Minecraft – Do I need to open ports in the firewall to see LAN games on Minecraft? If so, which

linuxminecraft-java-editionminecraft-java-edition-server

Lately I've been having some trouble with Minecraft LAN games. Not with hosting them or even with joining them exactly, but with seeing them at all. Here's the situation:

  • I am not able to see Minecraft LAN games on my multiplayer screen automatically
  • I can see them if I add them as I would a server on the internet
  • I can join them if I add them, or if I connect to them directly

Basically, I can join games but not find them automatically. It just says "Scanning for games on your local network…" indefinitely. My current theory is that while joining games obviously doesn't require opened ports discovering them might – is this the case?

As far as I know I can't permit specific applications through my firewall (I'm on Linux, and not that I'd care to just give a blanket permit to Java in any case) so I can't test this without having some idea of what ports would be required. It's also possible it's another issue pertinent to Linux or something else altogether, though.

This isn't a huge deal as I can just ask what port the server is being hosted on, but it's been bugging me. Oh, and in case anyone comes across this question with a similar problem, I'm just going to reiterate:

You can join the game by connecting to it directly, just ask for the port. The person hosting will receive a message with it when they open the game. Then you can directly connect to it at (probably) 192.168.#.###:####.

UPDATE: Hosting on LAN works fine, I just can't see the games others host. Additionally, I should clarify I actually mean opening ports on my local firewall, I said port forwarding but that was not actually what I meant.

For a further clarification, this isn't isolated to one person – I've tried with both my brothers, neither of whom is using any special security software that I know of. And they can see each others'.

Best Answer

Newer Fedora versions (Fedora 18 and onwards) use Firewalld to manage iptables rules. The iptables service that loads rules out of /etc/sysconfig/iptables is not present by default. A bunch of my answer involves manually bashing about in iptables rules. This is a bit of new ground for me, as my main experience with firewalld up to this point has been making a beeline back to traditional reading of iptables rules out of the save file. Most of the firewalld information was collected on the fly based on the iptables rules that it implemented.

I double-checked this on a Fedora 20 VM that I've been fiddling with. When a rule is set in firewall-config, the packet for a new connection must go through the following steps to be accepted.

  1. New packet hits INPUT chain. Packets in existing connections are automatically accepted.
  2. All prospective connections from the outside are sent to the either the INPUT_ZONES_SOURCE chain or INPUT_ZONES chain, based on whether they were picked out based on source IP or the interface the packet came in on. The logic within each is pretty much the same, other than the IP/interface note. I'll be focusing on INPUT_ZONES_SOURCE for my example.
  3. I added my Minecraft rule to the 'home' zone, so I had added an entry in home->sources stating that packets coming from the network address of 10.20.30.0/24 were coming from home. In INPUT_ZONES_SOURCE, there was a rule that would send all packets coming from that IP range to the IN_home chain.
  4. In the IN_home chain I had three chains dedicated to specific tasks: IN_home_log, IN_home_deny (this was empty, as I hadn't set anything), and IN_home_allow.
  5. IN_home_allow held all of the allowed services for the 'home' zone, including the 25565 rule that I had just put in. Though I didn't start up a Minecraft server or bind anything else to TCP/25565, I could see that some other default rules did record that packets were being accepted, so traffic was being evaluated against this rule.
  6. Any rule that does not get accepted will eventually splatter against the last rule of the INPUT chain. The final rule will reject any packet that is still on the chain.

To get to the point of my explanation, could I confirm that you've set an input interface or a IP address/range for the zone that you're allowing the port in? You've placed a rule to allow the port in a given zone, but it sounds as though the packet doesn't have a way to reach that rule and be accepted.

You can list a table using iptables -nvL. Firewalld sets up a lot of chains, so if you want to take a look at one in particular, add the chain name as an argument: iptables -nvL <chain-name>. If you can see numbers greater than zero in the lefthand columns, this means that packets have reached and triggered the rule. (The action the rule takes is in the third column).

To force your firewall to accept everything, and to see if something along the line is causing you grief, you could stop the firewalld service altogether temporarily.

systemctl stop firewalld

You can alternately flush the tables with iptables -F, though I'm not sure when/if firewalld will repopulate the chains on their own without a rule change to prompt it to do so.

Hopefully this will solve your issue. But if you want/need to go to a custom iptables layout by having the firewall load its rules out of /etc/sysconfig/iptables, you will need to install and enable the service, as well as disable firewalld.

  1. Install iptables service: yum install iptables-services
  2. Stop Firewalld: systemctl stop firewalld
  3. Disable Firewalld: systemctl disable firewalld
  4. Start the iptables service (If you don't have an /etc/sysconfig/iptables at this point, this won't do anything): systemctl start iptables
  5. Enable the iptables service: systemctl enable iptables
Related Topic