Firewalld rule for Minecraft Server

My sons play Minecraft.  I recently decided to let them play head to head on the same server.  Aside from the financial aspect (I had to buy a second account) it was fairly straightforward running the server.  The one thing that tripped me up was a firewall rule that prevented a remote client machine from connecting to the server.  Fix was pretty simple.

When running the server, the log showed:

[23:58:50] [Server thread/INFO]: Starting Minecraft server on *:25565

And so I knew that my firewalld configuration would block it. Killing firewalld and flushing the iptables rules confirmed it:

sudo systemctl stop firewalld.service
sudo iptables -F

But I don’t want to run without a firewall.

I want to open port 25565. To do so, I need to figure out what zone holds the firewall rule blocking it, and add a rule that opens this port.

$ firewall-cmd --get-active-zones
public
  interfaces: em1 tun0 virbr0 virbr1 virbr1-nic

Simple enough; I only have one zone (Fedora 21 default setup).

I only want this port open while the game is running. I would probably be better off with a sudo rule embedded in the game startup script that opens the port dynamically, but I can do this by hand:

sudo firewall-cmd  --zone=public --add-port=25565/tcp

and then close it upon shutdown:

sudo firewall-cmd  --zone=public --remove-port=25565/tcp
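
The startup-script approach mentioned above could look like the following. This is an added example, not code from the original post; the launch command, the sudoers entry and the function names are assumptions.

```sh
#!/bin/sh
# Added example: keep 25565/tcp open only while the Minecraft server runs.
# Assumed, not from the post: the launch command below, and a sudoers
# entry that lets this user run firewall-cmd.
ZONE="${ZONE:-public}"
PORT="${PORT:-25565/tcp}"
FWCMD="${FWCMD:-sudo firewall-cmd}"      # override for a dry run
SERVER_CMD="${SERVER_CMD:-java -jar server.jar nogui}"
OPENED_BY_US=0

port_is_open() {
    $FWCMD --zone="$ZONE" --query-port="$PORT" >/dev/null 2>&1
}

open_port() {
    # Runtime rule only (no --permanent): a reload or reboot drops it too.
    if port_is_open; then
        OPENED_BY_US=0                   # opened by someone else: leave it
    else
        $FWCMD --zone="$ZONE" --add-port="$PORT" >/dev/null && OPENED_BY_US=1
    fi
}

close_port() {
    # Only remove the rule this script added.
    if [ "$OPENED_BY_US" = 1 ]; then
        $FWCMD --zone="$ZONE" --remove-port="$PORT" >/dev/null
        OPENED_BY_US=0
    fi
}

run_server() {
    open_port || return 1
    trap close_port EXIT                 # cleanup if the shell exits early
    trap 'exit 130' INT                  # make Ctrl-C reach the EXIT trap
    trap 'exit 143' TERM
    $SERVER_CMD
    server_rc=$?
    close_port
    trap - EXIT INT TERM
    return "$server_rc"
}

# Start only when asked: run this script with --start as its argument.
if [ "${1:-}" = "--start" ]; then
    run_server
fi
```

Because the rule is added without --permanent, it never reaches /etc/firewalld/zones/public.xml, so a crash that skips the cleanup still leaves the port closed after the next reload or reboot.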

If I was setting up a machine to be a dedicated server, I would want this port to always be opened.

$ sudo firewall-cmd --permanent --zone=public --add-port=25565/tcp
success

Did that work?

$ sudo firewall-cmd --zone=public --query-port=25565/tcp
no

Not yet. So far I’ve only written the rule to the permanent configuration; the running firewall does not use it until the configuration is reloaded.

$ sudo firewall-cmd --reload 
success
$ sudo firewall-cmd --zone=public --query-port=25565/tcp
yes

Now it is open and will be kept open, because the rule gets written into the firewalld config file. If you run

 sudo less /etc/firewalld/zones/public.xml

you should see a line that contains:

  port protocol="tcp" port="25565"

If you decide to disable the server and want to close the port:

$ sudo firewall-cmd --permanent --zone=public --remove-port=25565/tcp
success
$ sudo firewall-cmd --reload 
success
$ sudo firewall-cmd --zone=public --query-port=25565/tcp
no

What if we want to name this port? We know that the client must look for port 25565, even if it isn’t in /etc/services. We can name this port “minecraft-server”, at least for firewalld purposes. Create this file:

sudo vi /etc/firewalld/services/minecraft.xml

with these contents:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>minecraft</short>
  <description>Port used to allow remote connections to a Minecraft server running on this machine.</description>
  <port protocol="tcp" port="25565"/>
</service>

Now, instead of the above commands:

To query:

 sudo firewall-cmd --zone=public --query-service=minecraft

To enable:

sudo firewall-cmd --zone=public --add-service=minecraft

And to disable:

sudo firewall-cmd  --zone=public --remove-service=minecraft

And use the --permanent flag and --reload if you want these changes to survive a reboot.

1 thought on “Firewalld rule for Minecraft Server”

  1. Before you try to work with your minecraft.xml file you created, you need to run a command firewall-cmd --reload so it recognizes your xml file. Then the rest of your commands work.
