Do I need to open ports in my firewall to see LAN games on Minecraft? If so, which?

Solution 1:

Newer Fedora versions (Fedora 18 and onwards) use Firewalld to manage iptables rules. The iptables service that loads rules out of /etc/sysconfig/iptables is not present by default. A bunch of my answer involves manually bashing about in iptables rules. This is a bit of new ground for me, as my main experience with firewalld up to this point has been making a beeline back to traditional reading of iptables rules out of the save file. Most of the firewalld information was collected on the fly based on the iptables rules that it implemented.

I double-checked this on a Fedora 20 VM that I've been fiddling with. When a rule is set in firewall-config, the packet for a new connection must go through the following steps to be accepted.

  1. New packet hits INPUT chain. Packets in existing connections are automatically accepted.
  2. All prospective connections from the outside are sent to either the INPUT_ZONES_SOURCE chain or the INPUT_ZONES chain, based on whether they were picked out by source IP or by the interface the packet came in on. The logic within each is pretty much the same, other than the IP/interface note. I'll be focusing on INPUT_ZONES_SOURCE for my example.
  3. I added my Minecraft rule to the 'home' zone, so I had added an entry in home->sources stating that packets coming from the network address of 10.20.30.0/24 were coming from home. In INPUT_ZONES_SOURCE, there was a rule that would send all packets coming from that IP range to the IN_home chain.
  4. In the IN_home chain I had three chains dedicated to specific tasks: IN_home_log, IN_home_deny (this was empty, as I hadn't set anything), and IN_home_allow.
  5. IN_home_allow held all of the allowed services for the 'home' zone, including the 25565 rule that I had just put in. Though I didn't start up a Minecraft server or bind anything else to TCP/25565, I could see that some other default rules did record that packets were being accepted, so traffic was being evaluated against this rule.
  6. Any rule that does not get accepted will eventually splatter against the last rule of the INPUT chain. The final rule will reject any packet that is still on the chain.

To get to the point of my explanation, could I confirm that you've set an input interface or an IP address/range for the zone that you're allowing the port in? You've placed a rule to allow the port in a given zone, but it sounds as though the packet doesn't have a way to reach that rule and be accepted.

You can list a table using iptables -nvL. Firewalld sets up a lot of chains, so if you want to take a look at one in particular, add the chain name as an argument: iptables -nvL <chain-name>. If you can see numbers greater than zero in the left-hand columns, this means that packets have reached and triggered the rule. (The action the rule takes is in the third column.)

To force your firewall to accept everything, and to see if something along the line is causing you grief, you could stop the firewalld service altogether temporarily.

systemctl stop firewalld

You can alternatively flush the tables with iptables -F, though I'm not sure when/if firewalld will repopulate the chains on its own without a rule change to prompt it to do so.

Hopefully this will solve your issue. But if you want/need to go to a custom iptables layout by having the firewall load its rules out of /etc/sysconfig/iptables, you will need to install and enable the service, as well as disable firewalld.

  1. Install iptables service: yum install iptables-services
  2. Stop Firewalld: systemctl stop firewalld
  3. Disable Firewalld: systemctl disable firewalld
  4. Start the iptables service (If you don't have an /etc/sysconfig/iptables at this point, this won't do anything): systemctl start iptables
  5. Enable the iptables service: systemctl enable iptables
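As an added illustration of the counter check described in the answer above (this script is not part of the original answer), here is a small POSIX shell script that parses an iptables -nvL <chain> listing and reports which rules have a non-zero packet counter in the left-hand column, which is exactly the evidence you want when deciding whether traffic is reaching a zone's allow rule at all. The listing embedded in it is constructed sample output for a chain named IN_home_allow, not captured from a real host, and the function names are my own.

```bash
#!/bin/sh
# Added example: inspect iptables -nvL output to see which rules have matched.
# SAMPLE_LISTING is constructed sample output in the format iptables -nvL prints;
# the chain name, ports and counters are illustrative only.
SAMPLE_LISTING='Chain IN_home_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12  1440 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25565 ctstate NEW
    3   684 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4445 ctstate NEW'

# Column layout of iptables -nvL (fields are whitespace separated):
#   1=pkts 2=bytes 3=target 4=prot 5=opt 6=in 7=out 8=source 9=destination 10..=match text
# Line 1 is the chain header and line 2 the column header, so rules start at NR > 2.
# Counters may carry K/M/G suffixes ("12K"); awk's "$1 + 0" keeps the numeric prefix,
# which is enough to tell "never hit" (0) from "hit at least once" (> 0).

# matched_rules: read a listing on stdin, print "<pkts> <target> <proto> <dport>"
# for every rule whose packet counter is non-zero.
matched_rules() {
    awk 'NR > 2 && ($1 + 0) > 0 {
        port = "-"
        for (i = 10; i <= NF; i++) if ($i ~ /^dpt:/) port = substr($i, 5)
        printf "%s %s %s %s\n", $1, $3, $4, port
    }'
}

# matched_rule_count: read a listing on stdin, print how many rules have been hit.
matched_rule_count() {
    awk 'NR > 2 && ($1 + 0) > 0 { n++ } END { print n + 0 }'
}

# rule_pkts PORT: read a listing on stdin, print the packet counter of the first
# rule matching destination port PORT (prints nothing if no such rule exists).
rule_pkts() {
    awk -v want="dpt:$1" 'NR > 2 {
        for (i = 10; i <= NF; i++) if ($i == want) { print $1; exit }
    }'
}

# Run against the constructed sample. On a real host you would replace the
# printf with: iptables -nvL IN_home_allow | matched_rules
printf '%s\n' "$SAMPLE_LISTING" | matched_rules
printf 'rules hit: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | matched_rule_count)"
printf 'packets on 25565/tcp rule: %s\n' "$(printf '%s\n' "$SAMPLE_LISTING" | rule_pkts 25565)"
```

In the sample, the 25565 rule shows zero packets while neighbouring rules in the same chain have counts, which is the pattern the answer describes: the chain is being evaluated, but nothing destined for that port is arriving, so the problem lies before the rule (zone sources/interfaces, or the client never sending) rather than in the rule itself. Read the listing once from a saved file if you want to compare counters before and after a test connection.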

Solution 2:

No, you do not need to forward ports for playing on LAN. Port forwarding is only for connections that are leaving/incoming through your router, i.e. internet game hosting. It's part of something called Network Address Translation, NAT for short. Without going into too much technical detail, basically it's a clever way routers hide/protect your computer from being exposed on the public internet. So, in order to allow public internet computers to talk to your computer, you have to "expose" certain ports that the router will allow to talk to your computer. Anything that's going on within your local network, LAN, does not need to go out to the public internet, so NAT is not involved, and therefore no port forwarding is needed.

Now, there can be other things at play, such as if you or your buddy have installed any 3rd-party firewall software on your computer; it may be blocking the game. If so, either temporarily disable it, or tell it to allow your game to make connections. For the normal Windows firewall built into Vista and up, it will ask you if you want to allow the program to talk to the network (LAN), usually the first time you run it.

Solution 3:

It is necessary to open UDP port 4445, commonly used for the service upnotifyp. I tested this across a couple of games and, since it's actually a registered port rather than the random ones Minecraft usually chooses, I think it can safely be assumed to be consistent across games. I hope someone else finds a use for this; it took a fair amount of effort to figure out what was wrong.