Securing Your UT3 Linux Server With DMZ & UFW

    Hey everyone.

    My name's Eric and I run a rather large LAN party, BurningLAN, in York, PA. While not running the events I host a private UT3 internet server for those who attend, and I thought that I would share a bit of knowledge with you.

    While I read over the threads here, I noticed that people who wished to host behind a router could not do so because either:
    1. They could not get ports forwarded correctly, and/or
    2. They did not want their server on a DMZ due to fears of being wide open to the big scary internet.

    Now, I have come across a few threads that detailed all sorts of workarounds, which some claimed worked and some insisted did not. I am posting to help those of you out who are having trouble with these issues.

    Now, before I begin, I would like to state my qualifications for you. I am a CCNA, CCNP, A+, Network+, Security+, Linux+, MCSA, MCSE, MCDST. In other words, I know what I'm doing, so please don't take me for being "just some kid who likes computers and UT3". Thanks.

    Now, on to the securing.

    As I said before, people generally are afraid to put their UT3 server on a DMZ for security reasons. This is perfectly understandable, but a DMZ is the best way to get your server listed and functioning correctly.

    Note: While port forwarding technically does work, it can put quite a bit of pressure on home routers, which is why I don't recommend it for anyone with a router that doesn't have a Network Processing Unit (NPU) built-in.

    Now. Securing your UT3 server with this guide requires a few things:
    • You must have a router with DMZ capability.
    • You must be running some sort of Linux. I highly recommend Ubuntu Server, as it is extremely stable and has just about everything you'll need for the rest of the guide.
    • A basic knowledge of terminal commands. I administer the server over SSH, and I recommend you do the same. It has its advantages.
    • If you don't have Ubuntu Server, you'll need the Uncomplicated Firewall (ufw). There are many other Linux firewall solutions out there, but this is one that is easy to configure, and is extremely secure. If you're running a Debian distro, open a terminal and type "sudo apt-get install ufw". There you go.

    After analyzing my UT3 traffic for about a month, I've compiled this list of ports that seem to be in use on a normal UT3 server with GameSpy enabled (props to for providing the names of the services).

    • 6500 (Query)
    • 6515 (Dplay UDP)
    • 7777 (Port for UT3 - default is 7777, you can change in server setup)
    • 13000 (Port for UT3)
    • 13139 (Custom UDP Pings)
    • 27900 (Master Server UDP Heartbeat)

    • 3783 (Voice)
    • 6667 (IRC)
    • 28900 (Master Server List Request)
    • 29900 (GP Connection Manager)
    • 29901 (GP Search Manager)

    First things first. DMZ your server's IP with your router.

    Cool. Now, there are a couple of ways you can set up your server's UFW firewall. Because UFW's default policy is "deny all incoming traffic", it's wise to configure ports first, then enable it (UFW is disabled by default).

    The first way you can achieve this is by simply adding every UT3 port to the list of allowed/open ports. You can do this by typing:

    sudo ufw allow port/protocol
    e.g. sudo ufw allow 80/tcp

    This method, as you can guess, is... well, insane and inefficient, and you will probably get frustrated when you see the giant list of ports when you type:

    sudo ufw status

    The second way is much better. UFW supports what are called Application Profiles, which are essentially aliases for a set of ports and will put a nice clean entry into your list: "UT3 Internet Server". How do we do this? It's very simple. Open up a terminal or an SSH session:

    cd /etc/ufw/applications.d/
    sudo wget
    sudo ufw app-update --add-new ut3
    sudo ufw allow "UT3 Internet Server"

    To open up SSH:

    sudo ufw allow OpenSSH

    And enable the firewall:

    sudo ufw enable

    Sweet. Now only the necessary ports are open to run your UT3 server, and SSH!

    Got problems? Post 'em, I'll monitor the thread.
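
For readers who want to see what such an application profile contains, the following is an added example, not the file from the original post: a small shell function that emits a ufw profile for the ports listed above. It assumes the first port group in the post is UDP and the second is TCP (the post does not label them), and the file name `ut3` and the title/description text are likewise assumptions.

```shell
#!/bin/sh
# Added example: build a ufw application profile from the post's port list.
# Assumption: first port group = UDP, second group = TCP (not stated in the post).
UDP_FIXED="6500 6515 13000 13139 27900"
TCP_PORTS="3783 6667 28900 29900 29901"

# join_ports "a b c" -> "a,b,c"
join_ports() {
    echo "$1" | tr -s ' ' ','
}

# valid_port N -> success only if N is a decimal integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ut3_profile [GAME_PORT] -> profile text on stdout.
# GAME_PORT defaults to 7777; pass the port chosen in server setup if changed.
ut3_profile() {
    game_port="${1:-7777}"
    valid_port "$game_port" || {
        echo "invalid game port: $game_port" >&2
        return 1
    }
    udp=$(join_ports "$UDP_FIXED $game_port")
    tcp=$(join_ports "$TCP_PORTS")
    printf '[UT3 Internet Server]\n'
    printf 'title=Unreal Tournament 3 dedicated server\n'
    printf 'description=Game, query and GameSpy ports for a UT3 server\n'
    printf 'ports=%s/udp|%s/tcp\n' "$udp" "$tcp"
}

# Install as root (file name "ut3" is an assumption), then allow by name:
#   ut3_profile 7777 > /etc/ufw/applications.d/ut3
#   ufw allow "UT3 Internet Server"
```

Because a DMZ host receives every unsolicited inbound packet, reviewing the generated `ports=` line before installing it is the point at which an unneeded service (for example IRC on 6667) can be dropped from the allow list.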

    Very nice thread!
    Hope Epic will soon release the final Linux server version of UT3.