Firewall Guide

Discussion in 'Wiki Discussion' started by jtaylor69, Sep 10, 2013.

  1. jtaylor69

    jtaylor69 Retired Moderator

    Firewall Guide

    Firewall Guide

    Securing your BungeeCord network

    The best way to fool-proof and secure your BungeeCord server is using a firewall in order to prevent access to them at all from the outside world. By default, most Linux distros come preinstalled with the easy to use iptables. Once you have everything set up you can activate this firewall with the command below. Replace $BUNGEE_IP with the IP of the server running BungeeCord, if your Minecraft server(s) and Bungeecord are on the same physical server, this IP will be Replace $SERVER_PORT with the port of your Minecraft server.

    Please note that all commands must be run as root.

    Installing iptables(top)

    Installation of the iptables software to your machine is fairly straightforward depending on your distribution of Linux. Note that Windows Server does not come with iptables pre-installed.

    RedHat/CentOS Distributions(top)

    Code (Text):
    sudo yum install iptables

    Debian/Ubuntu Distributions(top)

    Code (Text):
    sudo apt-get install iptables

    Firewalling with iptables(top)

    Code (Bash):
    iptables -I INPUT ! -s $BUNGEE_IP -p tcp --dport $SERVER_PORT -j DROP
    Alternatively if you have multiple Minecraft servers running instead of writing a rule for each server and its port you can use the following command to add a port range which will be blocked by the firewall. Replace $START_PORT and $END_PORT with your desired port range, don't forget the colon in between.

    Code (Bash):
    iptables -I INPUT ! -s $BUNGEE_IP -p tcp --dport $START_PORT:$END_PORT -j DROP

    Saving iptables rules(top)

    You must make these rules automatically apply each reboot. The commands used to do this vary depending on which Linux distribution you use:

    RedHat/CentOS Distributions(top)

    Code (Bash):
    /etc/init.d/iptables save

    CentOS 7 / RHEL(top)

    Code (Bash):

    Debian/Ubuntu Distributions(top)

    Code (Bash):
    apt-get install iptables-persistent
    dpkg-reconfigure iptables-persistent

    Resetting iptables(top)

    If at any time you find yourself unable to connect to your servers after updating iptables rules, simply enter this command to completely reset it:
    Code (Bash):
    iptables --flush

    Sample scripts(top)

    The code below is an iptables script for multiple dedicated machines with multiple servers by PhanaticD. Make a file called and paste the script below into it. Make necessary modifications to match your IPs and ports.
    Code (Bash):
    iptables -F #remove all existing rules
    iptables -X #remove all existing chains
    iptables -N bungee # create a new chain for bungee

    # Which IPs do you want to allow
    iptables -A bungee --src -j ACCEPT
    iptables -A bungee --src -j ACCEPT
    # etc
    iptables -A bungee --src -j ACCEPT

    # block anything not from the those IPs
    iptables -A bungee -j DROP

    # which ports will the above IPs be allowed to work on.
    # all other ports not here will not be limited
    iptables -I INPUT -m tcp -p tcp --dport 25565 -j bungee
    iptables -I INPUT -m tcp -p tcp --dport 25565 -j bungee
    # etc
    To execute the script, type:
    Code (Bash):
    chmod +x

    Using "ufw", or Uncomplicated Firewall, you can achieve the same effect as setting up iptables. Use the following code if ufw is installed:
    Code (Bash):
    ufw allow from localhost to any port 25565 proto tcp


    If you cannot configure a firewall, there are plugins which will allow you to achieve a similar result. Keep in mind third party plugins are not as secure as a firewall, and should only be used when a firewall is impractical (for example when using a shared host).

    Popular plugins to achieve this are:

    Be wary that the latter two of these plugin solutions may not fully protect you, given the following example.

    You have three Minecraft services on a shared host:

    1. BungeeCord running on
    2. Spigot Server #1 running on
    3. Spigot Server #2 running on
    4. IPWhitelist setup, on Spigot Server #1 and #2.

    If a malicious user purchases hosting from the same company, and are assigned to the same node as you*, all they have to do is setup their own BungeeCord, and they will be able to bypass plugins that restrict logins per-IP.

    *If not, the malicious user may be able to port-scan the server and reveal other Minecraft servers and target their owners (who have their server on the same node) to let them use their hosting account.
    • Useful Useful x 5
    • Winner Winner x 2
    • Like Like x 1
    • Informative Informative x 1
  2. Excellent tutorial.
    • Agree Agree x 5
    • Disagree Disagree x 1
  3. Hey!
    For my windows peeps who don't feel like installing Linux due to laziness, and are running all the servers on the same machine:
    A way around this would to be using a Linux machine you already have - your network router.
    Turn your port firewall on and only port forward the Bungee port

    Tested with a server running Windows 7, and <unknown network router>, but regardless of model port-forwarding should theoretically work in the same way.

    For those wanting to use Bungee on Windows and hosting on multiple machines, I have not found a solution as of yet.
  4. Thank you for Tutorial
  5. yeah, but in spigot.yml if I set to bungeecord=true , people who try to connect will get a message that says t connect through the bungee server.
    Can they still somehow log in ?

    And wouldn't they be in offline mode anyways, so no ranks, no op, no permissions (blank noob profile UUID hash)
  6. simpleauthority


    The idea is to run Bungee in online mode and run your nodes/servers in offline mode. In this way Bungee will authenticate with the Minecraft servers (how a server normally would) and pass the player's profile on to the receiving server. So you'll want to run your Spigot instances in offline mode, and configure them in such a way that they can not be connected to without Bungee being the proxy.

    Hopefully this answered your question. I'm taking a shot in the dark, because I'm not sure what your question is.
  7. Yes because Bungeecord=true REQUIRE a BungeeCord. They would need to join the server through it. No other way around it.
  8. Awesome thread, I'd just suggest you add a warning about the power of IP tables. Wouldn't be surprised if some people lock themselves out by making silly mistakes!
  9. ssamjh


    +1 did this, thank God for the emergency ssh thing hosts have
  10. An alternative to using a firewall is just keeping your internal servers on internal interfaces. Have them listen network local or machine local addresses (127.0.0.x, anything not routable by a internet facing interface, like 198.162.x.x). Then if you need to connect from off the machine or outside the private network, use a vpn.

    The way i am trying to work my bungee setup is with each server inside a docker container, so they each get their own private network interface. Then I can expose each interface to the bungee container to allow it to proxy to them.

    RE: firewalling yourself out of ssh:

    I generally ALWAYS have separate IP for administrative services like SSH and user facing services like minecraft and web. Its just good practice to isolate different service roles from each other whenever possible.
    #12 optimusbrine, Nov 14, 2015
    Last edited: Nov 14, 2015
    • Agree Agree x 1
  11. I dont quite understand the firewalls as i am a bit noob to it :p , well i know what firewalls are etc just ot how it works on multiple machines.
    Currently i have no active firewall as such but i ahve bungee as true , and each server (4 servers) as false , each server properties have ip as so should be fine and also in spigot bungeecord true so im fairly confident but not 100% it is secure currently.
    But i want to add a 2nd dedicated server , which server do i add iptables to or do i do it to both ? if i just add the iptable to new 2nd dedi i can do it so it shows the bungee main ip and only allow connections from that ?
    Any help would be great :)
  12. Thanks for this.
  13. thanks for share bro,it really helped me a lot i was very very very very lost :p

    - BlurGraphics
  14. Warning to those who plan to use iptables --flush. It blocked all ports on my server so I had to call my colocation provider to have them login to the server and stop and remove the iptables service which resulted in several hours downtime + administration fee.
    • Informative Informative x 1
  15. Good tutorial brother ;D
  16. It's definitely a nice guide, however, I'd have named it "Linux firewall guide". Because well, there's more than just Linux out there ;)
  17. For Centos 7+, RHEL and OpenSuSE:
    Code (Text):
    firewall-cmd --zone=public --remove-port=25565/tcp --permanent
    firewall-cmd --zone=drop --add-port=25565/tcp --permanent
    firewall-cmd --reload
    NB: Only use 'firewalld --reload' if your previous firewall rules have been created with --permanent. If you have previously added firewall rules without this option, redo them with it before reloading.
  18. This guide should drop iptables altogether and use ufw for everything. It makes it so much easier for beginners. There's no point in using iptables directly anymore, it's way too error-prone.