
Resolved Plesk Firewall and Samba

arriterx
New Pleskian
Server operating system version: Ubuntu 22.04.5 LTS
Plesk version and microupdate number: Version 18.0.64 Web Admin Edition
Hello,
I have a big issue with the Plesk Firewall.

I use Plesk on a Hetzner dedicated server and have a StorageBox with Hetzner with Samba enabled.
So I used to mount.cifs the storagebox on my server without any problems.

Since yesterday I have started to use the Plesk Firewall and I can't understand what I am doing wrong in setting up the Firewall, because once I enable it I can't access my mounted storagebox anymore. I do not have any Samba shared drives on my server, I just want to access my remote storagebox via Samba.

Hetzner supports both IPv4 and IPv6, and my server as well as the storagebox have IPv4+IPv6 addresses.
Here is the debugging I have done so far.
When the Plesk Firewall is disabled I have this output from
Bash:
watch -n 1 "netstat -ve --numeric-ports | grep 445"
(screenshot attachment)

I see that the connection from my server to the storagebox is ESTABLISHED through IPv6, and I can access my storagebox as always without any problems.
My Plesk Firewall is set with these rules:

(screenshot attachment)

When I enable the Plesk Firewall, shortly afterwards the ESTABLISHED connection disappears and I get this output from
Bash:
watch -n 1 "netstat -ve --numeric-ports | grep 445"
(screenshot attachment)

The SYN_SENT line appears for a second and then goes away.
As I know, in TCP every SYN should get an ACK to establish the TCP connection, and I understand the ACK is not received for the Samba SYN request and is blocked by the firewall.

Shouldn't the Plesk Firewall be stateless? It acts like a stateful firewall, since it seems to refuse the ACK for an outgoing connection that is not denied.

Is there a way to fix this, maybe manually adding a rule?

Need extremely urgent help if possible.

Thank you all in advance for help.

Best regards.
 
Hi,

Can you share your current iptables rules? You can get them by running:
Code:
iptables -S

Plesk firewall adds the following rules which will match any traffic initiated by the server and block invalid requests:
Code:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT

How do you actually connect to the SMB server?
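The following is an added illustration, not code from the thread or from Plesk: a small Python model of the four state rules quoted above plus the poster's "--dport 445 DROP" rule, walked in iptables order. It shows why a SYN-ACK coming back from the storagebox is decided by the conntrack state (ESTABLISHED accepted, INVALID dropped) before any port rule is reached. The conntrack classification itself is assumed as an input; the real kernel computes it.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str           # "tcp" or "udp"
    dport: int           # destination port on the Plesk server
    flags: set           # TCP flags present, e.g. {"SYN", "ACK"}
    ctstate: str         # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    iface: str = "eth0"  # ingress interface (assumed name)


def plesk_input_chain(pkt: Packet) -> str:
    """Walk the INPUT rules in the order Plesk inserts them; policy is DROP."""
    # -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # A SYN-ACK answering a SYN we sent is the reply direction of a tracked
    # flow, so conntrack reports ESTABLISHED and it is accepted right here.
    if pkt.ctstate in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    # -A INPUT -p tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW
    #   -j REJECT --reject-with tcp-reset
    # A NEW connection whose first packet is not a bare SYN is reset.
    if pkt.proto == "tcp" and pkt.ctstate == "NEW":
        if pkt.flags & {"FIN", "SYN", "RST", "ACK"} != {"SYN"}:
            return "REJECT --reject-with tcp-reset"
    # -A INPUT -m state --state INVALID -j DROP
    # If conntrack has no entry for the flow (expired, or the outbound SYN
    # was never tracked), the reply ends up here and is silently dropped.
    if pkt.ctstate == "INVALID":
        return "DROP"
    # -A INPUT -i lo -j ACCEPT
    if pkt.iface == "lo":
        return "ACCEPT"
    # Service rules from the poster's list; only the SMB ones are modelled.
    if pkt.proto == "tcp" and pkt.dport in {139, 445}:
        return "DROP"
    return "DROP"  # -A INPUT -j DROP


def smb_reply_verdicts() -> dict:
    """Verdicts for a reply from the storagebox (sport 445) to our port 55886."""
    synack = {"SYN", "ACK"}
    return {
        "tracked reply": plesk_input_chain(Packet("tcp", 55886, synack, "ESTABLISHED")),
        "untracked reply": plesk_input_chain(Packet("tcp", 55886, synack, "INVALID")),
        "inbound SMB SYN": plesk_input_chain(Packet("tcp", 445, {"SYN"}, "NEW")),
    }
```

The practical consequence is that an outbound SMB session only works while conntrack holds an entry for it; a reply that conntrack cannot match never reaches the port rules at all.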
 
Hello Raul,

thank you very much for your reply.

Here is my iptables -S output:
Bash:
root@ds2 ~ # iptables -S

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport XXXXX -j ACCEPT
-A INPUT -p udp -m udp --dport 68 -j DROP
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 49152:65535 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 49152:65535 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 49152:65535 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:65535 -j DROP
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 8447 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 8447 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8447 -j DROP
-A INPUT -s XX.XX.XX.XX/XX -p udp -m udp --dport 8443 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p udp -m udp --dport 8443 -j ACCEPT
-A INPUT -p udp -m udp --dport 8443 -j DROP
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j DROP
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 8880 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 8880 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 8880 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 8880 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 8880 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8880 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j DROP
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s XX.XX.XX.XX/XX -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 587 -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j DROP
-A INPUT -p tcp -m tcp --dport 465 -j DROP
-A INPUT -p tcp -m tcp --dport 110 -j DROP
-A INPUT -p tcp -m tcp --dport 995 -j DROP
-A INPUT -p tcp -m tcp --dport 143 -j DROP
-A INPUT -p tcp -m tcp --dport 993 -j DROP
-A INPUT -p tcp -m tcp --dport 106 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 5432 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p udp -m udp --dport 53 -j DROP
-A INPUT -p tcp -m tcp --dport 53 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i lo -o lo -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT

Here is how my remote SMB storage for backup is connected:
(screenshot attachment)
 
Hi,

I don't see any firewall issues here. On the INPUT chain you have the ``RELATED,ESTABLISHED`` rule and the OUTPUT chain has an accept all rule.
Thus your server can initiate connections to any external address. Any reply from the external address will be accepted in the firewall because of the ``RELATED,ESTABLISHED`` rule.

From your Plesk server can you test if the SMB server accepts connections on the 445 and 139 ports?
Code:
echo 'exit' | telnet xxx.your-storagebox.de 445
echo 'exit' | telnet xxx.your-storagebox.de 139

A successful connection would be:
Trying xxx.your-storagebox.de...
Connected to xxx.your-storagebox.de.
Escape character is '^]'.
Connection closed by foreign host.

A failed connection would be:
Trying xxx.your-storagebox.de...
telnet: Unable to connect to remote host: Connection refused

What Mount interface is that? Is it in Plesk?

Did you try to mount the share using Linux mount tool?
 
Hello again Raul,

so the telnet tests of the SMB storage are the following:
(screenshot attachment)
(screenshot attachment)

The mount interface is from Webmin 2.202, not from Plesk, since I have both installed.
The Webmin mount interface uses mount.cifs to mount the network drives.
I can't see where the issue might be, if you say that the Plesk Firewall is set up well, but the connection with the SMB drive cannot be established :(
 
Have you tried disabling the Firewall to see if that makes any difference?
Hey Kaspar,

yes, I have tried. Everything is described in my first post in this thread. Without the Plesk Firewall the SMB remote storage works like a charm, but I want the Plesk Firewall enabled with the necessary rules for the SMB remote storage to work as well.
 
I don't see why the mount wouldn't work.

Since you have all the details saved on the system, try to run this while connected via SSH as root:
Code:
mount -t cifs -o rw,vers=3.0,credentials=/etc/backup-credentials.txt,dir_mode=0775,file_mode=0775 //xxx.your-storagebox.de/backup /mnt/backup

To unmount, run:
Code:
umount -t cifs /mnt/backup
 
Hello Raul!

There is no problem with the mount, it works, but I get this when I try to connect:

(screenshot attachment)

Once I disable the firewall it displays the SMB folder contents without a problem.

Are there any other tests I can perform to debug the problem, besides netstat?
 
The established connection on my side is from a random port to port 445
# ss -natp
State Recv-Q Send-Q Local Address:port Peer Address:port
ESTAB 0 0 172.18.44.37:55886 192.168.xx.231:445
Can you try to remove the Source from the ``FTP Passive ports`` firewall rule?
 
Consider that in my case IPv6 is used.
(screenshot attachment)

The SYN-SENT appears and after a second or two disappears, and this is what happens.
I have enabled "allow all" for FTP Passive Ports!
The current rule is
Code:
-A INPUT -p tcp -m tcp --dport 49152:65535 -j ACCEPT

Does it work for IPv4 and IPv6 as well?
 
Plesk firewall sets both IPv4 and IPv6. You can check with:
Code:
ip6tables -S
Code:
root@ds2 ~ # ip6tables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 546 -j DROP
-A INPUT -p tcp -m tcp --dport 49152:65535 -j ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j DROP
-A INPUT -p tcp -m tcp --dport 25 -j DROP
-A INPUT -p tcp -m tcp --dport 465 -j DROP
-A INPUT -p tcp -m tcp --dport 110 -j DROP
-A INPUT -p tcp -m tcp --dport 995 -j DROP
-A INPUT -p tcp -m tcp --dport 143 -j DROP
-A INPUT -p tcp -m tcp --dport 993 -j DROP
-A INPUT -p tcp -m tcp --dport 106 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 5432 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p udp -m udp --dport 53 -j DROP
-A INPUT -p tcp -m tcp --dport 53 -j DROP
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 130/0 -j DROP
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134/0 -j DROP
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135/0 -j DROP
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136/0 -j DROP
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137/0 -j DROP
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128/0 -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 129/0 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i lo -o lo -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT

Is there something preventing the normal connection to the SMB storage over IPv6?
 
I don't see anything that would block the SMB connection.

Try to add an INPUT and an OUTPUT rule that will allow connection from and to the SMB server. Add both IPv4 and IPv6 addresses.

Code:
iptables -I INPUT -s ipv4addr -j ACCEPT
ip6tables -I INPUT -s ipv6addr -j ACCEPT

iptables -I OUTPUT -d ipv4addr -j ACCEPT
ip6tables -I OUTPUT -d ipv6addr -j ACCEPT

This should bypass the firewall. Please let me know if with the above it allows you to connect to the SMB share.
 
Hey dear Raul,

the Hetzner Storage Box should be added (and I actually use this method as well) via domain name (XXXXX.your-storagebox.de) and not via IPv4/IPv6 address, since those are subject to change without any notice; only the DNS name remains static.
Should I try to nslookup XXXXX.your-storagebox.de, get both the current IPv4 + IPv6 addresses and use the rules you pointed out above to add them to iptables/ip6tables?

Thank you so much for trying to help me out!!!
 
Yes, you should try to get both IPv4 and IPv6 addresses and add accept rules for them.
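As an added example (not from the thread or from Plesk) for the bypass rules suggested earlier and the resolve-the-hostname step agreed on here: a Python helper that looks up every current A and AAAA record of the storagebox name and emits the matching iptables/ip6tables commands for review. It deliberately narrows the earlier allow-all rules to TCP port 445 only; the hostname is a placeholder, and the resolver can be replaced (as the test does) so the rule generation runs without DNS.

```python
import socket


def resolve_all(host: str):
    """Return (ipv4_addresses, ipv6_addresses) for host via the system resolver."""
    v4, v6 = set(), set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, 445, proto=socket.IPPROTO_TCP):
        if family == socket.AF_INET:
            v4.add(sockaddr[0])
        elif family == socket.AF_INET6:
            v6.add(sockaddr[0])
    return sorted(v4), sorted(v6)


def smb_bypass_rules(host: str, resolve=resolve_all) -> list:
    """Commands inserted (-I) ahead of Plesk's rules for one SMB server.

    INPUT matches replies from the server's port 445, OUTPUT matches our
    requests to it; both IPv4 and IPv6 records are covered because the
    storagebox may answer on either. Re-run whenever the records change.
    """
    v4, v6 = resolve(host)
    cmds = []
    for tool, addrs in (("iptables", v4), ("ip6tables", v6)):
        for addr in addrs:
            cmds.append(f"{tool} -I INPUT -s {addr} -p tcp --sport 445 -j ACCEPT")
            cmds.append(f"{tool} -I OUTPUT -d {addr} -p tcp --dport 445 -j ACCEPT")
    return cmds


if __name__ == "__main__":
    # Placeholder hostname; replace with the real XXXXX.your-storagebox.de name.
    for cmd in smb_bypass_rules("placeholder.your-storagebox.de"):
        print(cmd)
```

Because the rules are inserted at the top of the chain, they also accept packets conntrack would mark INVALID, which is exactly what makes them a useful diagnostic for the problem in this thread.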
Hello again Raul, unfortunately no success.

The
Code:
ss -natp
still shows that the SYN-SENT packets are not acknowledged.
Maybe I should show you the scripts which Plesk creates before enabling the firewall rules?
They seem to have some info which is not shown in iptables/ip6tables. Maybe there is a bug there?
 