
Resolved Plesk firewall disables ipv6 incoming and outgoing

Julian Hossack

New Pleskian
I am currently migrating my Plesk server to another (Ubuntu 16.04 Onyx to Ubuntu 18.04 Obsidian, both dedicated cloud servers with 1und1 / IONOS) and noticed my Let's Encrypt renewal failed on the new server. After some testing I discovered that with the Plesk firewall on it would block all IPv6 traffic outgoing (ping6 google.com gives network unavailable) and incoming IPv6 traffic. Disabling the Plesk firewall followed by a server reset would enable IPv6 again. Let's Encrypt will now successfully renew the certificate. All rules in the firewall are set to allow.

Enabling the firewall will instantly kill IPv6 incoming and outgoing.

Any suggestions?
 
Couldn't get this to work. In the file /usr/local/psa/var/modules/firewall/firewall-active.sh there is no occurrence of

apply_rule /sbin/iptables -A OUTPUT -j DROP - probably looks different because this is for Obsidian.
I tried adding it before this instead

apply_rule /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

but no luck - still all incoming and outgoing IPv6 traffic is blocked.

And I'm not sure how to do that manually. The instructions for it are not very clear, at least for my limited understanding.
 
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP all anywhere anywhere state INVALID
ACCEPT all anywhere anywhere
ACCEPT tcp anywhere anywhere tcp dpts:49152:65535
ACCEPT tcp anywhere anywhere tcp dpt:12443
ACCEPT tcp anywhere anywhere tcp dpt:11443
ACCEPT tcp anywhere anywhere tcp dpt:11444
ACCEPT tcp anywhere anywhere tcp dpt:8447
ACCEPT tcp anywhere anywhere tcp dpt:8443
ACCEPT tcp anywhere anywhere tcp dpt:8880
ACCEPT tcp anywhere anywhere tcp dpt:http
ACCEPT tcp anywhere anywhere tcp dpt:https
ACCEPT tcp anywhere anywhere tcp dpt:ftp
ACCEPT tcp anywhere anywhere tcp dpt:ssh
ACCEPT tcp anywhere anywhere tcp dpt:submission
DROP tcp anywhere anywhere tcp dpt:smtp
DROP tcp anywhere anywhere tcp dpt:urd
DROP tcp anywhere anywhere tcp dpt:pop3
DROP tcp anywhere anywhere tcp dpt:pop3s
DROP tcp anywhere anywhere tcp dpt:imap2
DROP tcp anywhere anywhere tcp dpt:imaps
DROP tcp anywhere anywhere tcp dpt:poppassd
ACCEPT tcp anywhere anywhere tcp dpt:mysql
ACCEPT tcp anywhere anywhere tcp dpt:postgresql
ACCEPT udp anywhere anywhere udp dpt:netbios-ns
ACCEPT udp anywhere anywhere udp dpt:netbios-dgm
ACCEPT tcp anywhere anywhere tcp dpt:netbios-ssn
ACCEPT tcp anywhere anywhere tcp dpt:microsoft-ds
ACCEPT udp anywhere anywhere udp dpt:domain
ACCEPT tcp anywhere anywhere tcp dpt:domain
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 134 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 135 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 136 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 137 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 128 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 129 code 0
DROP all anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP all anywhere anywhere state INVALID
ACCEPT all anywhere anywhere
DROP all anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all anywhere anywhere state RELATED,ESTABLISHED
REJECT tcp anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP all anywhere anywhere state INVALID
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere
 
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 134 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 135 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 136 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 137 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 128 code 0
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmptype 129 code 0

I believe this part was added by me in /usr/local/psa/var/modules/firewall/firewall-active.sh from the previous suggestion you made.
 
This is the script file:

#!/bin/bash
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

set -e

echo 0 > /proc/sys/net/ipv4/ip_forward
([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true

apply_rule()
{
    iptables_bin="$1"
    shift

    iptables_version=`/sbin/iptables --version | awk -F '.' '{print $2$3}'`

    # Use the native --wait option since v1.4.20
    if [ $iptables_version -gt 420 ]; then
        $iptables_bin -w $@ 2>/dev/null
        return $?
    fi

    # Emulate --wait for elderly versions
    for i in `seq 10`; do
        $iptables_bin $@ 2>&1 | grep -q xtable || return 0
        sleep 1
    done

    return 1
}

/sbin/iptables-save -t filter | grep -- "-A INPUT" | grep -v "fail2ban-\|f2b-" | sed -e "s#^-A#apply_rule /sbin/iptables -D#g" | while read -r cmd; do ${cmd} || true; done

apply_rule /sbin/iptables -F FORWARD
apply_rule /sbin/iptables -F OUTPUT
apply_rule /sbin/iptables -Z FORWARD
apply_rule /sbin/iptables -Z OUTPUT

apply_rule /sbin/iptables -P INPUT DROP
apply_rule /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A INPUT -m state --state INVALID -j DROP
apply_rule /sbin/iptables -P OUTPUT DROP
apply_rule /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
apply_rule /sbin/iptables -P FORWARD DROP
apply_rule /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A FORWARD -m state --state INVALID -j DROP

apply_rule /sbin/iptables -A INPUT -i lo -j ACCEPT
apply_rule /sbin/iptables -A OUTPUT -o lo -j ACCEPT
apply_rule /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT

apply_rule /sbin/iptables -t mangle -F
apply_rule /sbin/iptables -t mangle -Z
apply_rule /sbin/iptables -t mangle -P PREROUTING ACCEPT
apply_rule /sbin/iptables -t mangle -P OUTPUT ACCEPT
apply_rule /sbin/iptables -t mangle -P INPUT ACCEPT
apply_rule /sbin/iptables -t mangle -P FORWARD ACCEPT
apply_rule /sbin/iptables -t mangle -P POSTROUTING ACCEPT


apply_rule /sbin/iptables -t nat -F
apply_rule /sbin/iptables -t nat -Z
apply_rule /sbin/iptables -t nat -P PREROUTING ACCEPT
apply_rule /sbin/iptables -t nat -P OUTPUT ACCEPT
apply_rule /sbin/iptables -t nat -P POSTROUTING ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 49152:65535 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 12443 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 11443 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 11444 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 8447 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 587 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 25 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 465 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 110 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 995 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 143 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 993 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 106 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 5432 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p udp --dport 137 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p udp --dport 138 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 139 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 445 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -j DROP

apply_rule /sbin/iptables -A OUTPUT -j ACCEPT

apply_rule /sbin/iptables -A FORWARD -j DROP


echo 1 > /proc/sys/net/ipv4/ip_forward

echo 0 > /proc/sys/net/ipv6/conf/all/forwarding
([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true

apply_rule()
{
    iptables_bin="$1"
    shift

    iptables_version=`/sbin/ip6tables --version | awk -F '.' '{print $2$3}'`

    # Use the native --wait option since v1.4.20
    if [ $iptables_version -gt 420 ]; then
        $iptables_bin -w $@ 2>/dev/null
        return $?
    fi

    # Emulate --wait for elderly versions
    for i in `seq 10`; do
        $iptables_bin $@ 2>&1 | grep -q xtable || return 0
        sleep 1
    done

    return 1
}

/sbin/ip6tables-save -t filter | grep -- "-A INPUT" | grep -v "fail2ban-\|f2b-" | sed -e "s#^-A#apply_rule /sbin/ip6tables -D#g" | while read -r cmd; do ${cmd} || true; done

apply_rule /sbin/ip6tables -F FORWARD
apply_rule /sbin/ip6tables -F OUTPUT
apply_rule /sbin/ip6tables -Z FORWARD
apply_rule /sbin/ip6tables -Z OUTPUT

apply_rule /sbin/ip6tables -P INPUT DROP
apply_rule /sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/ip6tables -A INPUT -m state --state INVALID -j DROP
apply_rule /sbin/ip6tables -P OUTPUT DROP
apply_rule /sbin/ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/ip6tables -A OUTPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/ip6tables -A OUTPUT -m state --state INVALID -j DROP
apply_rule /sbin/ip6tables -P FORWARD DROP
apply_rule /sbin/ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/ip6tables -A FORWARD -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/ip6tables -A FORWARD -m state --state INVALID -j DROP

apply_rule /sbin/ip6tables -A INPUT -i lo -j ACCEPT
apply_rule /sbin/ip6tables -A OUTPUT -o lo -j ACCEPT
apply_rule /sbin/ip6tables -A FORWARD -i lo -o lo -j ACCEPT

apply_rule /sbin/ip6tables -t mangle -F
apply_rule /sbin/ip6tables -t mangle -Z
apply_rule /sbin/ip6tables -t mangle -P PREROUTING ACCEPT
apply_rule /sbin/ip6tables -t mangle -P OUTPUT ACCEPT
apply_rule /sbin/ip6tables -t mangle -P INPUT ACCEPT
apply_rule /sbin/ip6tables -t mangle -P FORWARD ACCEPT
apply_rule /sbin/ip6tables -t mangle -P POSTROUTING ACCEPT


apply_rule /sbin/ip6tables -t nat -F
apply_rule /sbin/ip6tables -t nat -Z
apply_rule /sbin/ip6tables -t nat -P PREROUTING ACCEPT
apply_rule /sbin/ip6tables -t nat -P OUTPUT ACCEPT
apply_rule /sbin/ip6tables -t nat -P POSTROUTING ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 49152:65535 -j ACCEPT

apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 12443 -j ACCEPT

apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 11443 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 11444 -j ACCEPT

apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 8447 -j ACCEPT

apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 8443 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 8880 -j ACCEPT

apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT

apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT

apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 587 -j ACCEPT

apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 25 -j DROP
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 465 -j DROP

apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 110 -j DROP
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 995 -j DROP

apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 143 -j DROP
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 993 -j DROP

apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 106 -j DROP

apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 3306 -j ACCEPT

apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 5432 -j ACCEPT

apply_rule /sbin/ip6tables -A INPUT -p udp --dport 137 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p udp --dport 138 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 139 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 445 -j ACCEPT

apply_rule /sbin/ip6tables -A INPUT -p udp --dport 53 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p tcp --dport 53 -j ACCEPT

apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 134/0 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 135/0 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 136/0 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 137/0 -j ACCEPT

apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 128/0 -j ACCEPT
apply_rule /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 129/0 -j ACCEPT

apply_rule /sbin/ip6tables -A INPUT -j DROP

apply_rule /sbin/ip6tables -A OUTPUT -j ACCEPT

apply_rule /sbin/ip6tables -A FORWARD -j DROP


echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

#
# End of script
#
 
I've had help from someone that knows Linux very well and we needed to add this line to /etc/network/interfaces:

post-up ip -6 route add default via fe80::1 dev eth0

and now everything seems to work for IPv6 - incoming and outgoing.
 
To be more exact, and to maybe help others: with the firewall turned off and after a reboot we ran this command

ip -6 r s

This gave us (which is missing with the firewall on):

xxxxxxxxxxx dev eth0 proto kernel metric 256 pref medium
xxxxxxxxxxx dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev veth30b1c17 proto kernel metric 256 pref medium
fe80::/64 dev docker0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 2sec hoplimit 64 pref high

which gave us the fe80::1,

hence the

post-up ip -6 route add default via fe80::1 dev eth0

as written above.

Hope this can maybe help someone with a similar problem.
 
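The diagnosis above (check `ip -6 r s`, find the `default via fe80::1` route, pin it in /etc/network/interfaces) can be scripted so the check is repeatable. The block below is an added example by the editor, not code from the thread or from Plesk. It works on a constructed copy of the route table from the post (the redacted prefix replaced with a documentation address), so it runs offline; `--live IFACE` runs the same logic against the real host. The function names are hypothetical. One detail the thread does not spell out but which the posted output supports: the missing route is `proto ra ... expires 2sec`, i.e. learned from Router Advertisements and refreshed only while the kernel keeps accepting them, and the generated firewall-active.sh ends with `echo 1 > /proc/sys/net/ipv6/conf/all/forwarding`. Per the kernel's ip-sysctl documentation, the default `accept_ra=1` accepts RAs only while forwarding is off (`accept_ra=2` accepts them regardless), so the check below reports that combination explicitly; whether that is what happened on the poster's host is the editor's reading, not something the thread confirms.

```sh
#!/bin/sh
# Added example: diagnose a vanishing IPv6 default route (not from the thread).

# Constructed sample of `ip -6 r s`, modelled on the post (addresses replaced).
SAMPLE_ROUTES='2001:db8:1::2 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev docker0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 2sec hoplimit 64 pref high'

# Print "<gateway> <dev>" for the default route, or nothing if there is none.
ipv6_default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3, $5; exit }'
}

# Return 0 if the default route was learned from a Router Advertisement (proto ra).
# Such a route carries a lifetime; if RAs stop being accepted it expires and vanishes.
ipv6_default_is_ra() {
    printf '%s\n' "$1" | awk '
        $1 == "default" { for (i = 1; i <= NF; i++) if ($i == "proto" && $(i+1) == "ra") found = 1 }
        END { exit found ? 0 : 1 }'
}

# Kernel semantics of net.ipv6.conf.<if>.accept_ra (Documentation/networking/ip-sysctl.txt):
#   0 = never accept RAs, 1 = accept only while forwarding is 0, 2 = accept even when forwarding.
# Return 0 if RAs will be accepted for this forwarding/accept_ra pair.
ra_accepted() {
    forwarding="$1"; accept_ra="$2"
    case "$accept_ra" in
        2) return 0 ;;
        1) [ "$forwarding" = "0" ] ;;
        *) return 1 ;;
    esac
}

# Render the ifupdown line the thread ended up adding, for a gateway and interface.
interfaces_post_up() {
    printf 'post-up ip -6 route add default via %s dev %s\n' "$1" "$2"
}

# Verdict for a route table capture plus the interface's forwarding and accept_ra values:
#   no-default-route       nothing to pin; RA never arrived or was filtered
#   ra-route-will-expire   route exists now but will not be refreshed; pin it statically
#   ok                     route present and either static or still being refreshed
diagnose() {
    routes="$1"; forwarding="$2"; accept_ra="$3"
    gw=$(ipv6_default_gw "$routes")
    if [ -z "$gw" ]; then
        echo "no-default-route"
    elif ipv6_default_is_ra "$routes" && ! ra_accepted "$forwarding" "$accept_ra"; then
        echo "ra-route-will-expire"
    else
        echo "ok"
    fi
}

# Live mode: ./ipv6_route_check.sh --live eth0 (reads the real route table and sysctls).
if [ "${1:-}" = "--live" ]; then
    iface="${2:-eth0}"
    fw=$(cat /proc/sys/net/ipv6/conf/"$iface"/forwarding)
    ra=$(cat /proc/sys/net/ipv6/conf/"$iface"/accept_ra)
    diagnose "$(ip -6 route show)" "$fw" "$ra"
    exit 0
fi

# Offline demo on the constructed sample with forwarding=1 (what firewall-active.sh sets)
# and the default accept_ra=1: the RA-learned route will not be refreshed.
set -- $(ipv6_default_gw "$SAMPLE_ROUTES")
echo "default gateway: $1 on $2  verdict: $(diagnose "$SAMPLE_ROUTES" 1 1)"
echo "line for /etc/network/interfaces: $(interfaces_post_up "$1" "$2")"
```

Run it once with the firewall off and once with it on; if the verdict flips from `ok` to `ra-route-will-expire`, the static `post-up` route is the right fix, and `accept_ra=2` on the interface is the alternative if you would rather keep learning the gateway from RAs with forwarding enabled.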
@Julian Hossack We can see in your opening post that, like us, you are using Obsidian / Ubuntu 18.04 / IONOS Cloud Servers. We were an early adopter of running Ubuntu 18.04 on an IONOS Cloud Server and some time ago, we did have an IPv6 access error, which was slightly different than yours, but the end resolution involved a very similar tracing process ;) FWIW Our own IPv6 access error had no relation to the Plesk firewall (switching that on or off made no difference), it was only, the content of the provided by default, IONOS /etc/network/interfaces file (see below). Ours was never a Plesk related error, but great that regardless, you've solved yours, yourself now anyway.

Ubuntu 16.04 uses ifupdown by default, but Ubuntu 18.04 uses netplan by default. However, IONOS re-structure Ubuntu 18.04 on their provided cloud server disc images, so that it does use ifupdown and not netplan by default. This is necessary, so IONOS say, to ensure that their Ubuntu 18.04 cloud servers, work perfectly on all of their own very comprehensive, network setups & to be fair if / when configured correctly, then they usually do.

What's not always made clear to any IONOS cloud server customers anywhere though (i.e. those who maintain their own cloud server, not those who use a managed service cloud server) is that when adding IPv6 to an IONOS Ubuntu 18.04 cloud server, the provided-by-default IONOS /etc/network/interfaces file might then not be configured correctly, so it will need checking and possibly re-configuring. The onus for checking and re-configuring (if needed) is exclusively on the customer's cloud server administrator, not IONOS themselves, which is fair enough for this type of IONOS product / service.

Fortunately, IONOS have worked on providing more written support online & they've since published some more useful guidance on this specific topic RIGHT HERE on this page, which as you'll see, does cover the inclusion of: gateway fe80::1 in relation to IPv6.
 