Question IPv4 forwarding rule

[FloLa]

Server operating system version

Debian 10.0

Plesk version and microupdate number

Plesk Obsidian v18.0.68_build1800250319.12

I have a management server with a public IP address, and I want to give my VMs, all of which are accessible internally with a 10-series IP address and don't have a public Internet connection, access to the internet so that updates, etc., are possible, but they aren't accessible from outside.

I found the following solution:

In: /etc/sysctl.conf
Change: net.ipv4.ip_forward=1
Save: sysctl -p

Now only one firewall entry needs to be changed which looks like this and this is exactly where I think the problem lies:

apt install netfilter-persistent
netfilter-persistent save

iptables -t nat -A POSTROUTING -s <ip-net> -o <interface> -j MASQUERADE

As far as I remember, Plesk uses IPTables and overwrites the rules whenever a change occurs.
Is there a way to implement the above rule in Plesk, or do I need to create a separate VM that is solely responsible for network operations?

I am grateful for any answers or suggestions.

 

[scsa20]

If your server is behind a firewall or a third party proxy meaning your server has a private IP address you will need to tell it what the public IP address is as well for it knows for internal DNS and what not. This can be done by going to Tools & Settings > Tools & Resources > IP Addresses, click on the private IP address in question and set the public IP address to the IP address that is public to the internet for accessing the firewall or third party proxy. That SHOULD fix the main problem as long as the forwarding on the firewall or proxy is configured correctly.

 

[alvarezcruz]

Plesk will only touch your iptables rules if you enable Plesk Firewall. Just uninstall that and use the system firewall or an external firewall instead.

 

[FloLa]

Plesk will only touch your iptables rules if you enable Plesk Firewall. Just uninstall that and use the system firewall or an external firewall instead.

What matters to me is that I can use both at the same time, that's nothing special.

 

[FloLa]

If your server is behind a firewall or a third party proxy meaning your server has a private IP address you will need to tell it what the public IP address is as well for it knows for internal DNS and what not. This can be done by going to Tools & Settings > Tools & Resources > IP Addresses, click on the private IP address in question and set the public IP address to the IP address that is public to the internet for accessing the firewall or third party proxy. That SHOULD fix the main problem as long as the forwarding on the firewall or proxy is configured correctly.

This isn't really what I'm concerned about, but rather that I can use the Plesk firewall and IP forwarding at the same time.

 

[Kaspar]

As far as I remember, Plesk uses IPTables and overwrites the rules whenever a change occurs.
Is there a way to implement the above rule in Plesk [...]

See Issue - Rigid firewall configuration.

 

[alvarezcruz]

Yes, what he said. Use the event manager to add the rule every time there's a change. You can ask if you need more specific steps for that.

 

[FloLa]

Yes, what he said. Use the event manager to add the rule every time there's a change. You can ask if you need more specific steps for that.

Okay, thanks for the information.
Are there precise instructions on how to enter it using the Event Manager?

Thanks in advance.

 

[alvarezcruz]

Yes, the docs have some: Event Handlers | Plesk Obsidian documentation. It's just adding an event handler in Tools & Settings > Even Manager.
But more specific to you, I think the setting you're looking for is "Firewall rules activated." I haven't tried this before, so you should test to make sure it adds the rule correctly every time there's an update. Let me know if it kind of works and maybe we can figure out how to script it properly.