iptables is the standard Linux firewall software. Its syntax is a little awkward, but luckily most of it can be copied with small changes, since the rule for each port looks almost the same. iptables is installed by default with the rules listed below, but for any other port you must add (and save) the rule yourself using the steps on this page.
MineOS Turnkey comes with 22, 8080 (old MineOS only), 8443 (new, node webui only) and 25565 open by default. Any additional ports (for additional servers or alternative ports) must be opened manually. Only MineOS Turnkey ships with a pre-configured firewall; other distributions (such as Ubuntu, CentOS, etc.) typically start unsecured after a fresh installation (no rules in place), so it is recommended that you add these rules to secure the server.
Establishing iptables rules
Checking iptables rules
Your actual rules may differ slightly.
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8080
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25565

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
An unconfigured iptables installation has a default policy of ACCEPT for all input, output and forward packets. This is an unsecured state. The proper way to secure a server is to lock out ALL inbound traffic and then individually allow only what you need. I have determined the following rules to be useful for all MineOS deployments; review each port to check whether it applies to you.
Note: if you are completing this step via PuTTY, it is essential you 'ACCEPT' ssh before you change the default policy to 'DROP'. The order these are listed in is significant.
| Command | Matching packets | Other packets | Port | Target | Effect |
|---|---|---|---|---|---|
| iptables -P INPUT ACCEPT | matched | unaffected | * | ACCEPT | All unmatched packets are ACCEPTED (policy change) |
| iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT | matched | unaffected | 22 (SSH) | ACCEPT | Allow SSH inbound |
| iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT | matched | unaffected | 8080 | ACCEPT | Allow webui on HTTPS (python webui only) |
| iptables -A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT | matched | unaffected | 8443 | ACCEPT | Allow webui on HTTPS (node webui only) |
| iptables -A INPUT -p tcp -m tcp --dport 25565 -j ACCEPT | matched | unaffected | 25565 | ACCEPT | Allow MC clients inbound |
| iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | matched | unaffected | * | ACCEPT | Permit packets in to the firewall itself that are part of existing and related connections |
| iptables -P INPUT DROP | matched | unaffected | * | DROP | All unmatched packets are dropped (policy change) |
Modifying iptables rules
The above listed rules are applied by default. Most of the time you will only need to add additional rules and commit them to disk. For example, to open up an additional Minecraft server port, you might type:
iptables -A INPUT -p tcp -m tcp --dport 25570 -j ACCEPT
You can then test the connectivity and, if all works as expected, save the rules as described under "Making changes permanent" below.
Removing individual rules can be done by replacing the -A (append) with -D (delete).
iptables -D INPUT -p tcp -m tcp --dport 25570 -j ACCEPT
Alternatively, you can list the rules with their numbers using --line-numbers and delete a rule by its number (for example iptables -D INPUT 5):
iptables --list --line-numbers
root@mineos ~# iptables --list --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8443
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25565
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25566
6    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
root@mineos ~# iptables -D INPUT 5
root@mineos ~# iptables --list --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8443
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25565
5    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
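Deleting by number is convenient but fragile: the numbers shift as soon as one rule is removed (in the session above the RELATED,ESTABLISHED rule moves from 6 to 5), so a number copied from an earlier listing can delete the wrong rule. The following script, an added example that is not code from the MineOS wiki or project, looks the number up from a fresh listing and deletes from the bottom up. SAMPLE_LISTING is a constructed copy of "iptables -L INPUT -n --line-numbers" output, including a duplicated 25566 rule of the kind you get from running -A twice; the function names are my own.

```shell
#!/bin/sh
# Added example for this page (not MineOS's own code): find the INPUT rule
# number(s) opening a given TCP port and delete by that number, rather than
# typing a number read off the screen earlier. SAMPLE_LISTING is a constructed
# copy of "iptables -L INPUT -n --line-numbers" output used for offline tests;
# -n prints "dpt:22" instead of "dpt:ssh", which keeps matching simple.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25565
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25566
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25566
7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
'

# rule_numbers_for_port PORT: read a numbered INPUT listing on stdin and print
# the number of every rule whose match is exactly "tcp dpt:PORT", one per line.
# The exact comparison means port 2556 does not match dpt:25565.
rule_numbers_for_port() {
    awk -v port="$1" '
        BEGIN { want = "dpt:" port }
        $1 ~ /^[0-9]+$/ && $3 == "tcp" && $NF == want { print $1 }'
}

# delete_order: sort rule numbers highest first. Every deletion renumbers the
# rules below it, so deleting from the bottom up keeps the other numbers valid.
delete_order() {
    sort -rn
}

# close_port PORT: remove every live INPUT rule that opens PORT. Run as root on
# the server itself; nothing here touches the firewall unless you call it.
# Remember to save the result (iptables-save) afterwards, as for any change.
close_port() {
    nums=$(iptables -L INPUT -n --line-numbers | rule_numbers_for_port "$1" | delete_order)
    [ -n "$nums" ] || { echo "close_port: no INPUT rule for port $1" >&2; return 1; }
    for num in $nums; do
        iptables -D INPUT "$num" || return 1
    done
}
```

On the constructed listing, rule_numbers_for_port 25566 prints 5 and 6, and delete_order turns that into 6 then 5, so the second deletion still hits the rule it was computed for. When you know the exact rule, the page's plain iptables -D with the full match is still the simpler choice; the lookup matters when you only know the port.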
Making changes permanent
Once you have a working set of rules you are happy with, save them to ensure they persist through reboots.
iptables-save > /etc/iptables-rules
Applying saved rules
To apply the set of rules generated by iptables-save, execute the following line:
iptables-restore < /etc/iptables-rules
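The rules under "Establishing iptables rules" and the save/restore steps above fit together in one script. The following is an added example, not code from the MineOS wiki or the MineOS project: it writes the page's ruleset in the format iptables-save produces and loads it with iptables-restore, which replaces the whole filter table in a single transaction, so the INPUT DROP policy and the port-22 ACCEPT take effect together and the ordering hazard noted for PuTTY does not arise. It assumes the /etc/iptables-rules path used on this page and that only TCP ports need opening; the loopback ACCEPT rule, the MINEOS_APPLY variable and all function names are my own additions.

```shell
#!/bin/sh
# Added example for this page (not MineOS's own code): build the MineOS ruleset
# in the format iptables-save writes, load it atomically with iptables-restore
# and keep it in /etc/iptables-rules (the path used on this page).
# Assumptions: only TCP ports need opening; the loopback ACCEPT is my own
# addition and is not one of the rules listed on the page.

# Return 0 only for a plain decimal port number in 1..65535, so a typo cannot
# silently open the wrong port or produce a rules file that fails to load.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then
        return 0
    fi
    return 1
}

# Print a complete *filter table for the given TCP ports (one per argument).
# iptables-restore applies everything between *filter and COMMIT at once, so
# the DROP policy never exists without the SSH ACCEPT beside it.
mineos_ruleset() {
    for port in "$@"; do
        valid_port "$port" || { echo "mineos_ruleset: bad port '$port'" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic (local services talking to each other); my addition.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections the server itself opened (same as the page's rule).
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Load the ruleset and, only if the kernel accepted it, save it to disk.
# A rules file with an error is rejected before COMMIT, so the running firewall
# is left as it was and the previous /etc/iptables-rules is kept.
mineos_apply() {
    tmp=$(mktemp) || return 1
    if mineos_ruleset "$@" > "$tmp" && iptables-restore < "$tmp"; then
        mv "$tmp" /etc/iptables-rules
    else
        rm -f "$tmp"
        return 1
    fi
}

# Stand-alone use: print the ruleset for the default MineOS Turnkey ports plus
# any extra ports given on the command line; MINEOS_APPLY=1 loads it instead.
if [ "${MINEOS_APPLY:-0}" = 1 ]; then
    mineos_apply 22 8443 25565 "$@"
else
    mineos_ruleset 22 8443 25565 "$@"
fi
```

Running the script without MINEOS_APPLY only prints the file, which is a good way to review it before loading; with MINEOS_APPLY=1 and an extra argument such as 25570 it opens the additional Minecraft port, saves the result and leaves the existing /etc/rc.local restore step unchanged.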
Applying rules on startup
/etc/rc.local is the boot-up script. Any user-specified commands may be entered here, such as the iptables restore command. On MineOS Turnkey this is already set up by default.
- vi /etc/rc.local
- Add iptables-restore < /etc/iptables-rules
- Save and quit; reboot
Permitting all traffic
Permitting all traffic by turning off all firewall rules is not advised, but it is sometimes useful temporarily to troubleshoot an issue, such as starting Minecraft servers on non-standard ports or using add-ons (for example connecting to MySQL remotely or VoIP apps). These steps are temporary and will be reverted on server reboot:
- Accept all traffic by default
- Flush all existing rules
iptables -P INPUT ACCEPT
iptables -F