yrutschle / sslh

Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)
https://www.rutschle.net/tech/sslh/README.html
GNU General Public License v2.0

IP Forward Issue #295

Closed fyxisShazad closed 3 years ago

fyxisShazad commented 3 years ago

Hi, I recently used this tutorial: https://www.howtogeek.com/440752/protect-your-home-minecraft-server-from-ddos-attacks-with-aws/

But I have one very big problem here and I have no idea how to fix it. Everything is working well, but what I saw in my Minecraft server console was my reverse proxy IP (the AWS instance), not the real player IP. This is very bad for me because I can't ban anyone by his IP address :/

Do you have any ideas how to solve this problem?

Thanks!

licaon-kter commented 3 years ago

See Transparent instructions

LiannOM commented 3 years ago

So I added the --transparent parameter:

DAEMON_OPTS="--user sslh --transparent --listen 0.0.0.0:25565 --anyprot your_ip_address:25565 --pidfile /var/run/sslh/sslh.pid"

and completed "Transparent proxying with IPv4 with iptables"

and now I'm getting

Jul 28 16:05:18 something sslh[14304]: connect: Connection timed out
Jul 28 16:05:20 something sslh[14304]: forward to anyprot failed:connect: Connection timed out
Jul 28 16:05:20 something sslh[14304]: connect: Connection timed out

LiannOM commented 3 years ago

Should I use the iptables commands on both VPS?

LiannOM commented 3 years ago

I'm running Ubuntu 18.04

yrutschle commented 3 years ago

There are a few things that confuse me in the How-To:

The transparent IP things will be a bit more complicated than the existing documentation, which assumes the returning traffic naturally comes back from the final server (e.g. the Minecraft server) to the sslh host. Here, sslh would send IP packets to the Minecraft server, which is on another network entirely, with a source IP address that is somewhere else. So, when the Minecraft server replies, the replies will go directly to the source IP. I assume you'd need an iptables rule on the Minecraft server that forwards all IP traffic from the Minecraft port to the IP of the sslh host. That sounds like an interesting practical exercise in iptables use, which unfortunately probably exceeds my skills :-)

LiannOM commented 3 years ago

Why not run the minecraft server directly on the AWS host?

Why use sslh at all? It's just forwarding traffic, which could be done with netcat, or maybe even simply with iptables directly.

What I'm trying to get:

AWS SERVER (AntiDDoS, here I have sslh set up)
  \/
BungeeCord Server (Minecraft)

I just want to simply route all legitimate traffic that passes the AWS server's AntiDDoS on to my BungeeCord server, but the problem is that when a player joins my Bungee server through this proxy (the AWS server) I don't get his real IP (only the IP of the AWS instance), which could be a big problem when it comes to IP banning. That's why I came here. And my question is how to make sslh pass all traffic with the user's real IP address (transparency), if it's possible to do with iptables or other tools? I have no idea about this.

My setup:

Both servers (bungee, proxy) have Ubuntu 18.04

I think I have been clearer now and made it easier for you to understand what effect I expect.

yrutschle commented 3 years ago

Sure, it's very clear what you are trying to do.

Like I said, I don't really know how you would go about setting up the transparent proxying you want to do, or even if it is feasible.

Probably the simplest way to do that in your set up is to give up on transparent proxying, and ban the IPs with iptables directly on the AWS server. After all, why bother bringing network load to your minecraft server if it's going to get dropped there?

fyxisShazad commented 3 years ago

That would be good, to ban IPs on the AWS server, but if I don't set up transparent proxying I can't even know what IP I should ban haha

fyxisShazad commented 3 years ago

If you have any idea how to make it work, let me know please :/

btw are you sure transparent proxying like you wrote in the tutorials won't work at all? I mean this: https://github.com/yrutschle/sslh/blob/master/doc/config.md#transparent-proxy-support

fyxisShazad commented 3 years ago

Lol I saw right now that I'm using 2 of my accounts, wt*f haha, sorry for that

yrutschle commented 3 years ago

Ah, I guess you want to ban "a player", so you know who to ban on the Minecraft server, where you do not have the IP address.

Can you see what port players are connected to? Using the ports, you should be able to find the original IP address in sslh logs on the AWS server.
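One way to do the port-to-IP lookup suggested above, as an added example that is not part of this thread or of sslh itself: it assumes that sslh's verbose connection log lines have the shape shown in the comment (an assumption about the format, not taken from the issue) and works on constructed sample lines in documentation IP ranges.

```python
import re
from dataclasses import dataclass

# Assumed shape of an sslh verbose connection line (assumption, not from the issue):
#   "<proto>:connection from <client ip:port> to <listen ip:port>
#    forwarded from <sslh-side ip:port> to <target ip:port>"
# Without --transparent, the Minecraft console shows the "forwarded from" side
# (the AWS host's IP and an ephemeral port), so that port is the lookup key.
LINE_RE = re.compile(
    r"sslh\[\d+\]: (?P<proto>\w+):connection from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) forwarded from (?P<fsrc>[\d.]+):(?P<fsport>\d+) "
    r"to (?P<fdst>[\d.]+):(?P<fdport>\d+)"
)

# Constructed sample log in the assumed shape; one error line is included on purpose.
SAMPLE_LOG = """\
Jul 28 16:05:18 aws sslh[14304]: anyprot:connection from 203.0.113.7:51234 to 198.51.100.10:25565 forwarded from 198.51.100.10:40001 to 192.0.2.5:25565
Jul 28 16:05:19 aws sslh[14304]: anyprot:connection from 203.0.113.99:60123 to 198.51.100.10:25565 forwarded from 198.51.100.10:40002 to 192.0.2.5:25565
Jul 28 16:05:20 aws sslh[14304]: connect: Connection timed out
"""


@dataclass
class Conn:
    proto: str
    client_ip: str        # real player IP as seen by sslh on the AWS host
    client_port: int
    forwarded_port: int   # source port of the sslh -> Minecraft connection


def parse_sslh_log(text: str) -> list:
    """Parse connection lines; skip anything else (e.g. 'connect: Connection timed out')."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue
        conns.append(Conn(m["proto"], m["src"], int(m["sport"]), int(m["fsport"])))
    return conns


def client_for_forwarded_port(conns: list, port: int):
    """Map the source port the Minecraft console shows back to the real client IP."""
    for c in conns:
        if c.forwarded_port == port:
            return c.client_ip
    return None


if __name__ == "__main__":
    print(client_for_forwarded_port(parse_sslh_log(SAMPLE_LOG), 40002))
```

Ephemeral ports are reused over time, so match on the timestamp window as well when the log spans more than a few minutes.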

fyxisShazad commented 3 years ago

Yes exactly, but it would take much time to ban that player by IP sadly :/


yrutschle commented 3 years ago

I overhauled the transparent proxy documentation, and currently list this setup as impossible (I have a vague feeling there might be some hacky way to do it, but it would require an iptables wizard to do it, I'm afraid).

endreszabo commented 2 years ago

It is definitely doable and you don't even need sslh for that. I'd set up a WireGuard tunnel between the two and use the AWS server as the 'default gateway' for the network namespace the Minecraft server process runs in.

lucasvperini commented 1 year ago

It is definitely doable and you don't even need sslh for that. I'd set up a WireGuard tunnel between the two and use the AWS server as the 'default gateway' for the network namespace the Minecraft server process runs in.

Sorry for reopening this but, can you help me on that?