
Plesk Firewall blocks opened ports

Zane901267

New Pleskian
Hey there,

I have a little problem. I've configured my firewall to block every connection except those for which I've defined a rule. After saving the configuration, and even after restarting my server, the firewall still blocks the opened ports. The only way to get a connection is to activate the system policies for outgoing/incoming traffic, but this can't be the solution, or do I understand the explanation of the rules wrong? As I understand it, the firewall should block all connections except those which I've explicitly defined to be opened.
For example, I've opened ports 80 and 443 for downloading some software for my server, but the firewall blocks that.
I haven't really found an appropriate solution on the internet; I hope I will find one here.

Greetings,
Lucas
 
Not enough information to reply anything useful. Please paste your iptables-save output and make a screenshot of your Plesk firewall settings.
 
Okay, here is the missing information.
First, the output from iptables-save:

# Generated by iptables-save v1.4.16.3 on Sun May 4 14:56:40 2014
*nat
:PREROUTING ACCEPT [13:776]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [20:1436]
COMMIT
# Completed on Sun May 4 14:56:40 2014
# Generated by iptables-save v1.4.16.3 on Sun May 4 14:56:40 2014
*mangle
:PREROUTING ACCEPT [805:59904]
:INPUT ACCEPT [805:59904]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [667:276224]
:POSTROUTING ACCEPT [647:274788]
COMMIT
# Completed on Sun May 4 14:56:40 2014
# Generated by iptables-save v1.4.16.3 on Sun May 4 14:56:40 2014
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 11444 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8447 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8880 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 106 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9008 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i lo -o lo -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 5224 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
# Completed on Sun May 4 14:56:40 2014

And second, the screenshots of my firewall configuration. I've changed the panel language to English; however, my custom rules are still in German.

[Attached screenshots: Bildschirmfoto 2014-05-04 um 15.07.24.jpg, Bildschirmfoto 2014-05-04 um 15.21.32.jpg]

The operating system is openSUSE 12.3.

Greetings,
Lucas
 
Okay, both the iptables output and your screenshot seem to allow tcp/80 both in- and outgoing. So if you are still unable to connect to external web services, I doubt this is the source of your problem.

However, do understand that you are blocking _all_ outgoing traffic, except for established connections. For example, if I read your config correctly you are blocking outgoing DNS requests. Perhaps that is why you are unable to connect to external services?

What does the wget output show? E.g. run:
wget http://www.google.com/ -4

Personally, I don't believe in iptables blocking ports. Ports that you don't want to be publicly accessible shouldn't be listening on your external interface in the first place. CentOS especially has a habit of running/installing all kinds of useless services such as gpm, portmap, etc. Just deinstall those services. If you have a system that only accepts connections to ports you actually want (e.g. only ftp, web and mail services), you don't need to block other ports. Blocking outgoing ports is only frustrating to your users if they want to legitimately use external services. But that is just my 0.02.
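As an added illustration (not code from the thread or from Plesk), the following script models how the OUTPUT chain posted above treats the first packet of a new outbound connection, and shows why HTTP on tcp/80 is accepted while a DNS lookup on udp/53 falls through to the final DROP. The chain excerpt is copied from the dump in the thread; the interface name eth0 is an assumption.

```python
# Constructed excerpt of the filter table from the iptables-save dump posted in
# this thread; only the OUTPUT chain matters for outbound connection attempts.
DUMP = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
"""

def parse_chain(dump, chain):
    """Return (default policy, list of rule argv lists) for one filter chain."""
    policy, rules = None, []
    for line in dump.splitlines():
        if line.startswith(":%s " % chain):
            policy = line.split()[1]
        elif line.startswith("-A %s " % chain):
            rules.append(line.split()[2:])
    return policy, rules

def rule_matches_new(argv, proto, dport, out_if):
    """Does this rule match the first packet (ctstate NEW, a plain SYN for TCP)
    of a new outbound connection? Only the matches used in the dump are modelled."""
    toks = iter(argv)
    for tok in toks:
        if tok == "-p" and next(toks) != proto: return False
        if tok == "-o" and next(toks) != out_if: return False
        if tok == "--dport" and int(next(toks)) != dport: return False
        if tok == "--ctstate" and "NEW" not in next(toks).split(","):
            return False          # RELATED/ESTABLISHED/INVALID never match a fresh connection
        if tok == "!" and next(toks) == "--tcp-flags":
            next(toks); next(toks)
            return False          # a normal SYN has exactly SYN set, so the negated match fails
    return True

def verdict(dump, proto, dport, out_if="eth0"):
    """First matching rule's target, or the chain policy if nothing matches."""
    policy, rules = parse_chain(dump, "OUTPUT")
    for argv in rules:
        if rule_matches_new(argv, proto, dport, out_if):
            return argv[argv.index("-j") + 1]
    return policy

# The fix the thread arrives at: allow outbound DNS before the catch-all DROP.
FIXED = DUMP.replace("-A OUTPUT -j DROP",
                     "-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT\n"
                     "-A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT\n"
                     "-A OUTPUT -j DROP")
```

With the original chain, `verdict(DUMP, "tcp", 80)` is ACCEPT but `verdict(DUMP, "udp", 53)` is DROP, which is exactly why wget could never resolve a hostname; with FIXED both are ACCEPT.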
 
I've configured my system following a recommendation that only connections I have explicitly allowed should be admitted.
Now, after I've allowed outgoing DNS requests, I get a connection again. It seems that this was my problem.
The firewall configuration on Windows was a little easier than on Linux. I'm just moving to Linux at the moment.
I had assumed that Linux or Plesk would bring the necessary predefined rules; I had similar problems under Windows the first time.

Greetings,
Lucas
 
I disagree with the recommendation you got, for multiple reasons:

This firewall will prevent both legitimate and rogue connections. So it might prevent your users from retrieving data from legitimate sources, and it will also block outgoing connections that might occur due to some site participating in a botnet or something like that. However, it does _not_ protect your server from being hacked in the first place. It might actually prevent you from noticing the hack, because the (often fully automatic) evil code is unable to establish a connection to a botnet server or C&C machine.

So if your aim with this firewall is to prevent getting hacked, it won't work. You might as well disable the firewall if that is the sole purpose. This firewall only prevents connections that might occur after your site/server has been hacked, but it will also block connections to legitimate destinations.

To sum things up:
1) This firewall does not prevent your server from getting hacked. Nor does it make it harder for an attacker. 99.9% of the hacks today are done by hacking server-side scripts, such as PHP sites (Joomla/WordPress).
2) This firewall can (and will sooner or later) prevent legitimate access to remote services. You just confirmed this by having your DNS firewalled, causing problems.
3) This firewall will also prevent (from what I can see) FTP connections, as you are blocking all in- and outgoing ports except those that you specified.
4) This firewall could prevent you from noticing that a site got hacked.

Just my 0.02.

Glad that your issue is fixed tho ;)
 
So, thanks for your help and your tips. I think I'll check my configuration once more and read more about the topic.

Greetings,
Lucas
 