IPtables Assistance

Discussion in 'Systems Administration' started by TailzPrime, Oct 8, 2019.

  1. This year I came into ownership of a small PVP server and I've had to teach myself a lot of backend stuff as best as I could. We recently got UUID spoofed. I *think* it's where I inadvertently had my lobby's (my main and default server) IP set to 0.0.0.0 in the server.properties file (which I've now changed to 127.0.0.1). I read in the Spigot setup for Bungee that if proxy and server are on the same machine (we ARE using a dedicated server running Debian 9) that just setting our IPs to 127.0.0.1 is enough. It said that if we were on a shared machine that we should use the iptables firewall. Just to be safe I've tried running this command: iptables -I INPUT ! -s 127.0.0.1 -p tcp --dport 25501:25589 -j DROP using both the 127.0.0.1 address as well as our actual server IP, and both prevent me from logging on to the server. I've read some of @PhanaticD's entries in the Spigot forums but I'm still not 100% on everything. Do I need to set up iptables? And if so, am I doing something wrong with this command? I tried a couple of scripts but they kept having issues with 'Invalid target name' when it came to the DENY or ALLOW or even with the 'bungee' chain name. I am also looking at getting the BungeeGuard (2 part) plugin to help prevent any future issues. Does anyone have any input on the effectiveness or need of that? Thanks so much!!
     
  2. MikeA (Retired Moderator, Retired Benefactor)

    Run these on the system that is running the Spigot (backend) servers.
    Code (Text):
    iptables -A INPUT -p tcp --dport SPIGOT_PORT_HERE -s BUNGEE_IP_HERE -j ACCEPT
    iptables -A INPUT -p tcp --dport SPIGOT_PORT_HERE -j DROP
    Replacing the texts with the Spigot server port and the Bungee IP, of course. If you're on a shared hosting system, ask the host to do it; most should do it, it only takes a few seconds. If their concern is the port being recycled in the future and affecting another client, ask them to change the port to something in the 10000-15000 range.

    If you host everything yourself on a single dedicated server then no need to do that. Just run the Spigot servers on 127.0.0.1 (localhost) and only your Bungee server will be able to connect anyways.
     
  3. Thank you so much for the feedback @MikeA !! I will keep the iptables info on hand for any shared hosting in the future. We are currently on a dedicated server and I've gone through and made sure all the Spigot servers are using 127.0.0.1 in the server.properties. I just wanted some confirmation that I had it set correctly. Thank you again for the help, I truly appreciate it!!
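
An added example, not written by any poster in this thread: a small Python audit that checks the `server-ip` binding discussed above in each backend's server.properties and reports which backends are reachable from outside the machine. The sample file contents are constructed, and the one-directory-per-backend layout used by `audit_tree` is an assumption.

```python
import ipaddress
from pathlib import Path

def parse_properties(text):
    """Parse key=value lines of a server.properties file, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_backend(text):
    """Return (ok, message) for the content of one backend's server.properties."""
    props = parse_properties(text)
    bind = props.get("server-ip", "")
    port = props.get("server-port", "25565")  # Minecraft's default port
    if not bind:
        return False, f"port {port}: server-ip is empty, so it listens on every interface"
    try:
        addr = ipaddress.ip_address(bind)
    except ValueError:
        return False, f"port {port}: server-ip '{bind}' is not an IP literal, check what it resolves to"
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return False, f"port {port}: bound to {bind}, reachable on every interface"
    if addr.is_loopback:     # 127.0.0.0/8 or ::1
        return True, f"port {port}: bound to {bind}, only local processes can connect"
    return False, f"port {port}: bound to {bind}, needs a firewall rule admitting only the proxy"

def audit_tree(root):
    """Audit every server.properties under root (assumed: one directory per backend)."""
    files = sorted(Path(root).rglob("server.properties"))
    return {str(p): audit_backend(p.read_text()) for p in files}

# Constructed sample contents, not taken from any real server.
SAMPLE_EXPOSED = "#Minecraft server properties\nserver-ip=0.0.0.0\nserver-port=25501\n"
SAMPLE_LOCAL = "#Minecraft server properties\nserver-ip=127.0.0.1\nserver-port=25502\n"
SAMPLE_EMPTY = "server-ip=\nserver-port=25503\n"

if __name__ == "__main__":
    for name, text in [("lobby", SAMPLE_EXPOSED), ("pvp", SAMPLE_LOCAL), ("hub", SAMPLE_EMPTY)]:
        ok, message = audit_backend(text)
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {message}")
```

A FAIL for a non-loopback address is expected on a shared or multi-machine setup; there the ACCEPT/DROP pair from MikeA's post is what restricts the port to the proxy.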