Let's build a mc firewall that works.
GPL-3.0 License
This Project aims to protect Minecraft Servers from DDOS attacks.
The Host Firewall is realized with iptables. It aims to protect against more general threats like port scanning, SYN flooding, etc.
The firewall can be imported using the following command:
sudo iptables-restore host_firewall.iptables
Note: This will not be persistent after a reboot. You can use the iptables-persistent package to make it persistent.
Important: This will only handle IPv4 traffic. You should also configure the IPv6 firewall if you have IPv6 enabled.
See the host_firewall.iptables file for the rules.
This firewall is based on a snippet from Maxopoly (snippet).
The Application Firewall is realized with HAProxy. It aims to protect the Minecraft Server from DDOS attacks by limiting the number of connections and the bandwidth per IP.
Currently the limits are configured in a way that 2 players can play without any issues.
If the limit is reached, the connection should be redirected to a honeypot for further analysis.
Here is a honeypot that looks promising, but it needs HAProxy support: [Minecraft-Honeypot]
See the application_firewall.haproxy file for the configuration.
Note: The application firewall does not support bedrock edition yet.
The Application Firewall can be used to blacklist IPs.
To blacklist an IP, add the IP or IP range to the /etc/haproxy/blacklist.lst file.
Or use the import-script to import the blacklist from various sources.
sudo bash blacklist_importer.sh
Note: The blacklist file must be created before starting the haproxy service.
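Imported feeds can contain junk lines, duplicates, or ranges that would block your own hosts. The following is an added example, not part of this project or its blacklist_importer.sh, that merges feed text into clean IP/CIDR entries for the blacklist file; the protected ranges, prefix limits and sample feeds are assumptions made for illustration.

```python
import ipaddress

# Assumptions (not from the project): ranges that must never be blacklisted, and
# the broadest prefix accepted per IP version before an entry counts as a feed error.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]
MIN_PREFIX = {4: 8, 6: 32}

# Constructed sample feeds (documentation address ranges), not real blocklist data.
SAMPLE_FEEDS = [
    "# feed A\n203.0.113.0/25\n203.0.113.128/25\n198.51.100.7\n",
    "198.51.100.7  # duplicate\n0.0.0.0/0\n192.168.1.10\nnot-an-ip\n2001:db8::/32\n",
]


def parse_feed(text):
    """Return (networks, rejected_lines) for one feed's raw text."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry)  # strict: entries with host bits set fail
        except ValueError:
            rejected.append(raw)
            continue
        protected = any(p.version == net.version and net.overlaps(p) for p in NEVER_BLOCK)
        if protected or net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append(raw)
        else:
            nets.append(net)
    return nets, rejected


def build_blacklist(feeds):
    """Merge feeds into a sorted, de-duplicated, collapsed list of CIDR strings."""
    nets, rejected = [], []
    for text in feeds:
        accepted, bad = parse_feed(text)
        nets += accepted
        rejected += bad
    merged = []
    for version in (4, 6):  # collapse_addresses cannot mix IP versions
        merged += ipaddress.collapse_addresses([n for n in nets if n.version == version])
    return [str(n) for n in merged], rejected
```

Write the returned entries, one per line, to /etc/haproxy/blacklist.lst and review the rejected lines before restarting HAProxy.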
The project is still in development and not yet ready for production use.
The Host and Application Firewall are implemented and can be used.
Feel free to contribute to the project by creating issues or pull requests.
I hope this project can help to protect Minecraft Servers and make the game more enjoyable for everyone.