[clug] iptables for a Minecraft file server

George at Clug Clug at goproject.info
Fri Sep 22 07:48:14 UTC 2017

A simple iptables firewall for a Minecraft server, comments

Thanks Steve for your previous comments, the below example uses

# Delete all existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Allow traffic on loopback
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow all inbound established connections
iptables -A INPUT  -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED

# Allow all outbound established connections
iptables -A OUTPUT -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED

# Enable specific incoming ports for ssh
iptables -A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW --dport 22

# Enable specific incoming port for Minecraft
iptables -A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW --dport
25565 -j ACCEPT

# Enable specific outgoing ports infrastructure support (ssh, dns,
apt, ntp)
iptables -A OUTPUT -o eth0 -p udp -m conntrack --ctstate NEW --dport
53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m conntrack --ctstate NEW -m
multiport --dport 22,53,80,123 -j ACCEPT

# Enable specific outgoing port(s) for Minecraft (Notes: 443 is by
Minecraft User Authentication. Does not include port 25575 for RCON)
iptables -A OUTPUT -o eth0 -p tcp -m conntrack --ctstate NEW -m
multiport --dport 443,25565 -j ACCEPT

# Allow ping
iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A OUTPUT -o eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Set default chain policies after opening ports
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP


Minecraft.net authentication == For logging in to Minecraft, address
"login.minecraft.net" is used over port 443 (HTTPS). For joining the
servers a reque..." (and the only contributor was "Kulttuuri [1]"))

Here's what needs to be opened up.  This comes directly from Tobias
Möllstam, Mojang's lead web/network guy.
For logging in login.minecraft.net [2] is used over port 443 (HTTPS)

And for joining the servers a request is sent
to session.minecraft.net [3] over port 80 (HTTP)

[2] http://login.minecraft.net/
[3] http://session.minecraft.net/

More information about the linux mailing list