Issue Plesk firewall doesn't register iptables rules

SleuvinS

New Pleskian
I have Plesk Onyx 17.5.3 installed on CentOS 7.3.1611.
I tried to use the Plesk firewall extension to secure the server, so I disabled firewalld and issued:
Code:
service psa-firewall start
which gives me a success message. However, when checking the iptables rules, I only found the three policies (INPUT DROP, FORWARD DROP, OUTPUT ACCEPT) and no more rules.
Here's the content of both firewall-active.sh and firewall-emergency.sh:

Code:
#!/bin/sh
### Copyright 1999-2017. Parallels IP Holdings GmbH. All Rights Reserved.

echo 0 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

if [ -e "/proc/net/if_inet6" -a -n "`cat /proc/net/if_inet6`" -a -x "/sbin/ip6tables" ]; then
        /sbin/ip6tables -F
        /sbin/ip6tables -X
        /sbin/ip6tables -Z
        /sbin/ip6tables -P INPUT ACCEPT
        /sbin/ip6tables -P OUTPUT ACCEPT
        /sbin/ip6tables -P FORWARD ACCEPT
fi

On the other hand, firewall-new.sh has a set of rules that match what I configured with the Plesk firewall extension, preceded by a bash script (which I don't know how to read):
Code:
#!/bin/sh
### Copyright 1999-2017. Parallels IP Holdings GmbH. All Rights Reserved.

#!/bin/bash
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

set -e

echo 0 > /proc/sys/net/ipv4/ip_forward
([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true

# Run one iptables command, waiting for the xtables lock instead of failing
# when another process (fail2ban, firewalld) holds it.
apply_rule()
{
        iptables_bin="$1"
        shift

        # "iptables v1.4.21" -> "421"
        iptables_version=`/sbin/iptables --version | awk -F '.' '{print $2$3}'`

        # Use the native --wait option since v1.4.20
        if [ $iptables_version -gt 420 ]; then
                $iptables_bin -w $@ 2>/dev/null
                # return here, otherwise the rule is applied a second time below
                return $?
        fi

        # Emulate --wait for elderly versions: retry while the lock is busy
        for i in `seq 10`; do
                $iptables_bin $@ 2>&1 | grep -q xtable || return 0
                sleep 1
        done

        return 1
}

/sbin/iptables-save  -t filter | grep -- "-A INPUT" |  grep -v "fail2ban-\|f2b-" | sed -e "s#^-A#apply_rule /sbin/iptables -D#g" | xargs -0 echo -e "`declare -f apply_rule`\n" | /bin/bash



apply_rule /sbin/iptables -F FORWARD
apply_rule /sbin/iptables -F OUTPUT
apply_rule /sbin/iptables -Z FORWARD
apply_rule /sbin/iptables -Z OUTPUT

apply_rule /sbin/iptables -P INPUT DROP
apply_rule /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A INPUT -m state --state INVALID -j DROP
apply_rule /sbin/iptables -P OUTPUT DROP
apply_rule /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A OUTPUT -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
apply_rule /sbin/iptables -P FORWARD DROP
apply_rule /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A FORWARD -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A FORWARD -m state --state INVALID -j DROP

apply_rule /sbin/iptables -A INPUT -i lo  -j ACCEPT
apply_rule /sbin/iptables -A OUTPUT -o lo -j ACCEPT
apply_rule /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT

apply_rule /sbin/iptables -t mangle -F
apply_rule /sbin/iptables -t mangle -Z
apply_rule /sbin/iptables -t mangle -P PREROUTING ACCEPT
apply_rule /sbin/iptables -t mangle -P OUTPUT ACCEPT
apply_rule /sbin/iptables -t mangle -P INPUT ACCEPT
apply_rule /sbin/iptables -t mangle -P FORWARD ACCEPT
apply_rule /sbin/iptables -t mangle -P POSTROUTING ACCEPT


apply_rule /sbin/iptables -t nat -F
apply_rule /sbin/iptables -t nat -Z
apply_rule /sbin/iptables -t nat -P PREROUTING ACCEPT
apply_rule /sbin/iptables -t nat -P OUTPUT ACCEPT
apply_rule /sbin/iptables -t nat -P POSTROUTING ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 8447 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 205 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 12443 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 11443 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 11444 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 8447 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 77.128.175.150 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -s 77.128.175.150 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 21 -s 77.128.175.150 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 21 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 22 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 587 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 25 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 465 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 110 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 995 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 143 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 993 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 106 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP

apply_rule /sbin/iptables -A INPUT -p udp --dport 137 -j DROP
apply_rule /sbin/iptables -A INPUT -p udp --dport 138 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 445 -j DROP

apply_rule /sbin/iptables -A INPUT -p udp --dport 1194 -j DROP

apply_rule /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -s 151.80.118.11/32 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -s 167.114.37.0/24 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -s 77.128.175.150 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -s 92.222.184.0/24 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -s 92.222.185.0/24 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -s 92.222.186.0/24 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j DROP

apply_rule /sbin/iptables -A INPUT -j DROP

apply_rule /sbin/iptables -A OUTPUT -j ACCEPT

apply_rule /sbin/iptables -A FORWARD -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
#
# End of script
#

(The ping rules are there to let OVH monitor the server.) That support page doesn't give the location of the Plesk firewall logs; where should I look?

Also, it seems that I have trouble with the Let's Encrypt extension (message: "Challenge marked as invalid. Could not connect to [mydomain.tld]") and with the Updates and Upgrades page (loading until time-out). Could it be linked somehow? Like the modules that don't communicate with the Plesk core or whatever? I must specify that I have both SELinux in permissive mode and ModSecurity (OWASP rules) in detection-only mode.

EDIT:

As psa-firewall didn't seem to work well, I decided to stay with firewalld, but I forgot to disable the Plesk firewall in the Plesk admin panel; I just went with
Code:
service psa-firewall stop
and today I realized all iptables rules have been flushed again.
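The check a defender wants in this situation is a way to tell "the generated rules were never applied" apart from "they were applied and later flushed", without reading firewall-new.sh by hand. The script below is an added example, not code from this thread or from Plesk: it canonicalises the `apply_rule /sbin/iptables -A ...` lines of a Plesk-style firewall-new.sh and the `-A` lines of an `iptables-save` dump into the same form (iptables-save adds `-m tcp`/`-m icmp`, `/32` masks, reorders options, and on newer builds writes `-m conntrack --ctstate` instead of `-m state --state`), then reports which expected filter rules are not live. The function names (`expected_rules`, `active_rules`, `missing_rules`, `firewall_verdict`) and both sample inputs are constructed for the example; the addresses come from documentation ranges, and fail2ban chains are skipped the same way the Plesk script's `grep -v` does.

```shell
#!/bin/sh
# Added example (not from the forum post or Plesk): audit the live iptables
# filter rules against the rules a Plesk-style firewall-new.sh intends to
# add. Both inputs are files (the script, and an `iptables-save` dump), so
# this runs without root and without iptables installed.
export LC_ALL=C

# Canonicalise one rule per line so both sources compare equal: strip the
# matches iptables-save inserts, the /32 host mask, the "/0" ICMP code,
# map conntrack back to state, then sort the option groups (awk part)
# because iptables-save reorders options, e.g. "-s" before "-p".
normalize() {
    sed -e 's/ -m tcp / /g' -e 's/ -m udp / /g' -e 's/ -m icmp / /g' \
        -e 's/ -m conntrack --ctstate / -m state --state /g' \
        -e 's#\(--icmp-type [0-9]*\)/0#\1#g' \
        -e 's#/32 # #g' -e 's#/32$##' \
    | awk '{
        n = 0
        for (i = 1; i <= NF; i++) {
            # a group starts at "-x", "--xx" or "!" (unless it follows "!")
            if ($i ~ /^(-|!)/ && !(i > 1 && $(i-1) == "!")) { n++; c[n] = $i }
            else c[n] = c[n] " " $i
        }
        for (i = 2; i <= n; i++) {          # insertion sort of the groups
            v = c[i]; j = i - 1
            while (j > 0 && c[j] > v) { c[j+1] = c[j]; j-- }
            c[j+1] = v
        }
        out = c[1]; for (i = 2; i <= n; i++) out = out " " c[i]
        print out; split("", c)
    }'
}

# Rules the generated script wants in the filter table (no "-t" => filter).
expected_rules() {
    grep '^apply_rule /sbin/iptables -A ' "$1" \
        | sed 's#^apply_rule /sbin/iptables ##' | normalize | sort -u
}

# Rules actually present in the filter table of an iptables-save dump,
# ignoring fail2ban's chains and jumps as the Plesk script itself does.
active_rules() {
    awk '/^\*filter$/ { f = 1; next } /^COMMIT$/ { f = 0 } f && /^-A /' "$1" \
        | grep -v -e 'fail2ban-' -e 'f2b-' | normalize | sort -u
}

# Expected rules that are not live.  $1 = firewall-new.sh, $2 = save dump.
missing_rules() {
    exp=$(mktemp); act=$(mktemp)
    expected_rules "$1" > "$exp"
    active_rules "$2" > "$act"
    comm -23 "$exp" "$act"
    rm -f "$exp" "$act"
}

missing_count() { missing_rules "$1" "$2" | wc -l | tr -d ' '; }

firewall_verdict() {
    total=$(expected_rules "$1" | wc -l | tr -d ' ')
    missing=$(missing_count "$1" "$2")
    if [ "$missing" -eq 0 ]; then echo "ok: all $total expected filter rules are live"
    elif [ "$missing" -eq "$total" ]; then echo "flushed: none of the $total expected filter rules are live"
    else echo "partial: $missing of $total expected filter rules are missing"
    fi
}

# --- constructed sample inputs (addresses from documentation ranges) ---
WORK=$(mktemp -d)
cat > "$WORK/firewall-new.sh" <<'EOF'
apply_rule /sbin/iptables -P INPUT DROP
apply_rule /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A INPUT -i lo  -j ACCEPT
apply_rule /sbin/iptables -t nat -P PREROUTING ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 203.0.113.10 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -s 192.0.2.0/24 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -j DROP
EOF
# dump taken while the rules were live, except the final catch-all DROP
cat > "$WORK/partial.save" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 22 -j f2b-sshd
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
EOF
# dump matching what the post describes: policies set, every rule gone
cat > "$WORK/flushed.save" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF

firewall_verdict "$WORK/firewall-new.sh" "$WORK/partial.save"
firewall_verdict "$WORK/firewall-new.sh" "$WORK/flushed.save"
```

On a real server the dump is produced with `iptables-save > /tmp/rules.dump` and the first argument is wherever Plesk keeps its firewall-new.sh (the post does not give that path). A "flushed" verdict with the policies still at DROP/DROP/ACCEPT is exactly the symptom the post describes, and running the check from cron after each `psa-firewall`/firewalld restart turns a silent flush into a logged event.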