
Issue Plesk firewall doesn't register iptables rules

SleuvinS

New Pleskian
I have Plesk Onyx 17.5.3 installed on CentOS 7.3.1611.
I tried to use the Plesk firewall extension to secure the server, so I disabled firewalld and issued:
Code:
service psa-firewall start
which gives me a success message. However, when checking the iptables rules, I only found the three policies (INPUT DROP, FORWARD DROP, OUTPUT ACCEPT) and no other rules.
Here's the content of both firewall-active.sh and firewall-emergency.sh:

Code:
#!/bin/sh
### Copyright 1999-2017. Parallels IP Holdings GmbH. All Rights Reserved.

echo 0 > /proc/sys/net/ipv4/ip_forward
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -Z
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

if [ -e "/proc/net/if_inet6" -a -n "`cat /proc/net/if_inet6`" -a -x "/sbin/ip6tables" ]; then
        /sbin/ip6tables -F
        /sbin/ip6tables -X
        /sbin/ip6tables -Z
        /sbin/ip6tables -P INPUT ACCEPT
        /sbin/ip6tables -P OUTPUT ACCEPT
        /sbin/ip6tables -P FORWARD ACCEPT
fi

On the other hand, firewall-new.sh has a set of rules that match what I configured with the Plesk firewall extension, preceded by a bash script (which I don't know how to read):
Code:
#!/bin/sh
### Copyright 1999-2017. Parallels IP Holdings GmbH. All Rights Reserved.

#!/bin/bash
#ATTENTION!
#
#DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
#SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

set -e

echo 0 > /proc/sys/net/ipv4/ip_forward
([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
(rmmod ipchains) >/dev/null 2>&1 || true

apply_rule()
{
        iptables_bin="$1"
        shift

        iptables_version=`/sbin/iptables --version | awk -F '.' '{print $2$3}'`

        # Use the native --wait option since v1.4.20
        if [ $iptables_version -gt 420 ]; then
                $iptables_bin -w $@ 2>/dev/null
                # return here, otherwise the emulation loop below re-applies the rule
                return $?
        fi

        # Emulate --wait for elderly versions
        for i in `seq 10`; do
                $iptables_bin $@ 2>&1 | grep -q xtable || return 0
                sleep 1
        done

        return 1
}

/sbin/iptables-save  -t filter | grep -- "-A INPUT" |  grep -v "fail2ban-\|f2b-" | sed -e "s#^-A#apply_rule /sbin/iptables -D#g" | xargs -0 echo -e "`declare -f apply_rule`\n" | /bin/bash



apply_rule /sbin/iptables -F FORWARD
apply_rule /sbin/iptables -F OUTPUT
apply_rule /sbin/iptables -Z FORWARD
apply_rule /sbin/iptables -Z OUTPUT

apply_rule /sbin/iptables -P INPUT DROP
apply_rule /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A INPUT -m state --state INVALID -j DROP
apply_rule /sbin/iptables -P OUTPUT DROP
apply_rule /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A OUTPUT -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
apply_rule /sbin/iptables -P FORWARD DROP
apply_rule /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
apply_rule /sbin/iptables -A FORWARD -p tcp ! --syn  -m state --state NEW -j REJECT --reject-with tcp-reset
apply_rule /sbin/iptables -A FORWARD -m state --state INVALID -j DROP

apply_rule /sbin/iptables -A INPUT -i lo  -j ACCEPT
apply_rule /sbin/iptables -A OUTPUT -o lo -j ACCEPT
apply_rule /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT

apply_rule /sbin/iptables -t mangle -F
apply_rule /sbin/iptables -t mangle -Z
apply_rule /sbin/iptables -t mangle -P PREROUTING ACCEPT
apply_rule /sbin/iptables -t mangle -P OUTPUT ACCEPT
apply_rule /sbin/iptables -t mangle -P INPUT ACCEPT
apply_rule /sbin/iptables -t mangle -P FORWARD ACCEPT
apply_rule /sbin/iptables -t mangle -P POSTROUTING ACCEPT


apply_rule /sbin/iptables -t nat -F
apply_rule /sbin/iptables -t nat -Z
apply_rule /sbin/iptables -t nat -P PREROUTING ACCEPT
apply_rule /sbin/iptables -t nat -P OUTPUT ACCEPT
apply_rule /sbin/iptables -t nat -P POSTROUTING ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 8447 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 205 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 12443 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 11443 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 11444 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 8447 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -s 77.128.175.150 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 80 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -s 77.128.175.150 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 443 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 21 -s 77.128.175.150 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 21 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 22 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 587 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 25 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 465 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 110 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 995 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 143 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 993 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 106 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 3306 -s 127.0.0.1 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP

apply_rule /sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP

apply_rule /sbin/iptables -A INPUT -p udp --dport 137 -j DROP
apply_rule /sbin/iptables -A INPUT -p udp --dport 138 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
apply_rule /sbin/iptables -A INPUT -p tcp --dport 445 -j DROP

apply_rule /sbin/iptables -A INPUT -p udp --dport 1194 -j DROP

apply_rule /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT

apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -s 151.80.118.11/32 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -s 167.114.37.0/24 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -s 77.128.175.150 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -s 92.222.184.0/24 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -s 92.222.185.0/24 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -s 92.222.186.0/24 -j ACCEPT
apply_rule /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j DROP

apply_rule /sbin/iptables -A INPUT -j DROP

apply_rule /sbin/iptables -A OUTPUT -j ACCEPT

apply_rule /sbin/iptables -A FORWARD -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
#
# End of script
#

(Ping rules are set to let OVH monitor the server.) That support page doesn't give the location of the Plesk firewall logs; where should I look?

Also, it seems that I have trouble with the Let's Encrypt extension (message: "Challenge marked as invalid. Could not connect to [mydomain.tld]") and with the Updates and Upgrades page (loading until time-out). Could it be linked somehow, like modules that don't communicate with the Plesk core or whatever? I must specify that I have both SELinux in permissive mode and ModSecurity (OWASP rules) in detection-only mode.

EDIT:

As psa-firewall didn't seem to work well, I decided to stay with firewalld, but I forgot to disable the Plesk firewall in the Plesk admin panel; I just went with
Code:
service psa-firewall stop
and today I realized all iptables rules have been flushed again.
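The state described in the post (chain policies present, no rules) is easy to misread from raw `iptables -L` output, and the generated script's version test for `-w` is fragile. The following POSIX sh helpers are an added example, not Plesk's code and not from the post: they classify a captured `iptables-save -t filter` dump into the three states a Plesk box can be in (policies only, flushed open, rules loaded), replicate the awk field trick from firewall-new.sh to show where it breaks, and do a correct major.minor.patch comparison against 1.4.20 (the threshold the script's own comment names). The three dumps are constructed samples embedded so the script runs offline; all function names are my own.

```shell
#!/bin/sh
# Added diagnostic helpers (not Plesk code). They operate on the text of an
# `iptables-save` dump, so they run offline on the constructed samples below
# or on a real dump passed in as a string.

# Constructed sample 1: the symptom from the post after `service psa-firewall start`,
# the filter table holds only the three chain policies and no rules at all.
SAMPLE_POLICIES_ONLY='# Generated by iptables-save v1.4.21
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed'

# Constructed sample 2: a filter table after firewall-new.sh ran successfully,
# with a fail2ban chain mixed in (firewall-new.sh skips those with grep -v).
SAMPLE_RULES_LOADED='# Generated by iptables-save v1.4.21
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:f2b-plesk-panel - [0:0]
-A INPUT -p tcp -m multiport --dports 8880,8443 -j f2b-plesk-panel
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -j DROP
-A f2b-plesk-panel -j RETURN
COMMIT
# Completed'

# Constructed sample 3: what firewall-active.sh / firewall-emergency.sh leave
# behind, everything flushed and every policy ACCEPT (no filtering at all).
SAMPLE_FLUSHED_OPEN='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# count_input_rules DUMP: number of `-A INPUT` rules Plesk itself manages,
# excluding fail2ban jump rules, mirroring the grep -v in firewall-new.sh.
count_input_rules() {
    # grep -c prints 0 but exits 1 when nothing matches; only the number matters
    printf '%s\n' "$1" | grep -v -e 'fail2ban-' -e 'f2b-' | grep -c -- '^-A INPUT' || true
}

# chain_policy DUMP CHAIN: default policy (ACCEPT/DROP) of a built-in chain.
chain_policy() {
    printf '%s\n' "$1" | sed -n "s/^:$2 \([A-Z]*\) .*/\1/p"
}

# firewall_state DUMP: classify the filter table.
#   policies-only : INPUT policy DROP and no rules, the post's symptom (a lock-out
#                   of every new connection if that policy is really loaded)
#   flushed-open  : no rules and INPUT policy ACCEPT, nothing is filtered
#   rules-loaded  : at least one Plesk-managed INPUT rule is present
firewall_state() {
    n=$(count_input_rules "$1")
    pol=$(chain_policy "$1" INPUT)
    if [ "$n" -eq 0 ] && [ "$pol" = "DROP" ]; then
        echo policies-only
    elif [ "$n" -eq 0 ]; then
        echo flushed-open
    else
        echo rules-loaded
    fi
}

# legacy_version_field VERSION_LINE: the awk trick firewall-new.sh uses to decide
# whether `iptables -w` exists. "iptables v1.4.21" -> 421 works, but
# "iptables v1.6.0" -> 60, which is not > 420 and so falls back to the retry loop.
legacy_version_field() {
    printf '%s\n' "$1" | awk -F '.' '{print $2$3}'
}

# iptables_supports_wait VERSION_LINE: proper major.minor.patch comparison against
# 1.4.20, the first release with --wait. Returns 0 (true) when -w is available.
iptables_supports_wait() {
    # strip the "iptables v" prefix and any suffix such as " (nf_tables)"
    v=$(printf '%s' "$1" | sed 's/^iptables v//; s/[^0-9.].*$//')
    oldifs=$IFS; IFS=.
    set -- $v
    IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -gt 1 ] ||
    { [ "$maj" -eq 1 ] && [ "$min" -gt 4 ]; } ||
    { [ "$maj" -eq 1 ] && [ "$min" -eq 4 ] && [ "$pat" -ge 20 ]; }
}

# On a live box: firewall_state "$(iptables-save -t filter)"
#                iptables_supports_wait "$(iptables --version)"
```

Run `firewall_state "$(iptables-save -t filter)"` right after `service psa-firewall start` and again after firewalld restarts; the post's second symptom (rules gone after `service psa-firewall stop`) shows up as a transition from `rules-loaded` to `flushed-open`, which is exactly what firewall-active.sh produces when the stop path runs it.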