Mojang Session Server IPs

Discussion in 'BungeeCord Help' started by AlanZ, Mar 9, 2018.

  1. I'm using iptables as an inbound/outbound firewall. I originally set it up to allow outgoing requests to the session server, but the IPs keep changing! I also had a similar problem with BuildTools downloading the vanilla Minecraft server jar. Is there a way to set iptables by hostname so it works even though the IP changes? (This is in BungeeCord Help because it is a BungeeCord server that is failing to connect.)
  2. You can run this plugin and actually see what plugin and stuff is being called
    Pattern recognition is easy when you run it a few times when you start and stop a server, or join and do stuff with plugins.
    The Mojang auth servers will also all be listed.
    Just set it to log to file so you can check after the fact and your console doesn't get listings from interceptions.
  3. Maybe I wasn't clear. The issue is that my firewall IS blocking the session server and I don't want it to, causing people to not be able to log in.
    #3 AlanZ, Mar 9, 2018
    Last edited: Mar 9, 2018
  4. Nick

    IRC Staff

    Mojang uses AWS Elastic Load Balancing, so there is no static IP you can allow through the firewall. You could allow all AWS IP addresses, but you're going to have a ton of overhead in doing so. You're probably better off just allowing all outbound traffic--after all, that traffic is only being generated from whatever executables you've already put on the server.
  5. Fine, don't use my recommendation to see the resolved hosts you can simply add to the exception list.
    I tried to help, shrug.
  6. Okay, I'll give that a try. Thanks!
  7. I know the host I need to allow, but iptables only works on IPs. Maybe I don't understand what this tool does. Are you saying I should use this instead of an outgoing firewall?
  8. No, the error is on my part.

    When you use a domain name with an iptables rule, a DNS lookup is performed and the domain name is resolved to an IP address, and the IP address at that particular moment in time is used in the rule.

    This is what I assumed it would do each time, but of course, if the IP changes, iptables isn't doing another lookup to get the latest, so it goes through. Apologies for not realising last night what happens the next time it runs into the host.

    I guess the only thing you can do is accept the IP range from AWS if they're known and open port 443?


    Maybe you can run a service that does a lookup and compares it to the rules of iptables, and if the IP isn't in there, it adds or replaces it? That way, every minute, hour, day, whatever, you at least have a more recent one. (But that's a patch, not a solution.)

    Maybe check the iptables manual to see if they have a startup param for 'always resolve domains on each hit' or something.
    #8 mrfloris, Mar 9, 2018
    Last edited: Mar 9, 2018
  9. Yeah, there's an idea. Hmm, I'll have to think about that. Thanks!
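
The periodic lookup-and-compare service suggested in post #8, sketched as an added example (not code posted by anyone in the thread): the iptables rule matches an ipset, and a scheduled script diffs the set against a fresh DNS lookup. The hostname `sessionserver.mojang.com`, the set name `mojang-session` and the function names are assumptions; the sample addresses in the comments are constructed.

```shell
#!/bin/sh
# Added example: keep an ipset in step with a hostname's current A records.
# Assumptions: HOST is the session server's name, SET is a made-up set name.
HOST="sessionserver.mojang.com"
SET="mojang-session"

# One-time firewall rule that matches the set instead of a fixed IP:
#   iptables -A OUTPUT -p tcp --dport 443 -m set --match-set mojang-session dst -j ACCEPT

# Print the host's IPv4 addresses, one per line; drop anything not shaped like one.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk '{ print $1 }' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Compare the set's members ($1) with a fresh lookup ($2), both newline-separated
# (e.g. "192.0.2.10" vs "192.0.2.12", constructed values).
# Prints "add IP" / "del IP" lines. Fails on an empty lookup so that a DNS
# outage never empties the set.
plan_changes() {
    have=$1
    want=$2
    [ -n "$want" ] || return 1
    for ip in $want; do
        printf '%s\n' "$have" | grep -qFx -- "$ip" || echo "add $ip"
    done
    for ip in $have; do
        printf '%s\n' "$want" | grep -qFx -- "$ip" || echo "del $ip"
    done
}

# Resolve, diff against the live set, apply. Needs root and the ipset tool.
sync_set() {
    ipset create "$SET" hash:ip -exist
    members=$(ipset save "$SET" | awk '$1 == "add" { print $3 }')
    fresh=$(resolve_ipv4 "$HOST")
    plan=$(plan_changes "$members" "$fresh") || {
        echo "lookup for $HOST returned nothing; $SET left unchanged" >&2
        return 1
    }
    [ -z "$plan" ] || printf '%s\n' "$plan" | while read -r op ip; do
        ipset "$op" "$SET" "$ip" -exist
    done
}

# Only touch the firewall when asked to, e.g. from cron: sync-set.sh --apply
case "${1:-}" in
    --apply) sync_set ;;
esac
```

Between runs the set can still lag behind DNS, which is the limitation post #8 already points out.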
