### Install TCPShield Plugin for BungeeCord Source: https://docs.tcpshield.com/panel/panel-configuration For BungeeCord servers, only the Real IP plugin needs to be installed on your BungeeCord instances to ensure correct player IP addresses are forwarded. ```Java ## Note: If you are running a BungeeCord server, you only need the Real IP plugin on your BungeeCord instances. ``` -------------------------------- ### Check DNS Propagation with whatsmydns.net Source: https://docs.tcpshield.com/troubleshooting/setup-checklist This section guides users on how to verify if their DNS records have propagated correctly across the internet. It recommends using the 'whatsmydns.net' tool for this purpose, which is crucial for ensuring that domain name resolutions are functioning as expected after configuration changes. ```URL https://www.whatsmydns.net/ ``` -------------------------------- ### Geyser Server Listening Output Source: https://docs.tcpshield.com/vxlan/sentry-tunnel-for-bedrock-geyser-pocketmine This is an example output of the `netstat` command, showing that the Java process is listening on the specified IP and port for Geyser. ```bash root@admin:~# netstat -plunt | grep 104.234.6.128 udp 0 0 104.234.6.128:19132 0.0.0.0:* 1546258/java udp 0 0 104.234.6.128:19132 0.0.0.0:* 1546258/java ``` -------------------------------- ### Check DNS Propagation with whatsmydns.net Source: https://docs.tcpshield.com/troubleshooting This section guides users on how to verify if their DNS records have propagated correctly across the internet. It recommends using the 'whatsmydns.net' tool for this purpose, which is crucial for ensuring that domain name resolutions are functioning as expected after configuration changes. ```URL https://www.whatsmydns.net/ ``` -------------------------------- ### Configure VXLAN Tunnel with TCPShield Source: https://docs.tcpshield.com/vxlan/sentry-tunnel-general-setup This script sets up a VXLAN tunnel for TCPShield, configuring routing tables, interfaces, IP addresses, and firewall rules. It ensures traffic is correctly routed through the tunnel and isolated from the public internet. ```bash grep -q tunnel_table /etc/iproute2/rt_tables || echo "200 tunnel_table" >> /etc/iproute2/rt_tables; ip rule | grep -q "tunnel_table" || ip rule add fwmark 9 table 200 ip link add vxlan_214 type vxlan id 214 remote 198.178.119.30 dstport 33154; ip link set dev vxlan_214 address 12:cc:6c:3d:95:b6; ip neigh add 172.18.152.2 lladdr 12:dd:6c:3d:95:b6 dev vxlan_214 nud permanent; ip link set dev vxlan_214 mtu 1450; ip addr add 172.18.152.3/24 dev vxlan_214; ip link set vxlan_214 up ip route add default via 172.18.152.2 dev vxlan_214 table 200 sysctl -w net.ipv4.conf.vxlan_214.rp_filter=0 ip addr add dev lo 104.234.6.152/32 iptables -t mangle -I OUTPUT -s 104.234.6.152/32 -j MARK --set-xmark 0x9 iptables -t mangle -A POSTROUTING -s 104.234.6.152/32 -j MARK --set-mark 0 ``` -------------------------------- ### Configure Proxy Protocol for Backend Servers Source: https://docs.tcpshield.com/panel/panel-configuration Enable 'proxy-protocol' in your backend server's configuration on the TCPShield Web panel to work with Proxy Protocol forwarding. This is an alternative to installing the TCPShield plugin. ```Text Enable `proxy-protocol` in your backend set on the TCPShield Web panel. ``` -------------------------------- ### Verify Sentry Tunnel Creation Source: https://docs.tcpshield.com/vxlan/sentry-tunnel-general-setup This command verifies if the Sentry Tunnel has been successfully created and is active. It displays detailed statistics about the network interface, including received and transmitted data, errors, and dropped packets. ```bash ip -s link show vxlan_214 ``` -------------------------------- ### Create SRV Record for Root Domain Login Source: https://docs.tcpshield.com/panel/dns-setup This snippet demonstrates the configuration for an SRV record that allows players to connect to your Minecraft server using the root domain. It ensures that requests to the root domain are redirected to the specified subdomain (e.g., tcpshield.examplepvp.com), which is protected by TCPShield. The SRV port must be set to 25565. ```DNS Service: _minecraft Proto: TCP Name: @ (or your root domain) Port: 25565 Target: tcpshield.examplepvp.com ``` -------------------------------- ### Configure rc.local for VXLAN Auto-Start Source: https://docs.tcpshield.com/vxlan/common-issues-and-debugging Sets up the `/etc/rc.local` script to automatically execute the VXLAN setup script upon server reboot. This ensures the tunnel is re-established after a restart. ```bash sudo nano /etc/rc.local ``` ```bash #!/bin/bash # rc.local - VXLAN auto setup at boot sleep 5 echo "VXLAN script executed" exit 0 ``` ```bash sudo chmod +x /etc/rc.local ``` -------------------------------- ### Install netcat on Debian/Ubuntu Source: https://docs.tcpshield.com/troubleshooting/disconnected-on-login Installs the netcat utility on Debian or Ubuntu-based Linux distributions using the apt-get package manager. ```bash apt-get install netcat -y ``` -------------------------------- ### PocketMine MP Server Properties Configuration Source: https://docs.tcpshield.com/vxlan/sentry-tunnel-for-bedrock-geyser-pocketmine This snippet shows an example of the `server.properties` file for PocketMine MP, highlighting the `server-ip` setting that needs to be updated to the public IP of the VXLAN tunnel. ```properties #Properties Config file #Tue Jul 8 11:04:48 UTC 2025 language=eng motd=TCPShield Test server-port=19132 server-ip=104.234.6.128 server-portv6=19133 gamemode=SURVIVAL ... ``` -------------------------------- ### TCPShield Geyser IP Whitelist Source: https://docs.tcpshield.com/premium-features/geyser This snippet shows the IP address ranges to be added to the TCPShield plugin's IP whitelist file (`geyser.list`) to authorize incoming Geyser connections. ```text 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ``` -------------------------------- ### Configure Proxy Protocol for Bedrock (Geyser) Source: https://docs.tcpshield.com/panel/panel-configuration For eligible TCPShield Bedrock setups, configure Geyser by setting 'enable-proxy-protocol' and 'use-proxy-protocol' to true in the Bedrock and Remote sections respectively to enable Proxy Protocol. ```YAML enable-proxy-protocol: true use-proxy-protocol: true ``` -------------------------------- ### Restart Pterodactyl and Docker Services Source: https://docs.tcpshield.com/vxlan/common-issues-and-debugging Commands to restart the Wings daemon, stop all running Docker containers, remove the Pterodactyl Docker network, and then start the Wings daemon again. This is necessary after changing Pterodactyl's network configuration. ```shell systemctl stop wings docker stop $(docker ps -q) docker network rm pterodactyl_nw systemctl start wings ``` -------------------------------- ### Setup TCPShield Sentry Tunnel (Bash) Source: https://docs.tcpshield.com/vxlan/sentry-tunnel-for-rathena-ragnarok This script configures the network for a TCPShield Sentry Tunnel. It sets up routing tables, creates a VXLAN interface, assigns an IP address, and configures iptables for traffic marking. ```bash grep -q tunnel_table /etc/iproute2/rt_tables || echo "200 tunnel_table" >> /etc/iproute2/rt_tables; ip rule | grep -q "tunnel_table" || ip rule add fwmark 9 table 200 ip link add vxlan_47 type vxlan id 47 remote 198.178.119.30 dstport 34251; ip link set dev vxlan_47 address 12:cc:cb:ab:1f:e8; ip neigh add 172.18.128.2 lladdr 12:dd:cb:ab:1f:e8 dev vxlan_47 nud permanent; ip link set dev vxlan_47 mtu 1450; ip addr add 172.18.128.3/24 dev vxlan_47; ip link set vxlan_47 up ip route add default via 172.18.128.2 dev vxlan_47 table 200 ip addr add dev lo 104.234.6.128/32 iptables -t mangle -I OUTPUT -s 104.234.6.128/32 -j MARK --set-xmark 0x9 iptables -t mangle -A POSTROUTING -s 104.234.6.128/32 -j MARK --set-mark 0 ``` -------------------------------- ### Check IP Route for VXLAN Interface Source: https://docs.tcpshield.com/vxlan/common-issues-and-debugging This snippet demonstrates how to use the `ip route` command to inspect routing table entries. It shows an example output where the private IP address of the VXLAN tunnel is visible, confirming its proper creation. ```bash root@admin:~# ip route ... 172.18.128.0/24 dev vxlan_47 proto kernel scope link src 172.18.128.13 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.89 ... ``` -------------------------------- ### Install netcat on CentOS/Fedora Source: https://docs.tcpshield.com/troubleshooting/disconnected-on-login Installs the netcat utility on CentOS or Fedora-based Linux distributions using the yum package manager. ```bash yum install netcat -y ``` -------------------------------- ### Add CNAME Record for TCPShield Source: https://docs.tcpshield.com/panel/dns-setup This snippet demonstrates how to add a CNAME record in a DNS manager, such as Cloudflare, to point a subdomain to your TCPShield protected CNAME. This is a crucial step for directing traffic to your server through TCPShield. ```text Type: CNAME Name: mc (or your desired subdomain) Target: your-protected-cname.tcpshield.io (replace with your actual CNAME) TTL: Auto (or your preferred setting) ``` -------------------------------- ### Successful netcat connection example Source: https://docs.tcpshield.com/troubleshooting/disconnected-on-login Example output from netcat indicating a successful connection to a server on IP 51.161.99.10 and port 25565, showing the port is open. ```bash $ nc -v 51.161.99.10 25565 -w 3 ip10.ip-51-161-99.net [51.161.99.10] 25565 (?) open ``` -------------------------------- ### Install MTR on Debian/Ubuntu Source: https://docs.tcpshield.com/troubleshooting/high-latency-and-general-lag Installs the 'mtr' (My Traceroute) utility on Debian or Ubuntu-based systems using the apt-get package manager. This tool is essential for diagnosing network latency and packet loss. ```bash apt-get install mtr -y ``` -------------------------------- ### Example Traceroute Output Source: https://docs.tcpshield.com/troubleshooting/how-to-read-a-traceroute This snippet displays a typical traceroute output to tcpshield.net, showing the path packets take and the latency at each hop. It's used to identify potential network bottlenecks. ```text traceroute to tcpshield.net (158.69.40.209), 64 hops max, 52 byte packets 1 10.13.95.1 (10.13.95.1) 302.809 ms 10.786 ms 182.727 ms 2 * * * 3 10.16.122.1 (10.16.122.1) 198.191 ms 33.049 ms 173.817 ms 4 10.16.122.4 (10.16.122.4) 1.832 ms 1.833 ms 1.752 ms 5 10.16.121.1 (10.16.121.1) 2.043 ms 1.957 ms 2.878 ms 6 10.59.226.21 (10.59.226.21) 1.965 ms 1.988 ms 1.919 ms 7 h84.gpvpn.redacted.com (x.x.x.x) 3.016 ms 2.810 ms 3.780 ms 8 h66-244-233-17.bigpipeinc.com (66.244.233.17) 6.295 ms 3.205 ms 3.110 ms 9 * * * 10 rc3so-be31-1.cg.shawcable.net (24.244.0.17) 4.217 ms 3.546 ms 3.533 ms 11 rc4ec-be13.il.shawcable.net (66.163.65.18) 33.704 ms 32.591 ms 37.759 ms 12 chi-5-a9.il.us (178.32.135.200) 32.540 ms 36.926 ms 34.108 ms 13 * * * 14 be7.bhs-vac1-a75.qc.ca (192.99.146.147) 416.777 ms 509.795 ms 432.394 ms 15 * * * 16 * * * ``` -------------------------------- ### TCPShield Tunnel Creation - Endpoint Configuration Source: https://docs.tcpshield.com/vxlan/sentry-tunnel-general-setup This snippet details the 'Endpoint' field during TCPShield tunnel creation. It specifies that the endpoint should be the internal IP address of the backend server and is port-agnostic, allowing multiple services behind a single tunnel. ```text Endpoint : The internal IP address of your backend server (e.g., your VPS or physical machine). This is where the VXLAN tunnel will forward traffic. Since VXLAN tunnel doesn't care which port your service is running on (port-agnostic), the Endpoint should only contains your backend IPv4. Hence you can have multiple services / gameserves being protected behind a single Tunnel instance, which is very useful for scalability. ``` -------------------------------- ### Install MTR on CentOS/Fedora Source: https://docs.tcpshield.com/troubleshooting/high-latency-and-general-lag Installs the 'mtr' (My Traceroute) utility on CentOS or Fedora-based systems using the yum package manager. This tool is crucial for network diagnostics. ```bash yum install mtr -y ``` -------------------------------- ### Configure iptables and ipset for Firewall Source: https://docs.tcpshield.com/premium-features/geyser This snippet sets up firewall rules using `ipset` to manage a list of IP addresses and `iptables` to filter UDP traffic. It first clears and creates an ipset named 'tcpshield', then populates it with IPs from a provided URL. Finally, it configures `iptables` to accept UDP traffic on port 19132 from IPs in the 'tcpshield' set and drop all other UDP traffic on the same port. ```bash ipset -F tcpshield ipset -X tcpshield ipset -N tcpshield nethash for IP in $(curl -q https://tcpshield.com/v4/); do ipset -A tcpshield $IP done iptables -t raw -F iptables -t raw -A PREROUTING -m set --match-set tcpshield src -p udp --dport 19132 -j ACCEPT iptables -t raw -A PREROUTING -p udp --dport 19132 -j DROP ``` -------------------------------- ### TCPShield Tunnel Creation - Port Assignment Source: https://docs.tcpshield.com/vxlan/sentry-tunnel-general-setup This snippet explains the port assignment during TCPShield tunnel creation. It clarifies that a port is automatically assigned for VXLAN tunnel communication with the backend and is distinct from the service's actual port. ```text Port : A port will be automatically assigned from the range 32768–60999. This is the port our VXLAN tunnel will use to communicate with your backend. No need to change this unless you have specific routing or firewall requirements. This assigned port is **NOT** your service port (e.g., **6900** for Ragnarok or **25565** for Minecraft). Your application will continue to listen on its usual port. The VXLAN tunnel just forwards traffic to that original port via the backend IP. ``` -------------------------------- ### Verify iptables Configuration Source: https://docs.tcpshield.com/vxlan/sentry-tunnel-for-bedrock-geyser-pocketmine This command displays the current iptables rules saved on the system. It allows administrators to verify that the correct rules for port forwarding and traffic management have been implemented. ```bash iptables-save ``` -------------------------------- ### Linux VXLAN Tunnel Setup Script Source: https://docs.tcpshield.com/vxlan/sentry-tunnel-for-fivem-gta-online This script configures VXLAN networking for a tunnel, setting up routing rules, network interfaces, and iptables for traffic forwarding. It's designed for Linux environments to enable VXLAN communication. ```bash grep -q tunnel_table /etc/iproute2/rt_tables || echo "200 tunnel_table" >> /etc/iproute2/rt_tables; ip rule | grep -q "tunnel_table" || ip rule add fwmark 9 table 200 ip link add vxlan_47 type vxlan id 47 remote 198.178.119.30 dstport 34251; ip link set dev vxlan_47 address 12:cc:cb:ab:1f:e8; ip neigh add 172.18.128.2 lladdr 12:dd:cb:ab:1f:e8 dev vxlan_47 nud permanent; ip link set dev vxlan_47 mtu 1450; ip addr add 172.18.128.3/24 dev vxlan_47; ip link set vxlan_47 up ip route add default via 172.18.128.2 dev vxlan_47 table 200 ip addr add dev lo 104.234.6.128/32 iptables -t mangle -I OUTPUT -s 104.234.6.128/32 -j MARK --set-xmark 0x9 iptables -t mangle -A POSTROUTING -s 104.234.6.128/32 -j MARK --set-mark 0 ``` -------------------------------- ### Example MTR Output (Problematic) Source: https://docs.tcpshield.com/troubleshooting/high-latency-and-general-lag An example of a problematic 'mtr' output indicating significant packet loss (85.3%) on a specific hop (hop 4) between networks. This suggests a network issue that may require contacting a hosting provider. ```text Packets Pings Host Loss% Snt Last Avg Best Wrst StDev 1. unassigned.psychz.net 0.0% 25 1.3 1.1 0.9 1.4 0.0 2. 10.22.23.1 0.0% 25 0.4 0.8 0.2 6.0 1.0 3. xe-2-0-8.r20.sydnau02.au.bb.gin.ntt.net 0.0% 25 0.5 12.1 0.4 104.7 22.4 4. ae-8.r22.lsanca07.us.bb.gin.ntt.net 85.3% 25 147.1 452.6 146.8 1623.3 262.9 5. ae-1.r00.lsanca07.us.bb.gin.ntt.net 0.0% 25 149.0 151.5 147.2 156.2 2.7 6. be3025.ccr41.lax04.atlas.cogentco.com 0.0% 24 148.5 151.8 146.3 180.7 6.7 7. be3360.ccr42.lax01.atlas.cogentco.com 0.0% 24 150.3 150.9 146.4 156.6 3.0 8. be3177.ccr22.sjc01.atlas.cogentco.com 0.0% 24 164.6 161.2 157.1 165.5 2.6 9. be3144.ccr41.sjc03.atlas.cogentco.com 0.0% 24 163.9 161.4 156.4 171.1 3.3 10. sjo-sv5-bb1-a9.ca.us 0.0% 24 163.5 161.3 156.7 166.1 2.9 11. be100-1368.pao-sv8-bb1-a9.ca.us 0.0% 24 157.2 161.3 157.2 166.7 2.5 12. chi-1-a9.il.us 0.0% 24 223.5 223.7 222.2 226.4 1.0 13. be100-1320.bhs-g1-nc5.qc.ca 0.0% 24 241.3 258.9 240.0 329.6 32.7 14. ??? ``` -------------------------------- ### List Networks using cURL Source: https://docs.tcpshield.com/miscellaneous This example demonstrates how to list all networks associated with your TCPShield account using a cURL command. It requires your API key to be included in the request header. ```bash curl -H 'X-API-Key: YOUR_API_KEY' https://api.tcpshield.com/networks ``` -------------------------------- ### Configure Server for Transfer Packets (Java) Source: https://docs.tcpshield.com/miscellaneous/transfer-packets This snippet shows how to enable transfer packet functionality in a Minecraft server's server.properties file. Ensure this setting is true to allow incoming transfers. ```properties accept-transfers=true ``` -------------------------------- ### Verify PocketMine MP Server Listening Source: https://docs.tcpshield.com/vxlan/sentry-tunnel-for-bedrock-geyser-pocketmine This command verifies that the PocketMine MP server is listening on the correct public IP address and port after configuration changes. ```bash root@admin:~# netstat -plunt | grep 104.234.6.128 udp 0 0 104.234.6.128:19132 0.0.0.0:* 1095804/PocketMine- ``` -------------------------------- ### Whitelist VXLAN Interface with iptables Source: https://docs.tcpshield.com/vxlan/common-issues-and-debugging This snippet demonstrates how to use `iptables` to explicitly whitelist a VXLAN interface for both incoming and outgoing traffic. This is an optional step for specific network configurations. ```bash iptables -I FORWARD -i vxlan_ -j ACCEPT iptables -I FORWARD -o vxlan_ -j ACCEPT ``` -------------------------------- ### List Networks using cURL Source: https://docs.tcpshield.com/miscellaneous/tcpshield-api This example demonstrates how to list all networks associated with your TCPShield account using a cURL command. It requires your API key to be included in the request header. ```bash curl -H 'X-API-Key: YOUR_API_KEY' https://api.tcpshield.com/networks ``` -------------------------------- ### Verify UFW Status Source: https://docs.tcpshield.com/vxlan/sentry-tunnel-for-bedrock-geyser-pocketmine This command displays the current status of the Uncomplicated Firewall (UFW), including active rules and profiles. It's used to confirm that the port-forwarding rules have been applied correctly. ```bash ufw status ``` -------------------------------- ### Whitelist Ports with UFW (Shell) Source: https://docs.tcpshield.com/vxlan/sentry-tunnel-for-rathena-ragnarok Commands to allow incoming UDP and TCP traffic on a specified port using UFW (Uncomplicated Firewall). It also shows how to verify the firewall status. ```shell ufw allow /udp ufw allow /tcp ufw status ``` -------------------------------- ### Tcpdump Output Before Disabling rp_filter Source: https://docs.tcpshield.com/vxlan/common-issues-and-debugging Example output from `tcpdump` showing only ingress UDP traffic on port 19132 for a VXLAN interface, indicating that outgoing replies are being silently dropped by the system. ```text root@admin:~# sudo tcpdump -nni any udp port 19132 tcpdump: data link type LINUX_SLL2 tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes 15:15:30.707370 vxlan_47 In IP 14.231.20.10.62338 > 104.234.6.137.19132: UDP, length 33 15:15:43.571573 vxlan_47 In IP 14.231.20.10.63192 > 104.234.6.137.19132: UDP, length 1172 15:15:44.084121 vxlan_47 In IP 14.231.20.10.63192 > 104.234.6.137.19132: UDP, length 1172 15:15:44.598862 vxlan_47 In IP 14.231.20.10.63192 > 104.234.6.137.19132: UDP, length 1172 ``` -------------------------------- ### Allow UDP and TCP Connections with UFW Source: https://docs.tcpshield.com/vxlan/common-issues-and-debugging This snippet shows the `ufw` commands to allow incoming UDP and TCP traffic to a specified port. These commands are used to configure the Uncomplicated Firewall to accept necessary connections. ```bash ufw allow /udp ufw allow /tcp ``` -------------------------------- ### Tcpdump Output After Disabling rp_filter Source: https://docs.tcpshield.com/vxlan/common-issues-and-debugging Example output from `tcpdump` after disabling Reverse Path Filtering, showing both ingress and egress UDP traffic on port 19132 for the VXLAN interface, confirming successful bi-directional communication. ```text root@admin:~# sudo tcpdump -nni any udp port 19132 tcpdump: data link type LINUX_SLL2 tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes 20:02:32.691465 vxlan_47 In IP 14.231.20.10.55407 > 104.234.6.137.19132: UDP, length 1164 20:02:32.691550 vxlan_47 In IP 14.231.20.10.55407 > 104.234.6.137.19132: UDP, length 1164 20:02:32.691665 vxlan_47 In IP 14.231.20.10.55407 > 104.234.6.137.19132: UDP, length 1112 20:02:32.696211 vxlan_47 Out IP 104.234.6.137.19132 > 14.231.20.10.55407: UDP, length 43 20:02:32.726227 vxlan_47 Out IP 104.234.6.137.19132 > 14.231.20.10.55407: UDP, length 550 ``` -------------------------------- ### TCPShield IP Whitelist Format Source: https://docs.tcpshield.com/panel/tcpshield-plugin This snippet demonstrates the format for creating an IP whitelist file for TCPShield. It shows how to list IP addresses or ranges using CIDR notation, with each entry on a new line. ```text 128.24.55.1/32 54.44.33.22/27 ``` -------------------------------- ### Verify VXLAN Tunnel with Ping Source: https://docs.tcpshield.com/vxlan/common-issues-and-debugging This snippet demonstrates how to use the `ping` command to verify that a VXLAN tunnel has been established by pinging the private IP address of the tunnel. It shows sample output indicating successful packet transmission and reception. ```bash root@admin:~# ping 172.18.128.13 PING 172.18.128.13 (172.18.128.13) 56(84) bytes of data. 64 bytes from 172.18.128.13: icmp_seq=1 ttl=64 time=49.4 ms 64 bytes from 172.18.128.13: icmp_seq=2 ttl=64 time=49.4 ms 64 bytes from 172.18.128.13: icmp_seq=3 ttl=64 time=49.7 ms 64 bytes from 172.18.128.13: icmp_seq=4 ttl=64 time=49.4 ms ^C --- 172.18.128.13 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3005ms rtt min/avg/max/mdev = 49.362/49.458/49.722/0.152 ms ``` -------------------------------- ### Configure Proxy Protocol for Velocity Source: https://docs.tcpshield.com/panel/panel-configuration If your server uses plugins that authenticate players, you can enable Proxy Protocol in your Velocity proxy's configuration to properly forward player IP addresses. Ensure the TCPShield plugin is not installed when using this method. ```YAML enable-proxy-protocol: true ``` -------------------------------- ### Allow UDP and TCP Connections with iptables Source: https://docs.tcpshield.com/vxlan/common-issues-and-debugging This snippet provides `iptables` commands to allow incoming UDP and TCP traffic to a specified port, and outgoing traffic from that port. These rules are essential for opening backend ports for external connections. ```bash iptables -I INPUT -p udp --dport -j ACCEPT iptables -I INPUT -p tcp --dport -j ACCEPT iptables -I OUTPUT -p tcp --sport -j ACCEPT iptables -I OUTPUT -p udp --sport -j ACCEPT ``` -------------------------------- ### Verify VXLAN Tunnel IP-to-MAC Resolution with Arping Source: https://docs.tcpshield.com/vxlan/common-issues-and-debugging This snippet shows how to use the `arping` command with the VXLAN interface to confirm IP-to-MAC address resolution, which is crucial for virtual link integrity. It includes sample output with the resolved MAC address. ```bash root@admin:~# arping -I vxlan_47 172.18.128.13 ARPING 172.18.128.13 42 bytes from 02:ab:cd:34:56:78 (172.18.128.13): index=0 time=44.839 msec 42 bytes from 02:ab:cd:34:56:78 (172.18.128.13): index=1 time=44.860 msec 42 bytes from 02:ab:cd:34:56:78 (172.18.128.13): index=2 time=44.852 msec 42 bytes from 02:ab:cd:34:56:78 (172.18.128.13): index=3 time=44.826 msec 42 bytes from 02:ab:cd:34:56:78 (172.18.128.13): index=4 time=44.827 msec 42 bytes from 02:ab:cd:34:56:78 (172.18.128.13): index=5 time=45.180 msec 42 bytes from 02:ab:cd:34:56:78 (172.18.128.13): index=6 time=45.047 msec ^C --- 172.18.128.13 statistics --- 7 packets transmitted, 7 packets received, 0% unanswered (0 extra) rtt min/avg/max/std-dev = 44.826/44.919/45.180/0.129 ms ``` -------------------------------- ### Whitelist VXLAN Interface with UFW Source: https://docs.tcpshield.com/vxlan/common-issues-and-debugging This snippet shows the `ufw` commands to allow traffic routing through a specified VXLAN interface, both inbound and outbound. This is an optional configuration for enhancing VXLAN traffic control. ```bash sudo ufw route allow in on vxlan_ to any sudo ufw route allow out on vxlan_ to any ``` -------------------------------- ### Configure Layer 7 Mitigation Settings Source: https://docs.tcpshield.com/premium-features/premium-panel-features Allows configuration of Layer 7 settings to enhance security and control access. Includes setting thresholds for connections per second, ban duration, validation whitelist duration, and custom denial messages. ```text Connections Per Second Threshold: Control the maximum number of connections per second your server should receive before TCPShield's L7 mitigation kicks in. Ban Seconds: Specifies the duration for which an IP address will be banned across all proxies if it fails a challenge. Allow Seconds: Sets the duration in seconds that valid connections should be accepted after being validated during Layer 7 attacks. Mitigation message: Customize the response message displayed after a user's connection is denied. ``` -------------------------------- ### Verify VXLAN Tunnel Creation with ip command Source: https://docs.tcpshield.com/vxlan/sentry-tunnel-for-bedrock-geyser-pocketmine This command verifies the successful creation and status of a VXLAN tunnel. It displays statistics about received and transmitted data, errors, and dropped packets for the specified tunnel interface. ```bash ip -s link show vxlan_ ```