TekOnline

Changing Minecraft Ports on Docker and Oracle Cloud Infrastructure: A Complete Guide

Hosting a Minecraft server on Docker within Oracle Cloud Infrastructure (OCI) requires configuring ports across multiple layers of your infrastructure. This comprehensive guide will walk you through updating ports in your Docker stack, UFW firewall (if installed), and Oracle’s VCN security lists.

Table of Contents

  1. Understanding the Port Layers
  2. Step 1: Configuring Docker Stack
  3. Step 2: Updating UFW Firewall Rules
  4. Step 3: Configuring Oracle VCN Security Lists
  5. Testing Your Configuration
  6. Troubleshooting

Understanding the Port Layers

When hosting Minecraft on OCI with Docker, traffic flows through three main layers:

  1. Docker Container – The Minecraft server listens on a port inside the container
  2. UFW Firewall – Ubuntu’s firewall that controls traffic at the OS level
  3. Oracle VCN Security List – OCI’s network security rules that control ingress/egress

For your Minecraft server to be accessible, all three layers must allow traffic on your chosen port.

Step 1: Configuring Docker Stack

Docker Compose Configuration

If you’re using Docker Compose (recommended), you’ll need to update your docker-compose.yml file. Here’s an example configuration:

version: '3.8'

services:
  minecraft:
    image: itzg/minecraft-server
    container_name: minecraft-server
    ports:
      - "25565:25565"  # Host:Container format
      # To change port, modify the first number:
      - "25566:25565"  # Example: Host port 25566 → Container port 25565
    environment:
      EULA: "TRUE"
      VERSION: "LATEST"
      TYPE: "VANILLA"
      MEMORY: "2G"
    volumes:
      - ./minecraft-data:/data
    restart: unless-stopped

Changing the Port

To change your Minecraft port:

  1. Stop the current container:docker-compose down # or docker stop minecraft-server
  2. Edit the port mapping in your docker-compose.yml:ports: - "YOUR_NEW_PORT:25565" # Replace YOUR_NEW_PORT with your desired port
  3. Restart the stack:docker-compose up -d

Verifying Docker Port Mapping

Check if the port is correctly mapped:

# List running containers and their port mappings
docker ps

# Inspect the container's network settings
docker inspect minecraft-server | grep -A 10 "Ports"

# Test if the port is listening
sudo netstat -tlnp | grep YOUR_NEW_PORT
# or
sudo ss -tlnp | grep YOUR_NEW_PORT

Direct Docker Run Command

If you’re running Docker directly without Compose:

docker run -d \
  --name minecraft-server \
  -p YOUR_NEW_PORT:25565 \
  -e EULA=TRUE \
  -e VERSION=LATEST \
  itzg/minecraft-server

Step 2: Updating UFW Firewall Rules

UFW (Uncomplicated Firewall) is Ubuntu’s default firewall. If installed, it will block incoming connections unless explicitly allowed.

Check UFW Status

First, verify if UFW is installed and active:

# Check if UFW is installed
which ufw

# Check UFW status
sudo ufw status verbose

If UFW is not installed and you don’t need it, you can skip this section. However, for security, it’s recommended to use UFW.

Adding Firewall Rules

  1. Allow the new Minecraft port:# Allow TCP traffic on your new port sudo ufw allow YOUR_NEW_PORT/tcp # Example: Allow port 25566 sudo ufw allow 25566/tcp
  2. Remove the old port rule (if changing ports):# Remove the old port rule sudo ufw delete allow OLD_PORT/tcp # Example: Remove port 25565 sudo ufw delete allow 25565/tcp
  3. Enable UFW (if not already enabled):sudo ufw enable

Advanced UFW Configuration

For more granular control, you can specify source IPs or ranges:

# Allow port from specific IP
sudo ufw allow from 192.168.1.100 to any port YOUR_NEW_PORT proto tcp

# Allow port from specific subnet
sudo ufw allow from 192.168.1.0/24 to any port YOUR_NEW_PORT proto tcp

Verifying UFW Rules

# List all rules
sudo ufw status numbered

# Check specific port
sudo ufw status | grep YOUR_NEW_PORT

Troubleshooting UFW

If you accidentally block yourself:

# Temporarily disable UFW to regain access
sudo ufw disable

# Or allow SSH first (port 22)
sudo ufw allow 22/tcp

Step 3: Configuring Oracle VCN Security Lists

Oracle Cloud Infrastructure uses Security Lists (or Network Security Groups) to control network traffic at the VCN level. This is critical – even if Docker and UFW are configured correctly, traffic will be blocked if the Security List doesn’t allow it.

Accessing Security Lists

  1. Log into Oracle Cloud Console:
    • Navigate to: Networking → Virtual Cloud Networks
    • Select your VCN
  2. Locate Security Lists:
    • Click on Security Lists in the left sidebar
    • You’ll see a list of security lists (usually includes a default security list)

Adding Ingress Rule

  1. Select your Security List:
    • Click on the security list name (typically the default security list)
  2. Add Ingress Rule:
    • Click Add Ingress Rules
    • Fill in the following:
      • Source Type: CIDR
      • Source CIDR: 0.0.0.0/0 (for public access) or specific IP/subnet
      • IP Protocol: TCP
      • Destination Port Range: YOUR_NEW_PORT (e.g., 25566)
      • Description: Minecraft Server Port
  3. Click Add Ingress Rules

Example Security List Configuration

Here’s what a complete ingress rule looks like:

Stateless: No
Source Type: CIDR
Source CIDR: 0.0.0.0/0
IP Protocol: TCP
Source Port Range: All
Destination Port Range: 25566
Description: Minecraft Server Port

Removing Old Port Rules

If you’re changing ports, remove the old ingress rule:

  1. Find the rule with the old port number
  2. Click the three-dot menu (⋯) next to the rule
  3. Select Delete
  4. Confirm deletion

Using Network Security Groups (NSG)

If you’re using NSGs instead of Security Lists:

  1. Navigate to Networking → Network Security Groups
  2. Select the NSG attached to your compute instance
  3. Click Add Ingress Rules
  4. Configure the same way as Security Lists

OCI CLI Alternative

You can also manage Security Lists via the CLI:

# Add ingress rule via CLI
oci network security-list ingress-rule add \
  --security-list-id <SECURITY_LIST_OCID> \
  --ingress-rules '[{
    "source": "0.0.0.0/0",
    "protocol": "6",
    "isStateless": false,
    "tcpOptions": {
      "destinationPortRange": {
        "min": YOUR_NEW_PORT,
        "max": YOUR_NEW_PORT
      }
    },
    "description": "Minecraft Server Port"
  }]'

Finding Your Security List OCID

# List all security lists in your VCN
oci network security-list list \
  --compartment-id <COMPARTMENT_OCID> \
  --vcn-id <VCN_OCID> \
  --query "data[*].[id,display-name]" \
  --output table

Testing Your Configuration

After making changes across all three layers, verify everything is working:

1. Test Docker Port Binding

# Check if Docker is listening on the port
sudo netstat -tlnp | grep YOUR_NEW_PORT

# Should show something like:
# tcp6  0  0 :::YOUR_NEW_PORT  :::*  LISTEN  12345/docker-proxy

2. Test UFW Rules

# Check UFW allows the port
sudo ufw status | grep YOUR_NEW_PORT

# Test connection locally
telnet localhost YOUR_NEW_PORT
# or
nc -zv localhost YOUR_NEW_PORT

3. Test OCI Security List

# From your local machine (outside OCI)
telnet YOUR_SERVER_IP YOUR_NEW_PORT

# Or use Minecraft's built-in server list ping
# Open Minecraft → Multiplayer → Add Server
# Enter: YOUR_SERVER_IP:YOUR_NEW_PORT

4. Test via VPN/Tailscale Network (Debugging Step)

If you’re having connectivity issues, testing through a VPN like Tailscale can help isolate whether the problem is with public network access, firewall rules, or OCI Security List configuration.

Using Tailscale:

  1. Install Tailscale on your server:curl -fsSL https://tailscale.com/install.sh | sh sudo tailscale up
  2. Install Tailscale on your client machine (if not already installed):
  3. Get the Tailscale IP of your server:# On the server tailscale ip -4 # This will show your Tailscale IPv4 address (e.g., 100.x.x.x)
  4. Test connection through Tailscale:# From your client machine (connected to Tailscale) telnet YOUR_TAILSCALE_IP YOUR_NEW_PORT # Or in Minecraft: # Server Address: YOUR_TAILSCALE_IP:YOUR_NEW_PORT
  5. Interpreting the results:
    • ✅ If it works via Tailscale but not via public IP: The issue is likely with OCI Security List or UFW blocking public traffic
    • ✅ If it works via Tailscale: Docker and the application layer are correctly configured
    • ❌ If it doesn’t work via Tailscale: The issue is likely with Docker port mapping or the Minecraft server itself

Note: Tailscale creates a private mesh network, bypassing OCI Security Lists and most firewall rules. This makes it an excellent tool for debugging network connectivity issues.

5. Full Connectivity Test

Use online tools or Minecraft-specific testers:

Troubleshooting

Port Not Accessible

  1. Check Docker container logs:docker logs minecraft-server
  2. Verify port mapping:docker ps --format "table {{.Names}}\t{{.Ports}}"
  3. Check UFW is not blocking:sudo ufw status verbose
  4. Verify Security List rule:
    • Double-check in OCI Console
    • Ensure rule is enabled (not disabled)
    • Verify destination port matches exactly

Common Issues

Issue: Port changed but server not accessible

  • Solution: Check all three layers (Docker, UFW, OCI Security List)
  • Ensure you restarted Docker containers after changes
  • UFW changes take effect immediately
  • OCI Security List changes may take a few seconds

Issue: “Connection refused” error

  • Solution:
    • Verify Docker container is running: docker ps
    • Check Minecraft server logs for errors
    • Ensure the port in server.properties matches container port (usually 25565)

Issue: “Connection timed out”

  • Solution:
    • Check UFW rules: sudo ufw status
    • Verify OCI Security List allows traffic
    • Check if your instance has a public IP
    • Verify internet gateway is attached to your VCN

Issue: Can connect locally but not remotely

  • Solution:
    • OCI Security List likely blocking – verify ingress rules
    • Check if UFW allows from your IP specifically
    • Verify your instance’s public IP address
    • Debugging step: Try connecting via Tailscale/VPN network to isolate the issue:
      • If connection works via Tailscale → Problem is with OCI Security List or public firewall rules
      • If connection fails via Tailscale → Problem is with Docker or application configuration

Testing with VPN/Tailscale for Debugging

If you’re experiencing connectivity issues, using a VPN mesh network like Tailscale can help isolate the problem:

Why use Tailscale for debugging:

  • Bypasses OCI Security Lists (direct private network connection)
  • Helps identify if the issue is with public network configuration
  • Allows testing Docker/application layer independently of firewall rules

Quick Tailscale Test:

  1. On server: Get Tailscale IPtailscale ip -4
  2. From client (connected to same Tailscale network):# Test port connectivity nc -zv YOUR_TAILSCALE_IP YOUR_NEW_PORT # Or connect in Minecraft using: # YOUR_TAILSCALE_IP:YOUR_NEW_PORT
  3. Results:
    • ✅ Works via Tailscale → Fix OCI Security List/public firewall
    • ❌ Doesn’t work via Tailscale → Check Docker configuration and Minecraft server

Quick Diagnostic Commands

# Full diagnostic script
echo "=== Docker Status ==="
docker ps | grep minecraft

echo "=== Port Listening ==="
sudo netstat -tlnp | grep YOUR_NEW_PORT

echo "=== UFW Status ==="
sudo ufw status | grep YOUR_NEW_PORT

echo "=== Container Logs (last 20 lines) ==="
docker logs --tail 20 minecraft-server

Best Practices

  1. Use non-standard ports for security:
    • Default Minecraft port 25565 is a common target
    • Consider using ports like 25566, 25567, or higher
  2. Restrict source IPs when possible:
    • In OCI Security Lists, use specific CIDR blocks instead of 0.0.0.0/0
    • Configure UFW rules with source IP restrictions
  3. Document your changes:
    • Keep notes of port changes
    • Update any documentation or scripts that reference the old port
  4. Test incrementally:
    • Test Docker changes first (local)
    • Then UFW (from server itself)
    • Finally OCI Security List (from internet)
  5. Keep backups:
    • Backup your docker-compose.yml
    • Document Security List rules before changes

Summary

Changing Minecraft ports on OCI requires coordination across three layers:

  1. ✅ Docker Stack – Update port mappings in docker-compose.yml
  2. ✅ UFW Firewall – Add/remove firewall rules for the new port
  3. ✅ OCI Security List – Configure ingress rules in VCN Security Lists

Always verify changes at each layer before moving to the next, and test connectivity after all changes are complete. Following this guide ensures your Minecraft server remains accessible while maintaining proper security configurations.

Additional Resources

Posted

in

by

jcianci12

Tags:

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *