
Issue Persistent iptables DROP Rule for Docker Container IP 172.17.0.2

Phantasia

New Pleskian
Server operating system version
Ubuntu 22.04.5 LTS
Plesk version and microupdate number
Plesk Obsidian v18.0.70_build1800250617.10 os_Ubuntu 22.04
Hello everyone,

I’m running Plesk Obsidian 18.0.70 on Ubuntu 22.04 and have recently started using Docker (e.g. to host Open WebUI).

Since then, I’ve noticed that a DROP rule against 172.17.0.2 (the Docker bridge IP) keeps getting automatically reinserted into the iptables INPUT chain – likely every 60 seconds or so:

Code:
DROP all -- 172.17.0.2  0.0.0.0/0

This completely blocks external access to the container, even though it is behind a reverse proxy and should be reachable via HTTPS.

After some investigation, I traced the rule back to this script:

Code:
/opt/psa/var/modules/firewall/firewall-active.sh


As a temporary workaround, I’ve created a cronjob that deletes the rule every minute – but the real issue persists in the background.

Important notes:
- I’ve created allow-rules for 172.17.0.2 via the Plesk Firewall GUI several times. They seem to have no effect.
- I’m on Docker 28.2.2, build e6534b4, so I’m well beyond the version where the known issue was supposedly fixed (see: this thread).

So my questions:
  • Was the Docker fix in 28.0.1 only temporary or incomplete?
  • Or is this an issue with Plesk Firewall rewriting rules incorrectly?
  • Is there a proper (update-safe) way to allow internal Docker traffic via 172.17.x.x?

Any help or insight would be greatly appreciated!
 
This is a Docker thing, not a Plesk thing. You would want to expose a port that is mapped to a port in the container itself, then create the proxy to said exposed port of the container.

For example, let's say you are running a container which has its own web server running on port 80. Since port 80 is used by Plesk, you would need to expose a different port that is mapped to port 80. Here's a screenshot of how one of mine is set up: 1750779294189.png
In this example I have port 90 exposed to the host that is mapped to port 80 of the container. This then allows me to create a Docker proxy on my domain to proxy it to said container (you could also just add a custom nginx directive to do the proxying as well, like I did with another container).

Hope this explains it.
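
Added example, not part of either post and not Plesk or Docker code: a diagnostic for the situation described in this thread. It parses `iptables -S INPUT` output, reports source-only DROP/REJECT rules that fall inside Docker's default bridge subnet, and shows which source-only rule decides first for a given address. The sample rules are constructed and the function names are hypothetical.

```python
import ipaddress
import shlex

# Docker's default bridge subnet; 172.17.0.2 from the thread falls inside it.
DOCKER_BRIDGE = ipaddress.ip_network("172.17.0.0/16")

# Constructed sample of `iptables -S INPUT` output (not copied from the thread).
SAMPLE = """\
-P INPUT DROP
-A INPUT -s 172.17.0.2/32 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 172.17.0.2/32 -j ACCEPT
"""

def parse_rules(text, chain="INPUT"):
    """Return (position, source, target, conditional) per appended rule."""
    rules = []
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", chain]:
            continue  # skips the -P policy line and other chains
        src, target, conditional = ipaddress.ip_network("0.0.0.0/0"), None, False
        i = 2
        while i < len(tok):
            if tok[i] == "-s" and tok[i - 1] != "!":
                src = ipaddress.ip_network(tok[i + 1], strict=False)
                i += 2
            elif tok[i] == "-j":
                target = tok[i + 1]
                break  # anything after the target is a target option
            else:
                conditional = True  # any other match narrows the rule
                i += 1
        rules.append((len(rules) + 1, src, target, conditional))
    return rules

def bridge_blocks(rules):
    """Source-only DROP/REJECT rules whose source lies in the bridge subnet."""
    return [(pos, str(src)) for pos, src, target, cond in rules
            if not cond and target in ("DROP", "REJECT") and src.subnet_of(DOCKER_BRIDGE)]

def deciding_rule(rules, addr):
    """First source-only ACCEPT/DROP/REJECT rule matching addr (conditional rules ignored)."""
    ip = ipaddress.ip_address(addr)
    for pos, src, target, cond in rules:
        if not cond and target in ("ACCEPT", "DROP", "REJECT") and ip in src:
            return pos, target
    return None
```

On the constructed sample, `deciding_rule(parse_rules(SAMPLE), "172.17.0.2")` returns position 1 with target DROP: the ACCEPT for the same source at position 4 is never reached. Positions match the numbering shown by `iptables -L INPUT --line-numbers`.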
 