Firewall

Discussion in 'Systems Administration' started by Xx_Will33_xX, Aug 5, 2019.

  1. Hello,

    I'm currently having some trouble protecting a spigot server on another machine from the BungeeCord

    BungeeCord IP (example): 111.111.111.111:25565
    Spigot IP (example): 222.222.222.222:33658

    Code (Text):

    # flush all rules and delete user chains (default INPUT policy stays ACCEPT)
    iptables -F
    iptables -X
    # drop anything to the Spigot port that does not come from the proxy
    iptables -I INPUT ! -s 111.111.111.111 -p tcp --dport 33658 -j DROP
    iptables -I INPUT ! -s 111.111.111.111 -p udp --dport 33658 -j DROP

    With this rule, users cannot connect (ConnectTimeoutException).

    BungeeCord config:

    Code (Text):

    listeners:
    - query_port: 25565
      motd: '&1BungeeCord'
      tab_list: SERVER
      query_enabled: true
      forced_hosts: []
      ping_passthrough: false
      bind_local_address: true
      host: 111.111.111.111:25565
      max_players: 400
      tab_size: 90
      force_default_server: true
      priorities:
      - auth
      proxy_protocol: false
    network_compression_threshold: 256
    permissions:
      admin: []
    log_pings: true
    connection_throttle_limit: 3
    prevent_proxy_connections: false
    timeout: 30000
    inject_commands: false
    player_limit: 400
    restricted: false
    ip_forward: true
    groups:
      md_5:
      - admin
    connection_throttle: 4000
    log_commands: true
    stats: 37f6d606-278e-4bb0-bbdb-dfd4ab102e35
    online_mode: true
    forge_support: false
    disabled_commands:
    - disabledcommandhere
    servers:
      Skyblock:
        motd: '&1Skyblock'
        address: 222.222.222.222:33658
        restricted: false
     
     
  2. foncused

    Moderator Patron

    Players connect to 111.111.111.111:25565 and the proxy sends them off to the Spigot server (222.222.222.222:33658). Your current iptables lines are dropping traffic to 222.222.222.222:33658 from any source IP other than 111.111.111.111, but you also need to allow traffic from your proxy.

    Basically, the firewall on 111.111.111.111 would need to allow connections to TCP 25565 (and whatever else, e.g. SSH, ICMP) and drop anything not explicitly allowed.
    Code (Bash):
    # Firewall on 111.111.111.111
    iptables -A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT
    iptables -A INPUT -s <your IP> -p tcp -m tcp --dport 22 -j ACCEPT
    # any other rules
    ...
    iptables -A INPUT -j DROP

    Then do the same with the firewall on 222.222.222.222 but with TCP 33658 and specify the source IP of your BungeeCord proxy. You can open UDP too if you want to enable query (I recommend doing so at the proxy level).
    Code (Bash):
    # Firewall on 222.222.222.222
    iptables -A INPUT -s 111.111.111.111 -p tcp -m tcp --dport 33658 -j ACCEPT
    iptables -A INPUT -s <your IP> -p tcp -m tcp --dport 22 -j ACCEPT
    # any other rules
    ...
    iptables -A INPUT -j DROP

    Then your BungeeCord config.yml can be set to host: 0.0.0.0:25565.
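A complete backend-side ruleset of the kind the answer above sketches, as an added example that is not from the thread or from either poster. It uses the thread's example addresses (proxy 111.111.111.111, Spigot port 33658); the admin host 203.0.113.10 is a placeholder. Instead of appending rules one at a time it writes the whole filter table in iptables-restore format, with a DROP policy, a conntrack rule for return traffic, and a small review helper that lists which sources a port is open to without needing root:

```shell
#!/bin/sh
# Added example, not code from the thread: build the Spigot backend's firewall
# as one iptables-restore ruleset. Addresses follow the thread's examples; the
# admin host (203.0.113.10) is a placeholder to replace with your own.

# Print an iptables-restore ruleset for the backend host.
#   $1 = address the BungeeCord proxy connects from (111.111.111.111 in the thread)
#   $2 = host allowed to reach SSH (placeholder)
#   $3 = Spigot listen port (33658 in the thread)
backend_ruleset() {
    proxy_ip="$1"
    admin_ip="$2"
    mc_port="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host opened (apt, DNS, the proxy's answers)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP keeps ping and path-MTU discovery working
-A INPUT -p icmp -j ACCEPT
# management: new SSH sessions only from the admin host
-A INPUT -s ${admin_ip} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Minecraft: only the proxy may open connections to the backend port;
# players hitting ${mc_port} directly fall through to the DROP policy
-A INPUT -s ${proxy_ip} -p tcp --dport ${mc_port} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Review helper: list the source addresses the generated ruleset lets open a
# new connection to TCP port $4. It reads the text only, so it needs no root.
sources_allowed_to() {
    backend_ruleset "$1" "$2" "$3" | awk -v port="$4" '
        $1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
            src = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
            }
            if (dport == port && src != "") print src
        }'
}

# Apply atomically with iptables-restore: the whole filter table is swapped in
# one step, so there is no window with the old rules flushed and nothing loaded
# (unlike "iptables -F" followed by one -I/-A command at a time).
apply_backend_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "not root: printing the ruleset instead of loading it" >&2
        backend_ruleset "$@"
        return 0
    fi
    backend_ruleset "$@" | iptables-restore
}

# Usage on the backend host (not executed here):
#   apply_backend_ruleset 111.111.111.111 203.0.113.10 33658
```

After loading it, `iptables -L INPUT -nv` shows per-rule packet counters; if players still time out while the counter on the proxy rule stays at zero, the proxy is reaching the backend from an address other than the one in the rule (a host with several addresses connects out from its primary one, not necessarily from the one BungeeCord binds to), and the `-s` value has to be that outbound address.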