#Setup Geyser so Java clients are forced through another subdomain that is DDoS protected

8 messages · Page 1 of 1 (latest)

amber crescent
#

I now have a working solution which I want to share here for others wanting to protect their Linux Minecraft server with Spectrum.

  1. Add your DNS to Cloudflare

  2. Create 2 subdomains; for the example I will have java.subdomain.com and bedrock.subdomain.com

  3. Add java.subdomain.com to Spectrum

  4. Create an A record for bedrock.subdomain.com pointing to the server's public IP

  5. Create an SRV record; it would be something like _minecraft._udp.bedrock.subdomain.com pointing to bedrock.subdomain.com on 19132, priority 0 and weight 5

  6. Set up your Linux firewall to allow in port 25565 on TCP for all the Cloudflare IPs, as people will connect through Cloudflare Spectrum. Deny everywhere else on 25565. Deny 25565 for subdomain bedrock.subdomain.com and allow all for your Bedrock port 19132

This might seem confusing, but the idea here is people can connect with the Minecraft Java client using java.subdomain.com, which is pushed through Cloudflare Spectrum servers, but players cannot be sneaky and connect with Java clients through bedrock.subdomain.com on 25565.
All connections through bedrock.subdomain.com are allowed on the Bedrock client, as it's pushed through Geyser on 19132 only.

The trick here is that Linux looks at rules in order of number; you need to get this right.

I set deny to 25565 on bedrock.subdomain.com as rule 2, and then after that allowed all Cloudflare IPs. Then after that I denied 25565 to anywhere.

To add all the Cloudflare IPs to the firewall you can use a script like this:

# Fetch Cloudflare's published IPv4 and IPv6 ranges and append an allow rule for each on TCP/25565
for cfip in $(curl -s https://www.cloudflare.com/ips-v4 https://www.cloudflare.com/ips-v6); do
  sudo ufw allow proto tcp from "$cfip" to any port 25565 comment 'Cloudflare IP'
done

I'm sure if you're doing this, you have enough knowledge to work out the firewall rules yourself and test it.

I also had to ping java.subdomain.com in cmd, then find the IP Cloudflare was giving it and add it to the Cloudflare IPs as allow in the firewall.

Once I completed all this, I found in the Java client that the server I added under java.subdomain.com was available but the server I added under bedrock.subdomain.com was not.
I could also connect to the server through Bedrock without issue on bedrock.subdomain.com. java.subdomain.com won't work by default as Geyser uses 19132.

There isn't much information out there on this, so I hope this guide helps you out.
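As an added example (not code from the original post), here is a small Python script that models the firewall part of steps 1 to 6 and the ordering remark above, so the policy can be checked before any ufw command is run. It generates the ufw commands in the order they must be issued (Bedrock UDP allow, one allow per Cloudflare range on 25565/tcp, then the catch-all deny on 25565/tcp) and simulates ufw's first-match evaluation against sample source addresses. The Cloudflare ranges embedded are a constructed sample; a real run should fetch the full lists from the two URLs in the post. ufw matches on source address rather than hostname, so the per-subdomain deny in step 6 is represented here by the catch-all deny on 25565. Rule, build_rules, evaluate, order_is_safe and ufw_script are names chosen for this example.

```python
"""Added example: model the ufw policy for a Java (Spectrum) + Geyser (Bedrock)
server and verify rule order before applying it. Not from the original post."""
import ipaddress
from dataclasses import dataclass

# Constructed sample of Cloudflare ranges (a few from each published list).
# For a real deployment fetch the full lists from
# https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6.
SAMPLE_CLOUDFLARE_RANGES = [
    "173.245.48.0/20",
    "103.21.244.0/22",
    "2400:cb00::/32",
    "2606:4700::/32",
]

JAVA_PORT = 25565     # Java clients reach this only through Spectrum
BEDROCK_PORT = 19132  # Geyser listens here on UDP, reachable directly


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    proto: str     # "tcp" or "udp"
    port: int
    source: str    # CIDR, or "any"
    comment: str

    def matches(self, src_ip: str, proto: str, port: int) -> bool:
        """True if this rule applies to a packet from src_ip to proto/port."""
        if self.proto != proto or self.port != port:
            return False
        if self.source == "any":
            return True
        # ipaddress returns False (no exception) when comparing v4 to v6
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)

    def to_ufw(self) -> str:
        """The ufw command that appends this rule (ufw appends in issue order)."""
        src = "" if self.source == "any" else f"from {self.source} "
        return (f"sudo ufw {self.action} proto {self.proto} {src}"
                f"to any port {self.port} comment '{self.comment}'")


def build_rules(cloudflare_ranges):
    """Rules in the order the post describes. ufw evaluates top-down and the
    first match wins, so every Cloudflare allow on 25565 must precede the
    catch-all deny on 25565."""
    rules = [Rule("allow", "udp", BEDROCK_PORT, "any", "Geyser Bedrock")]
    rules += [Rule("allow", "tcp", JAVA_PORT, cidr, "Cloudflare IP")
              for cidr in cloudflare_ranges]
    rules.append(Rule("deny", "tcp", JAVA_PORT, "any", "Java direct"))
    return rules


def evaluate(rules, src_ip: str, proto: str, port: int, default: str = "deny") -> str:
    """Simulate first-match evaluation; `default` is the ufw default incoming policy."""
    for rule in rules:
        if rule.matches(src_ip, proto, port):
            return rule.action
    return default


def order_is_safe(rules) -> bool:
    """False if a catch-all deny sits above an allow for the same proto/port,
    which would shadow the Cloudflare allows and cut Spectrum off."""
    for i, rule in enumerate(rules):
        if rule.action == "deny" and rule.source == "any":
            if any(r.action == "allow" and (r.proto, r.port) == (rule.proto, rule.port)
                   for r in rules[i + 1:]):
                return False
    return True


def ufw_script(rules) -> str:
    """Full command sequence, starting from a default-deny inbound policy."""
    lines = ["sudo ufw default deny incoming", "sudo ufw default allow outgoing"]
    lines += [r.to_ufw() for r in rules]
    lines.append("sudo ufw enable")
    return "\n".join(lines)


if __name__ == "__main__":
    rules = build_rules(SAMPLE_CLOUDFLARE_RANGES)
    assert order_is_safe(rules)
    print(ufw_script(rules))
    # Spot checks with documentation addresses (203.0.113.0/24 is not Cloudflare)
    print("Cloudflare -> 25565/tcp:", evaluate(rules, "173.245.48.10", "tcp", JAVA_PORT))
    print("random host -> 25565/tcp:", evaluate(rules, "203.0.113.5", "tcp", JAVA_PORT))
    print("random host -> 19132/udp:", evaluate(rules, "203.0.113.5", "udp", BEDROCK_PORT))
```

Run it once with the full Cloudflare lists substituted in, confirm that only Cloudflare sources are allowed on 25565/tcp and that order_is_safe passes, then paste the printed commands into the shell. Remember that Cloudflare updates those lists, so the allow rules need refreshing periodically.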

hearty quest
#

Glad you got it figured out haha, I was about to start diving into my domain knowledge to try to figure this out🤣

hoary elkBOT
amber crescent
# hearty quest Glad you got it figured out haha, I was about to start diving into my domain kno...

It hasn't totally fixed my situation.
The subdomain I'm using for Bedrock through Geyser is exposed.
Currently the subdomain is set up with an A and SRV record and the Bedrock ports open on the Linux firewall.

Someone can just WHOIS my subdomain, find the server IP and DDoS it.

I can set the A record to Proxied in Cloudflare but have no idea what to then do in the Geyser config to connect to the server.

hearty quest
#

If you set it to proxied in Cloudflare, my understanding is that you just won't be able to connect no matter what you do. It seems there is no true solution for protecting or proxying a UDP connection. I did a bunch of research into it for my server as well and I truly couldn't find a good solution that I trusted. I just made sure I put some good gapping between my server and my home network. The best solutions seem like they'll have to be on the LAN side rather than WAN from what I could find. I'm eventually gonna get an IPS probably because I'm still pretty exposed. I'm keeping my server with just friends for now.

amber crescent
hearty quest
#

Oh yeah, I guess I could've mentioned TCPShield; idk what your financial situation is. I'd have to be rich rich to spend $1200 a year on that 🤣
I'm probably just going to set up some good firewalls on my systems and some intrusion detection software and call it a day. The best thing, unless you plan on running some massive server, is good firewalls on your home devices. Most routers have pretty decent built-in intrusion prevention, so unless you really make someone with some skills mad, you shouldn't worry too much about DDoS.

My biggest concern is people getting on my Minecraft servers that shouldn't be and causing havoc. I've banned 5 random people that have found my server already. I'm gonna be setting up a whitelist soon haha. Highly recommend a whitelist 😅

amber crescent
# hearty quest Oh ya I guess I could’ve mentioned TCPShield, idk what your financial situation ...

I set up LuckPerms and made the default rank have no command access.

I also set up AuthMeReloaded to enforce people setting up a login on the server.

I also use DiscordSRV for role assignment and proximity chat.
There is an option where you can block server access if they haven't joined your Discord, and have it auto-assign a role from LuckPerms.
The point of this is you can then lock down the server so no one can join unless they a) set up Discord for the server and b) have a role assigned from LuckPerms.
Worth it to create that security and route players to your Discord for info you post there.