What are the required outbound IPs and ports on a spigot server?
Note: I am not absolutely sure that the question is on topic, even though this Meta discussion suggests it is. The question is specifically about a game server, not general server administration.
I run a Spigot (Minecraft) server for my children and friends and would like to limit the outbound connections as much as possible (just in case the server is hacked via the application).
Is there a definite list of IPs which are required for the server to:
- Just run
- Run and make all required checks (of plugin versions for instance)
Ideally, for the first case, this list would be empty (I would check manually from time to time) but it may be that there are some IPs which must be reachable.
As for the second case, I saw a few IPs being reached via HTTP during startup:
ec2-54-175-97-178.compute-1.amazonaws.com
ns511765.ip-198-27-66.net
They are resolved from more generic names so they are probably round robin ones (or possibly a load balancer, though it should not expose the internal IPs).
Is there an explicit list of the IPs for these servers?
For any Minecraft Server (including custom ones such as Spigot, Sponge and Bukkit/CraftBukkit), these are the only ports and addresses that you require in and out-bound traffic allowed to:
- Port 25565 (or whatever number you've set the
server-port
variable in yourserver.properties
file) so that clients can connect. - All client's IPs and handshaked ports.
This is dynamic and differs from connection to connection. There isn't really a way to predict the port, but users on the same IP generally means that they're from the same internet connection (within a family household) or VPN... node. With dynamic IP allocation by ISPs, things get a lot more complicated from that point on... Anyway, moving on; -
https://authserver.mojang.com
andhttp://login.minecraft.net
to handle authentication.
Authentication is confirmed both server- and client-side. That's why we have the "User not Premium" error.
Anything else (due to the nature of plugins in Bukkit/Spigot/Sponge), all those other connections, as you said:
As for the second case, I saw a few IPs being reached via HTTP during startup:
ec2-54-175-97-178.compute-1.amazonaws.com ns511765.ip-198-27-66.net
Are probably due to:
- Metrics
- Update Checking
- External Functions (ie. PlotSquared connects to a central server to upload/download schematics when a user chooses to import or export one)
Is there an explicit list of the IPs for these servers?
Try using a nameserver lookup.
ec2-54-175-97-178.compute-1.amazonaws.com = 54.175.97.178
ns511765.ip-198-27-66.net = 198.27.66.94
These are entry-point servers for accepting inputs to cloud services.