mc-firewall

Let's build a mc firewall that works.

GPL-3.0 License

Minecraft Firewall

This project aims to protect Minecraft servers from DDoS attacks.

Features

  • Host Firewall
    • Protects the host from general threats like port scanning, SYN flooding, etc.
    • Can be imported using iptables.
    • Can be made persistent using iptables-persistent package.
  • Application Firewall
    • Protects the Minecraft server from DDoS attacks.
    • Limits the number of connections and bandwidth per IP.
    • Can be configured using HAProxy.
    • Can be used to redirect connections to a honeypot for further analysis.

Host Firewall

The Host Firewall is implemented with iptables. It aims to protect against more general threats like port scanning, SYN flooding, etc.

The firewall can be imported using the following command:

sudo iptables-restore host_firewall.iptables

Note: This will not be persistent after a reboot. You can use the iptables-persistent package to make it persistent.

Important: This will only handle IPv4 traffic. You should also configure the IPv6 firewall if you have IPv6 enabled.

See the host_firewall.iptables file for the rules.

This firewall is based on a snippet from Maxopoly (snippet).

Application Firewall

The Application Firewall is implemented with HAProxy. It aims to protect the Minecraft server from DDoS attacks by limiting the number of connections and the bandwidth per IP.

Currently, the limits are configured so that 2 players can play without any issues.

If the limit is reached, the connection should be redirected to a honeypot for further analysis.

Here is a honeypot that looks promising, but it needs HAProxy support: [Minecraft-Honeypot]

See the application_firewall.haproxy file for the configuration.

Note: The application firewall does not support bedrock edition yet.

Blacklisting

The Application Firewall can be used to blacklist IPs.

To blacklist an IP, add the IP or IP range to the /etc/haproxy/blacklist.lst file.

Alternatively, use the import script to import the blacklist from various sources:

sudo bash blacklist_importer.sh

Note: The blacklist file must be created before starting the HAProxy service.
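
As an added example (not the project's application_firewall.haproxy), the per-IP limits from the Application Firewall section and the blacklist lookup described above can be expressed in HAProxy as follows. The listen port, backend addresses, section names and all thresholds are assumptions chosen for illustration.

```haproxy
# Added illustration, not the project's own configuration.
# Ports, addresses, names and thresholds are assumed values.
defaults
    mode tcp                      # Minecraft Java Edition is plain TCP, not HTTP
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend minecraft_in
    bind :25565

    # One entry per source IP: open connections, new connections per 10s,
    # and inbound bytes per 10s.
    stick-table type ip size 100k expire 10m store conn_cur,conn_rate(10s),bytes_in_rate(10s)

    # Blacklist check comes first. The file holds one IP or CIDR range per
    # line and is read at startup, so it must exist before HAProxy starts.
    acl blacklisted src -f /etc/haproxy/blacklist.lst
    tcp-request connection reject if blacklisted

    # Track the source address, then apply the per-IP limits.
    tcp-request connection track-sc0 src
    tcp-request connection reject if { sc0_conn_cur gt 4 }
    tcp-request connection reject if { sc0_bytes_in_rate gt 500000 }

    # Sources opening connections too quickly go to the honeypot instead of
    # the real server (honeypot address is an assumption).
    use_backend honeypot if { sc0_conn_rate gt 10 }
    default_backend minecraft_server

backend minecraft_server
    server mc1 127.0.0.1:25566 check

backend honeypot
    server hp1 127.0.0.1:25567
```

Validate a configuration like this with `haproxy -c -f <file>` before reloading the service, and size the thresholds against real player traffic, since clients behind a shared NAT address count as one source IP.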

State of the Project

The project is still in development and not yet ready for production use.

The Host and Application Firewall are implemented and can be used.

Feel free to contribute to the project by creating issues or pull requests.

I hope this project can help to protect Minecraft servers and make the game more enjoyable for everyone.

Related Projects