Arch Linux

huey_freeman

Member

Registered: 2025-09-22

Posts: 11

Port still appears closed after forwarding and iptables configuration

I'm inexperienced with networking, but I'm trying to set up a Minecraft server on my own IP. When I start the server up, I can connect to it just fine. Here are the results of

sudo nmap -sS -p- localhost

while the server is up:

Host is up (0.0000090s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 65524 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
53/tcp    open  domain
953/tcp   open  rndc
5355/tcp  open  llmnr
6463/tcp  open  unknown
25565/tcp open  minecraft
27036/tcp open  unknown
27060/tcp open  unknown
35701/tcp open  unknown
46499/tcp open  unknown
57343/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1.95 seconds

The port is shown to be open, and I have also added a rule into /etc/iptables/iptables.rules that should also open it. Here are the contents of that file:

# Generated by iptables-save v1.8.11 on Sat Nov 22 20:04:52 2025
*filter
:INPUT ACCEPT [2735240:2225336691]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [766759:132003682]
-A INPUT -p tcp -i enp11s0 -m tcp --dport 25565 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT 
COMMIT
# Completed on Sat Nov 22 20:04:52 2025

I also have a rules file called simple_firewall.rules. I wasn't sure if iptables used one or the other or both, so I added the rule to both, here's that one too:

*filter
-A INPUT -p tcp -i enp11s0 --dport 25565 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT 
-A INPUT -p -i enp11s0 icmp -j ACCEPT 
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -j REJECT --reject-with tcp-reset 
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable 
-A INPUT -j REJECT --reject-with icmp-proto-unreachable 
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

However, after all of this, my friends still can't connect to the server and the online port checker still shows that port 25565 is closed. I have added a port forwarding rule on my modem (I have not yet restarted it, but I don't think I should have to) with the external and internal ports set to 25565 for my IP. A screenshot:

I have ensured iptables.service is running and everything seems okay on my end, but the open port still remains invisible everywhere else, I guess. Feel free to request additional information I haven't provided.

Whoracle

Member

Registered: 2010-11-02

Posts: 191

Re: Port still appears closed after forwarding and iptables configuration

Your nmap test connects to localhost - so 127.0.0.1. Is your MC server actually listening on the LAN IP 192.168.x.y? Check with

ss -tlpen | grep 25565 

. If yes, do you have another machine from which you can do e.g.

telnet 192.168.x.y 25565

to work through this systematically?

huey_freeman

Member

Registered: 2025-09-22

Posts: 11

Re: Port still appears closed after forwarding and iptables configuration

I tried this command on my laptop (running void linux) and received:

Trying 192.168.0.135...
telnet: Unable to connect to remote host: No route to host

Whoracle

Member

Registered: 2010-11-02

Posts: 191

Re: Port still appears closed after forwarding and iptables configuration

Again, please post the output of

ss -tlpen | grep 25565

on the MC server.

huey_freeman

Member

Registered: 2025-09-22

Posts: 11

Re: Port still appears closed after forwarding and iptables configuration

Sorry about that, this is what that comes up with:

 LISTEN 0      4096                                           *:25565            *:*    users:(("java",pid=129314,fd=72))     uid:1000 ino:6725737 sk:500b cgroup:/user.slice/user-1000.slice/user@1000.service/kitty-5192-0.scope v6only:0 <->        

huey_freeman

Member

Registered: 2025-09-22

Posts: 11

Re: Port still appears closed after forwarding and iptables configuration

It's been a couple days, would anyone mind looking over this again, or maybe sending me to a wiki page that could help me out?

-thc

Member

Registered: 2017-03-15

Posts: 1,052

Re: Port still appears closed after forwarding and iptables configuration

Make sure that your internet provider supports a fully functional - reachable from the internet - IPv4 address for your connection.

Whoracle

Member

Registered: 2010-11-02

Posts: 191

Re: Port still appears closed after forwarding and iptables configuration

Sorry, this dropped off my radar. So, your MC host does seem to open that port on the LAN address - Just to make sure: 192.168.0.135 IS your LAN address, right? From when you tested with telnet from your void notebook? If so, to see if it is the fault of your firewall rules, what happens if you temporarily disable the local firewall on the MC server machine and rerun the telnet test?

huey_freeman

Member

Registered: 2025-09-22

Posts: 11

Re: Port still appears closed after forwarding and iptables configuration

Yes, that is my address, I can post the results of 'ip addr' if need be. Per your instructions, I stopped and disabled iptables.service, then ran the server with my startup script. I made sure to check both were connected to the same network with 'iw dev' which showed the same SSID on both devices, but when I ran 'telnet 192.168.0.135 25565' the output was the same as on my first reply, no change.

Also, my ISP provides a valid IPv4 address, and it's the same for all the devices connected to the network.

-thc

Member

Registered: 2017-03-15

Posts: 1,052

Re: Port still appears closed after forwarding and iptables configuration

So you're telling us that both PCs are connected to the same WiFi/SSID and the "void" notebook has no route to the MC host?

Check the output of

ip a

on both PCs in regard to their WiFi adapters (wl*) and the Ethernet adapter (en*) on the Minecraft host - are those three adapters on different IPv4 subnets?

Whoracle

Member

Registered: 2010-11-02

Posts: 191

Re: Port still appears closed after forwarding and iptables configuration

Also, do you have "client isolation" or something like that active in your WiFi AP? Can you access ANY other port on the MC server from the notebook, like SSH?

huey_freeman

Member

Registered: 2025-09-22

Posts: 11

Re: Port still appears closed after forwarding and iptables configuration

In response to the second question, I tried 'telnet 192.168.0.135 22' on the laptop and received:

Trying 192.168.0.135...
Connected to 192.168.0.135.
Escape character is '^]'.
SSH-2.0-OpenSSH_10.2

So yes, I can access it using other ports. Also, here is the output of 'ip a' on both devices. On my laptop:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo 
       valid_lft forever preferred_lft forever
2: enp1s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 9c:b6:54:c3:21:f2 brd ff:ff:ff:ff:ff:ff
4: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether a4:db:30:53:3c:b1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.250/22 brd 192.168.7.255 scope global dynamic noprefixroute wlo1
       valid_lft 8279sec preferred_lft 6479sec
    inet6 fda0:f41f:944a:1:a5fe:3400:b4bf:110a/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 2591716sec preferred_lft 604516sec
    inet6 fe80::f0e0:d94d:5b56:758/64 scope link 
       valid_lft forever preferred_lft forever

On my PC:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp11s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:68:eb:b9:35:6f brd ff:ff:ff:ff:ff:ff
    altname enx0068ebb9356f
    inet 192.168.0.135/24 brd 192.168.0.255 scope global dynamic noprefixroute enp11s0
       valid_lft 2753sec preferred_lft 2753sec
    inet6 fdea:fb44:c423:51da:9ed7:f37e:e10e:3fbc/64 scope global dynamic noprefixroute
       valid_lft 1741sec preferred_lft 1741sec
    inet6 fe80::3d0c:5452:7584:8c6e/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether c6:62:ca:55:41:1f brd ff:ff:ff:ff:ff:ff permaddr ac:50:de:c0:e5:ed

I'm not sure how them being connected to different adapters affects things; I did try connecting my laptop to the same one as my PC with another ethernet cable, but there was, again, no change.

Whoracle

Member

Registered: 2010-11-02

Posts: 191

Re: Port still appears closed after forwarding and iptables configuration

ok, so that means that basic connectivity is there. Very good. Now, further tests:

On the MC server, try these two commands when the server process is running. If one or both of them fail, try with firewall disabled. This will show us if the MC process is actually listening correctly, not just "claiming" to be.

telnet localhost 25565
telnet 192.168.0.135 25565

If both of these work, we're moving on to the void notebook again. Also, check

iptables -nvL

between the "with firewall" and "without firewall" tests - the 2nd time it should look something like this:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

If there are any lingering rules, you might have not correctly disabled the firewall. We'll tackle that if it becomes an issue.

EDIT: Ah, just saw that your laptop is in another subnet altogether, so there's your wifi AP in the middle, too. Can you test the telnet 192.168.0.135 25565 from your laptop if you connect to the same subnet as the MC server? Just to eliminate each layer methodically.

Last edited by Whoracle (2025-11-27 19:33:37)

huey_freeman

Member

Registered: 2025-09-22

Posts: 11

Re: Port still appears closed after forwarding and iptables configuration

Both 'telnet localhost 25565' and 'telnet 192.168.0.135 25565' succeed on the machine running the server.

Trying ::1...
Connected to localhost.
Escape character is '^]'.

While the firewall was disabled, the output of 'iptables -nvL' was exactly as you described, and when I turned it back on, I got

Chain INPUT (policy ACCEPT 109 packets, 17102 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  enp11s0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25565 ctstate NEW,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 106 packets, 10664 bytes)
 pkts bytes target     prot opt in     out     source               destination

showing the rule only appears when iptables is active.

I disabled the wlo1 interface on my laptop and made it connect to enp1s0, then tried 'telnet 192.168.0.135 25565' again. It still returned:

Trying 192.168.0.135...
telnet: Unable to connect to remote host: No route to host

Whoracle

Member

Registered: 2010-11-02

Posts: 191

Re: Port still appears closed after forwarding and iptables configuration

OK, what does ip a say on the notebook when you connect via enp1s0? I want to make sure it's configured correctly. Can you still telnet 192.168.0.135 to the MC server from the notebook when connected via enp1s0?

huey_freeman

Member

Registered: 2025-09-22

Posts: 11

Re: Port still appears closed after forwarding and iptables configuration

I get:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host proto kernel_lo 
       valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 9c:b6:54:c3:21:f2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.16/24 brd 192.168.0.255 scope global dynamic noprefixroute enp1s0
       valid_lft 2199sec preferred_lft 1749sec
    inet6 fdea:fb44:c423:51da:688f:767e:1ef6:168b/64 scope global dynamic mngtmpaddr noprefixroute 
       valid_lft 1578sec preferred_lft 1578sec
    inet6 fe80::6cca:6d01:50c0:b697/64 scope link 
       valid_lft forever preferred_lft forever
4: wlo1: <BROADCAST,MULTICAST> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether a4:db:30:53:3c:b1 brd ff:ff:ff:ff:ff:ff

I can still connect to the PC running the server with

telnet 192.168.0.135 22

on my laptop with the enp1s0 interface.

Whoracle

Member

Registered: 2010-11-02

Posts: 191

Re: Port still appears closed after forwarding and iptables configuration

Ok, I'm at a loss. You're in the correct subnet, everything seems fine. I'll think about this a bit more, and maybe someone else has an idea in the meantime.

-thc

Member

Registered: 2017-03-15

Posts: 1,052

Re: Port still appears closed after forwarding and iptables configuration

@huey

Are you aware that in connecting to an appliance (router) via WiFi or Ethernet and receiving completely different IPv4 and IPv6 ULA subnets is highly unusual?

What are you connecting to? Is this appliance some kind of firewall? If yes, it could block unknown (MC, bot not SSH) traffic...

huey_freeman

Member

Registered: 2025-09-22

Posts: 11

Re: Port still appears closed after forwarding and iptables configuration

I assumed that different subnets for ethernet and wifi was normal. I should just be connecting to my QuantumFiber router, and I'm not sure if this affects anything but we do have an Eero wifi extender.

Thank you guys for your dilligence in helping me fix this issue.

Whoracle

Member

Registered: 2010-11-02

Posts: 191

Re: Port still appears closed after forwarding and iptables configuration

What are you connecting to? Is this appliance some kind of firewall? If yes, it could block unknown (MC, bot not SSH) traffic...

That was what I was getting at, but there's also no connection to the MC in the same subnet either...

-thc

Member

Registered: 2017-03-15

Posts: 1,052

Re: Port still appears closed after forwarding and iptables configuration

Great. Quantum fiber installs special purpose routers on the walls of their customers, calls them "modems" (despite the fact they're clearly more than that) and lets you combine them with WiFi access points.

So what hardware exactly is installed (beside an eero 6 (?) extender)?

Last edited by -thc (2025-11-28 21:06:07)

huey_freeman

Member

Registered: 2025-09-22

Posts: 11

Re: Port still appears closed after forwarding and iptables configuration

The aforementioned eero 6 and a C5500XK modem.

-thc

Member

Registered: 2017-03-15

Posts: 1,052

Re: Port still appears closed after forwarding and iptables configuration

This router has two Ethernet ports and no built-in WiFi. The eero 6 is a wireless extender with one Ethernet port.

Is this your setup

Fibre -> C5500XK router -> eero 6 via Ethernet (1)
                        -> PC via Ethernet (2)

?

Does your notebook have an Ethernet port?

Last edited by -thc (Yesterday 07:11:01)

huey_freeman

Member

Registered: 2025-09-22

Posts: 11

Re: Port still appears closed after forwarding and iptables configuration

In addition, there is also a Q Fiber W1700K wifi pod and an eero 6 (not an extender) connected. I don't exactly understand how these components interact, but I will send a picture in the hopes of disambiguating (may or may not be useful) There was also a link to configure the W1700K on its back, but when I went to it, I couldn't connect.

Last edited by huey_freeman (Yesterday 21:19:48)

-thc

Member

Registered: 2017-03-15

Posts: 1,052

Re: Port still appears closed after forwarding and iptables configuration

O.K. - this got off the rails pretty quick.

To sum it up - as far as I understand it - you have a bunch of routers/access points/switches/WiFi extenders/PCs connected to one another in a way nobody really understands. Now you want to setup a MC server which needs a clear network path from the internet to the MC instance - which you don't seem to have. In contrast such a jumble of components "works" as long as all clients "just need internet".

So either you get a local expert to simplify and reorder the network components in a way to create that clear path or you dump the idea of a server.