Firewall Help

Discussion in 'BungeeCord Help' started by mgsolidus, Jul 5, 2015.

  1. Hey all.

    Reading the firewall guide and I'm a little confused...
    Let's imagine this is my setup:

    1.1.1.1:25565 - HUB (bungee) SERVER

    2.2.2.2:25565/25566/etc.. - OTHER (spigot) SERVERS (completely different machines btw)

    So if I'm understanding correctly, I DROP all connections to the "other servers"? Currently I have all ports with spigot servers open and accepting connections.

    Thank you.
     
  2. Bungee is on port 25565 and hub would be on 25566 and other spigot servers would be on 25567 and so on.
     
  3. I know, that's the setup I've got almost. Here's what I have,
    Server 1 in Kansas - Bungee on 25565 and Hub on 25566
    Server 2 in Chicago - 12 servers from 25565-25576

    But it's this that confuses me,

    Code (Text):
    iptables -I INPUT ! -s $BUNGEE_IP -p tcp --dport $START_PORT:$END_PORT -j DROP
    it's telling me to drop, essentially block, all connections to ports 25565 to 25576 on server 2?
     
  4. Don't block 25565, that's the bungee server.
     
  5. Not on server 2 ;)
     
  6. I know.
     
  7. So.... anyone who actually understands my posts want to chime in?
     
  8. Okay, so I guess this only allows connections to bungee-connected servers if you are connecting FROM the bungee IP? For me, it just denies access to the remote servers completely.
     
  9. Just making sure, sorry ... Are the IPs static?
     
  10. Yes.
    using 1.1.1.1 for bungee and hub
    using 2.2.2.2 for spigot servers on a different machine
     
  11. What you want is 2.2.2.2 to allow all incoming connections from 1.1.1.1 and 1.1.1.1 to allow all incoming connections from 2.2.2.2 for communication. 2.2.2.2 needs to have 25565 open for all. You will also want basic ports open, like 21 FTP or 80 Webserver.
    Am I getting you right?
     
  12. I think so. Is this correct?

    Code (Text):
    iptables -I INPUT ! -s 1.1.1.1 -p tcp --dport 25565:25576 -j DROP
    where 1.1.1.1 is the bungee server. This is what I did on the second server (2.2.2.2), and it blocked anyone from accessing the servers.
     
  13. Code (Text):
    iptables -I INPUT ! -s 1.1.1.1 -p tcp --dport 25565:25576 -j ALLOW
    would be correct. You want to ALLOW the connection, not DROP it.
     
  14. That was why I'm confused, the firewall guide says to DROP.
    So I guess I've done it correctly after all... right now nobody can connect to servers without going through bungee first. Trying to connect directly to a server results in this,
    "If you wish to use ip forwarding please enable it in your bungeecord config as well"

    Which is a strange message given that I have ip forwarding enabled.
     
  15. Then you've done it wrong. I'd like to refer you to: https://www.spigotmc.org/threads/my-server-was-hacked-exploit.42651/#post-485515

    Try
    Code (Text):
    iptables -A INPUT -p tcp -s 1.1.1.1 --dport 25565:25576 -j ACCEPT
    instead and remove the previous rule if possible, maybe flush entire IPTables if you didn't have any other rules.
     
  16. That was what I did first, but I was confused because the documentation says to DROP.
    I've also got ports 25565:25576 listed in TCP_IN for CSF too. Maybe that's a bad idea.
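
Added example, not part of the thread or the firewall guide: a small shell model of iptables first-match evaluation, comparing the guide's `! -s ... -j DROP` rule with the ACCEPT-only rule from post 15 on the backend host. It assumes the INPUT chain's default policy is ACCEPT and that no other rules (such as CSF's) are loaded; the rule tuple format and the client address 203.0.113.9 are constructed for the sketch.

```shell
#!/bin/sh
# Models which verdict a TCP packet gets on the backend (2.2.2.2) host.
# Rule format (constructed for this sketch, not iptables syntax):
#   "<match> <source-ip> <first-port> <last-port> <target>"
#   match "not" mirrors "! -s IP"; match "is" mirrors "-s IP".
BUNGEE=1.1.1.1      # the thread's placeholder for the BungeeCord host
POLICY=ACCEPT       # assumed default INPUT policy

# The firewall guide's rule: drop anything NOT coming from the bungee host.
GUIDE_RULES="not $BUNGEE 25565 25576 DROP"
# Post 15's rule on its own: accept the bungee host, nothing else listed.
ACCEPT_ONLY_RULES="is $BUNGEE 25565 25576 ACCEPT"

# verdict RULES SRC DPORT -> prints ACCEPT or DROP for one packet.
verdict() {
    rules=$1 src=$2 dport=$3
    # The here-document keeps the loop in the current shell so `return` works.
    while read -r match ip lo hi target; do
        [ -n "$match" ] || continue
        # --dport lo:hi
        [ "$dport" -ge "$lo" ] && [ "$dport" -le "$hi" ] || continue
        # -s IP, optionally negated with "!"
        case $match in
            is)  [ "$src" = "$ip" ] || continue ;;
            not) [ "$src" != "$ip" ] || continue ;;
        esac
        echo "$target"; return 0    # first matching rule decides
    done <<EOF
$rules
EOF
    echo "$POLICY"                  # nothing matched: the chain policy applies
}

# Compare both rule sets for the proxy and for a direct client.
for src in "$BUNGEE" 203.0.113.9; do
    echo "$src guide=$(verdict "$GUIDE_RULES" "$src" 25570)" \
         "accept-only=$(verdict "$ACCEPT_ONLY_RULES" "$src" 25570)"
done
```

Under these assumptions the guide's DROP rule is the one that restricts the backend ports to the proxy, while an ACCEPT rule alone leaves direct connections falling through to the ACCEPT policy.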