Issue Gateway 'sort of not working'

AHAutomation · Mar 7, 2020

CentOS Linux 7.4.1708 (Core) Plesk Onyx Version 17.8.11 Update #83, last updated on Feb 26, 2020 03:41 AM

Problem:
ping to gateway ip or to 8.8.8.8 is not working.
Internal DNS/ping is working.
So e-mails are not send out, becuase domains cannot be resolved.
Updates for different extensions are not working etc.

Happend after:
This all happend after enabling 'IP Address Banning', but reverting does not help.
But maybe it was already there, we didnt noticed, because all websites on the Plesk server are working properly.

Firewall rule:
‘System policy for outgoing traffic’ = Allow all other outgoing traffic
No other ‘outgoing’ rules specified

Please let me know, if any further detials could be of help, with determine the issue.

Peter

AHAutomation · Mar 9, 2020

Anyone?

AHAutomation · Mar 9, 2020

Tonight did some testing with the Firewall. And it works again.

Well its very strange.
After switching off the firewall, within the Plesk environment, restart the server, then ping to the gateway and 8.8.8.8 worked again.

Ok, so, after whitelisting the following 4 firewall rules, the Gateway gets mixed up and stops working.

MySQL server	Allow incoming from 1.2.3.4
PostgreSQL server	Allow incoming from 1.2.3.4
rule__service_tomcat	Allow incoming from 1.2.3.4
Samba (file sharing in Windows networks)	Allow incoming from 1.2.3.4

The following script is generated for after applying a whitelist for MySQL:

#!/bin/bash
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.
set -e
echo 0 > /proc/sys/net/ipv4/ip_forward
([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true
apply_rule()
{
iptables_bin="$1"
shift
iptables_version=`/sbin/iptables --version | awk -F '.' '{print $2$3}'`
# Use the native --wait option since v1.4.20
if [ $iptables_version -gt 420 ]; then
$iptables_bin -w $@ 2>/dev/null
return $?
fi
# Emulate --wait for elderly versions
for i in `seq 10`; do
$iptables_bin $@ 2>&1 | grep -q xtable || return 0
sleep 1
done
return 1
}
/sbin/iptables-save -t filter | grep -- "-A INPUT" | grep -v "fail2ban-\|f2b-" | sed -e "s#^-A#apply_rule /sbin/iptables -D#g" | xargs -0 echo -e "`declare -f apply_rule`\n" | /bin/bash
apply_rule /sbin/iptables -F FORWARD
apply_rule /sbin/iptables -F OUTPUT
apply_rule /sbin/iptables -Z FORWARD
apply_rule /sbin/iptables -Z OUTPUT
apply_rule /sbin/iptables -P INPUT DROP
apply_rule /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A INPUT -m state --state INVALID -j DROP
apply_rule /sbin/iptables -P OUTPUT DROP
apply_rule /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
apply_rule /sbin/iptables -P FORWARD DROP
apply_rule /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A FORWARD -m state --state INVALID -j DROP
apply_rule /sbin/iptables -A INPUT -i lo -j ACCEPT
apply_rule /sbin/iptables -A OUTPUT -o lo -j ACCEPT
apply_rule /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
apply_rule /sbin/iptables -t mangle -F
apply_rule /sbin/iptables -t mangle -Z
apply_rule /sbin/iptables -t mangle -P PREROUTING ACCEPT
apply_rule /sbin/iptables -t mangle -P OUTPUT ACCEPT
apply_rule /sbin/iptables -t mangle -P INPUT ACCEPT
apply_rule /sbin/iptables -t mangle -P FORWARD ACCEPT
apply_rule /sbin/iptables -t mangle -P POSTROUTING ACCEPT

apply_rule /sbin/iptables -t nat -F
apply_rule /sbin/iptables -t nat -Z
apply_rule /sbin/iptables -t nat -P PREROUTING ACCEPT
apply_rule /sbin/iptables -t nat -P OUTPUT ACCEPT
apply_rule /sbin/iptables -t nat -P POSTROUTING ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 30000:30400 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 12443 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 11443 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 11444 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 8447 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 22 -s 1.2.3.4 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 22 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 587 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 106 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 3306 -s 1.2.3.4 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 5432 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 9008 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 9080 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p udp --dport 137 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p udp --dport 138 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 139 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 445 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -j DROP
apply_rule /sbin/iptables -A OUTPUT -j ACCEPT
apply_rule /sbin/iptables -A FORWARD -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# End of script
#

mow · Mar 10, 2020

AHAutomation said:
Firewall rule:
‘System policy for outgoing traffic’ = Allow all other outgoing traffic
No other ‘outgoing’ rules specified

However the generated script states
apply_rule /sbin/iptables -P OUTPUT DROP
which is exactly the opposite, Deny all other outgoing traffic, and as you have no other rules, only established/related connections (that were initiated from outside) are allowed by
apply_rule /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
(the other two lines are there to reject or drop corrupted or intentionally crafted invalid packets)

Issue Gateway 'sort of not working'

AHAutomation

New Pleskian

AHAutomation

New Pleskian

AHAutomation

New Pleskian

mow

Silver Pleskian

Similar threads