[clug] iptables for a Minecraft file server
George at Clug
Clug at goproject.info
Fri Sep 22 07:48:14 UTC 2017
A simple iptables firewall for a Minecraft server, comments anyone?

Thanks Steve for your previous comments, the below example uses conntrack.

# Delete all existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Allow traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow all inbound established connections
iptables -A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Allow all outbound established connections
iptables -A OUTPUT -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Enable specific incoming ports for ssh
iptables -A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
# Enable specific incoming port for Minecraft
iptables -A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW --dport 25565 -j ACCEPT
# Enable specific outgoing ports for infrastructure support (ssh, dns, apt, ntp)
# NTP uses UDP port 123, so it is allowed in the UDP rule rather than the TCP one
iptables -A OUTPUT -o eth0 -p udp -m conntrack --ctstate NEW -m multiport --dports 53,123 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m conntrack --ctstate NEW -m multiport --dports 22,53,80 -j ACCEPT
# Enable specific outgoing port(s) for Minecraft (Notes: 443 is used by
# Minecraft User Authentication. Does not include port 25575 for RCON)
iptables -A OUTPUT -o eth0 -p tcp -m conntrack --ctstate NEW -m multiport --dports 443,25565 -j ACCEPT
# Allow ping
iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Set default chain policies after opening ports
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Resources
https://minecraft.gamepedia.com/Server.properties
https://wiki.education.minecraft.net/wiki/index.php?title=Ports
Minecraft.net authentication == For logging in to Minecraft, address
"login.minecraft.net" is used over port 443 (HTTPS). For joining the
servers a reque..." (and the only contributor was "Kulttuuri [1]"))
https://groups.google.com/forum/#!topic/minecraft-teachers/WqmFsefKKLo
Here's what needs to be opened up. This comes directly from Tobias
Möllstam, Mojang's lead web/network guy.
For logging in login.minecraft.net [2] is used over port 443 (HTTPS)
And for joining the servers a request is sent
to session.minecraft.net [3] over port 80 (HTTP)
Links:
------
[1]
https://wiki.education.minecraft.net/wiki/Special:Contributions/Kulttuuri
[2] http://login.minecraft.net/
[3] http://session.minecraft.net/
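
With DROP as the policy on both INPUT and OUTPUT, a missed port or protocol fails silently, so it helps to check the expected flows against the rules before loading them. The following is an added example, not part of the original post: a small offline model of first-match evaluation, where `parse` and `verdict` are hypothetical helper names, the rule lines are a constructed subset modelled on the script above (interface matches and ICMP omitted, NTP on UDP), and the conntrack state of each flow is supplied by the caller.

```python
import shlex

# Constructed subset modelled on the script above; "-i/-o eth0" and ICMP omitted.
RULES = """\
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW --dport 25565 -j ACCEPT
-A OUTPUT -p udp -m conntrack --ctstate NEW -m multiport --dports 53,123 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 22,53,80 -j ACCEPT
-A OUTPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 443,25565 -j ACCEPT
"""
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "DROP"}


def parse(text):
    """Parse rule lines into dicts; every option used here takes one argument."""
    rules = []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        rule = {"proto": None, "states": None, "ports": None}
        for opt, val in zip(tok[0::2], tok[1::2]):
            if opt == "-A":
                rule["chain"] = val
            elif opt == "-p":
                rule["proto"] = val
            elif opt == "--ctstate":
                rule["states"] = set(val.split(","))
            elif opt in ("--dport", "--dports"):
                rule["ports"] = {int(p) for p in val.split(",")}
            elif opt == "-j":
                rule["target"] = val
            elif opt != "-m":  # "-m <module>" only names the match module
                raise ValueError(f"unsupported option: {opt}")
        rules.append(rule)
    return rules


def verdict(rules, chain, proto, state, dport):
    """First matching rule wins; otherwise the chain policy applies."""
    for r in rules:
        if (r["chain"] == chain
                and r["proto"] in (None, proto)
                and (r["states"] is None or state in r["states"])
                and (r["ports"] is None or dport in r["ports"])):
            return r["target"]
    return POLICY[chain]


if __name__ == "__main__":
    for flow in [("INPUT", "tcp", "NEW", 25565), ("INPUT", "tcp", "NEW", 25575),
                 ("OUTPUT", "udp", "NEW", 123), ("OUTPUT", "tcp", "NEW", 123)]:
        print(flow, "->", verdict(parse(RULES), *flow))
```
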