Firewall Guide

May 31, 2017

    Securing your BungeeCord network



    The best way to secure your BungeeCord network is to use a firewall that prevents any access to the Minecraft servers behind it from the outside world. By default, most Linux distros come preinstalled with the easy-to-use iptables. Once you have everything set up, you can activate this firewall with the command below. Replace $BUNGEE_IP with the IP of the server running BungeeCord; if your Minecraft server(s) and BungeeCord are on the same physical server, this IP will be 127.0.0.1. Replace $SERVER_PORT with the port of your Minecraft server.

    Please note that all commands must be run as root.


    Installing iptables

    Installation of the iptables software to your machine is fairly straightforward depending on your distribution of Linux. Note that Windows Server does not come with iptables pre-installed.

    RedHat/CentOS Distributions

    Code (Text):
    sudo yum install iptables

    Debian/Ubuntu Distributions

    Code (Text):
    sudo apt-get install iptables

    Firewalling with iptables

    Code (Bash):
    iptables -I INPUT ! -s $BUNGEE_IP -p tcp --dport $SERVER_PORT -j DROP

    Alternatively, if you have multiple Minecraft servers running, you can block a whole port range with one command instead of writing a rule for each server and its port. Replace $START_PORT and $END_PORT with your desired port range, and don't forget the colon in between.

    Code (Bash):
    iptables -I INPUT ! -s $BUNGEE_IP -p tcp --dport $START_PORT:$END_PORT -j DROP
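
To confirm that the rules above cover every backend port, the output of `iptables -S INPUT` can be audited. The script below is an added example, not part of the original guide. The address 10.0.0.5, the ports and the sample rule dump are constructed, and it checks only that a matching rule exists, not its position relative to other rules.

```shell
#!/bin/sh
# Added example: audit `iptables -S INPUT` output for the guide's DROP rule.

# Constructed sample dump: a range rule, a single-port rule, and a rule for
# 25580 that is missing the "!" (it drops BungeeCord instead of everyone else).
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT ! -s 10.0.0.5/32 -p tcp -m tcp --dport 25570:25575 -j DROP
-A INPUT ! -s 10.0.0.5/32 -p tcp -m tcp --dport 25565 -j DROP
-A INPUT -s 10.0.0.5/32 -p tcp -m tcp --dport 25580 -j DROP'

# port_guarded RULES BUNGEE_IP PORT
# Succeeds only if some INPUT rule drops TCP traffic to PORT from every
# source except BUNGEE_IP (negated source match, single port or range).
port_guarded() {
    printf '%s\n' "$1" | awk -v ip="$2" -v port="$3" '
        $1 == "-A" && $2 == "INPUT" {
            neg = 0; tcp = 0; drop = 0; hit = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "!" && $(i+1) == "-s" &&
                    ($(i+2) == ip || $(i+2) == (ip "/32"))) neg = 1
                if ($i == "-p" && $(i+1) == "tcp") tcp = 1
                if ($i == "-j" && $(i+1) == "DROP") drop = 1
                if ($i == "--dport") {
                    n = split($(i+1), r, ":")
                    lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                    if (port + 0 >= lo && port + 0 <= hi) hit = 1
                }
            }
            if (neg && tcp && drop && hit) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# audit_ports RULES BUNGEE_IP PORT...
# Prints the ports that no rule protects from hosts other than BUNGEE_IP.
audit_ports() {
    rules=$1; ip=$2; shift 2; exposed=""
    for p in "$@"; do
        port_guarded "$rules" "$ip" "$p" || exposed="$exposed $p"
    done
    echo "${exposed# }"
}

# On a live host, pass "$(iptables -S INPUT)" instead of the sample.
audit_ports "$SAMPLE_RULES" 10.0.0.5 25565 25572 25580 25590
```

Any port it prints is still reachable directly, bypassing BungeeCord.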

    Saving iptables rules

    You must make these rules apply automatically on each reboot. The commands used to do this vary depending on which Linux distribution you use:

    RedHat/CentOS Distributions

    Code (Bash):
    /etc/init.d/iptables save

    CentOS 7 / RHEL

    Code (Bash):
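    # iptables-save only prints the rules; write them to the file the iptables service restores at boot
    iptables-save > /etc/sysconfig/iptables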

    Debian/Ubuntu Distributions

    Code (Bash):
    apt-get install iptables-persistent
    dpkg-reconfigure iptables-persistent

    Resetting iptables

    If at any time you find yourself unable to connect to your servers after updating iptables rules, simply enter this command to completely reset it:
    Code (Bash):
    iptables --flush

    Sample scripts

    The code below is an iptables script for multiple dedicated machines with multiple servers by PhanaticD. Make a file called firewall.sh and paste the script below into it. Make necessary modifications to match your IPs and ports.
    Code (Bash):
    #!/bin/bash
    iptables -F # remove all existing rules
    iptables -X # remove all existing user-defined chains
    iptables -N bungee # create a new chain for bungee

    # Which IPs do you want to allow
    iptables -A bungee --src 111.111.111.111 -j ACCEPT
    iptables -A bungee --src 222.222.222.222 -j ACCEPT
    # etc
    iptables -A bungee --src 127.0.0.1 -j ACCEPT

    # block anything not from those IPs
    iptables -A bungee -j DROP

    # which ports the above IPs will be allowed to reach.
    # all other ports not listed here will not be limited
    iptables -I INPUT -m tcp -p tcp --dport 25565 -j bungee
    iptables -I INPUT -m tcp -p tcp --dport 25566 -j bungee # second server (example port)
    # etc

    To execute the script, type:
    Code (Bash):
    chmod +x firewall.sh
    ./firewall.sh

    Using "ufw", or Uncomplicated Firewall, you can achieve the same effect as setting up iptables. Use the following code if ufw is installed:
    Code (Bash):
    # ufw expects an IP address here; 127.0.0.1 is the BungeeCord IP when it runs on the same machine
    ufw allow from 127.0.0.1 to any port 25565 proto tcp

    Alternatives

    If you cannot configure a firewall, there are multiple plugins which will allow you to achieve a similar result. Keep in mind that third-party plugins will never be as secure as a firewall and should only be used as a last resort.

    Popular plugins to achieve this are:


    However, these plugin solutions may not fully protect you, given the following example.

    You have three Minecraft services on a shared host:

    1. BungeeCord running on 22.256.113.64:30000
    2. Spigot Server #1 running on 22.256.113.64:30001
    3. Spigot Server #2 running on 22.256.113.64:30002
    4. IPWhitelist set up on Spigot Server #1 and #2.

    If a malicious user purchases hosting from the same company and is assigned to the same node as you*, all they have to do is set up their own BungeeCord, and they will be able to bypass plugins that restrict logins per-IP.

    *If not, the malicious user may be able to port-scan the server and reveal other Minecraft servers and target their owners (who have their server on the same node) to let them use their hosting account.