnet packets and
rewrite the address of the game sent by bnet to M2 so that M2 thinks the
game is at M1's internal address of 10.1.1.2. But, that's really ugly and I
think that remasqing would be useful for other peer-to-peer situations. I'm
sure if I thought long enough I could even think of a few non-game related
applications.
I tried a bunch of things, including port forwarding, but none of the code
gets executed for a packet that is demasq'd. I'm not sure why this
restriction is made. It would seem to me that you can prevent masq abuse
with various input & output rules.
I was able to get the thing to work by hacking ip_forward.c. For the above
case I set fw_res = FW_MASQUERADE & skipped the check for IPSKB_MASQUERADED
around line 225 (I don't have the original source). Things worked if I put
the card in promiscuous mode.
Questions:
Anyone have a better idea than remasqing?
Anyone know why we don't let a demasq'ed packet go through the masq code?
Anyone feel like writing a module to do this?
Anyone have any documentation for the masq stuff in the kernel? There are a
few comments here and there, but any additional help would be appreciated.
Thanks,
-rick
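A toy model of the packet flow described in the post, added here and not part of the original message (the outside address EXT and the bnet server address are constructed): it shows why M2 rejects M1's direct reply when the demasq'd packet is simply forwarded, and accepts it once that packet is masqueraded again on the way to M1.

```python
from dataclasses import dataclass, replace

# Constructed addresses: EXT is the firewall's outside address, BNET a stand-in server.
M1, M2, EXT, BNET = "10.1.1.2", "10.1.1.3", "203.0.113.1", "198.51.100.9"
INTERNAL = {M1, M2}

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Masq:
    """Toy masquerade table: (inside ip, port) -> port on EXT."""
    def __init__(self, hairpin):
        self.hairpin = hairpin          # re-masquerade demasq'd inside->inside traffic?
        self.table, self.next_port = {}, 61001

    def masq(self, ip, port):
        if (ip, port) not in self.table:
            self.table[(ip, port)] = self.next_port
            self.next_port += 1
        return self.table[(ip, port)]

    def forward(self, pkt):
        if pkt.dst == EXT:                                  # inbound: demasquerade
            hit = [k for k, v in self.table.items() if v == pkt.dport]
            if not hit:
                return None                                 # no mapping: dropped
            pkt = replace(pkt, dst=hit[0][0], dport=hit[0][1])
            if self.hairpin and pkt.src in INTERNAL:        # the remasq the post asks for
                return replace(pkt, src=EXT, sport=self.masq(pkt.src, pkt.sport))
            return pkt
        if pkt.src in INTERNAL:                             # outbound: masquerade
            return replace(pkt, src=EXT, sport=self.masq(pkt.src, pkt.sport))
        return pkt

def join_game(hairpin):
    """Return (src, sport, dst, dport) of M1's reply as M2 sees it."""
    fw = Masq(hairpin)
    fw.forward(Packet(M1, 6112, BNET, 6112))        # M1 talks to bnet: creates EXT:61001
    join = fw.forward(Packet(M2, 6112, EXT, 61001)) # M2 joins at the address bnet gave it
    reply = Packet(M1, 6112, join.src, join.sport)  # M1 answers whoever it heard from
    seen = reply if reply.dst in INTERNAL else fw.forward(reply)  # LAN path skips the fw
    return (seen.src, seen.sport, seen.dst, seen.dport)

def m2_accepts(hairpin):
    """M2 only accepts a reply from the address:port bnet advertised."""
    src, sport, _, _ = join_game(hairpin)
    return (src, sport) == (EXT, 61001)
```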
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/
or email to [EMAIL PROTECTED]