Resolved Plesk Firewall ip6tables

[Brujo]

Plesk Onyx - Version 17.5.3 Update #38
Ubuntu 16.04.3 LTS

usually I change on the Plesk firewall the "System policy for outgoing traffic - Allow all other outgoing traffic" from allow -> deny and allow only defined outgoing ports.

But on a new Ubuntu System as soon as I change the outgoing policy from "allow -> deny" and activate then the firewall in plesk, Services like ping, ftp from external stops and also access to websites (http & https) from external via ipv6. Ping, ftp and website access over ipv4 from external still works as expected. It seems ip6table blocks everything then from external.

the difference between allow / deny of the outgoing policy is only in the last line

ACCEPT all anywhere anywhere (ping and access from external works)
DROP all anywhere anywhere (ping and access from external not working)

the complete output of the not working ip6tables -L

Chain INPUT (policy DROP)
target     prot opt source               destination  
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp      anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP       all      anywhere             anywhere             state INVALID
ACCEPT     all      anywhere             anywhere    
ACCEPT     tcp      anywhere             anywhere             tcp dpt:ftps
DROP       tcp      anywhere             anywhere             tcp dpt:12443
DROP       tcp      anywhere             anywhere             tcp dpt:11443
DROP       tcp      anywhere             anywhere             tcp dpt:11444
ACCEPT     tcp      anywhere             anywhere             tcp dpt:8447
ACCEPT     tcp      anywhere             anywhere             tcp dpt:8443
ACCEPT     tcp      anywhere             anywhere             tcp dpt:8880
ACCEPT     tcp      anywhere             anywhere             tcp dpt:http
ACCEPT     tcp      anywhere             anywhere             tcp dpt:https
ACCEPT     tcp      anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp      anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp      anywhere             anywhere             tcp dpt:submission
ACCEPT     tcp      anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp      anywhere             anywhere             tcp dpt:urd
ACCEPT     tcp      anywhere             anywhere             tcp dpt:pop3
ACCEPT     tcp      anywhere             anywhere             tcp dpt:pop3s
ACCEPT     tcp      anywhere             anywhere             tcp dpt:imap2
ACCEPT     tcp      anywhere             anywhere             tcp dpt:imaps
ACCEPT     tcp      anywhere             anywhere             tcp dpt:poppassd
DROP       tcp      anywhere             anywhere             tcp dpt:mysql
DROP       tcp      anywhere             anywhere             tcp dpt:postgresql
DROP       tcp      anywhere             anywhere             tcp dpt:9008
DROP       tcp      anywhere             anywhere             tcp dpt:9080
DROP       udp      anywhere             anywhere             udp dpt:netbios-ns
DROP       udp      anywhere             anywhere             udp dpt:netbios-dgm
DROP       tcp      anywhere             anywhere             tcp dpt:netbios-ssn
DROP       tcp      anywhere             anywhere             tcp dpt:microsoft-ds
DROP       udp      anywhere             anywhere             udp dpt:eek:penvpn
ACCEPT     udp      anywhere             anywhere             udp dpt:domain
ACCEPT     tcp      anywhere             anywhere             tcp dpt:domain
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 134 code 0
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 135 code 0
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 136 code 0
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 137 code 0
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 128 code 0
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmptype 129 code 0
DROP       all      anywhere             anywhere    

Chain FORWARD (policy DROP)
target     prot opt source               destination  
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp      anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP       all      anywhere             anywhere             state INVALID
ACCEPT     all      anywhere             anywhere    
DROP       all      anywhere             anywhere    

Chain OUTPUT (policy DROP)
target     prot opt source               destination  
ACCEPT     all      anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     tcp      anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW reject-with tcp-reset
DROP       all      anywhere             anywhere             state INVALID
ACCEPT     all      anywhere             anywhere    
ACCEPT     tcp      anywhere             anywhere             tcp dpts:ftp-data:ssh
ACCEPT     tcp      anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp      anywhere             anywhere             tcp dpt:whois
ACCEPT     tcp      anywhere             anywhere             tcp dpt:domain
ACCEPT     udp      anywhere             anywhere             udp dpt:domain
ACCEPT     udp      anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp      anywhere             anywhere             tcp dpt:http
ACCEPT     udp      anywhere             anywhere             udp dpt:ntp
ACCEPT     tcp      anywhere             anywhere             tcp dpt:https
ACCEPT     tcp      anywhere             anywhere             tcp dpt:urd
DROP       all      anywhere             anywhere

any hint would be appreciated, or where to start to dig into the issue

 

[Zane901267]

Same problem on my CentOS 7 Server with Plesk Onyx Version 17.5.3 Update #39. I think I'll contact the Plesk support today about this issue.

 

[Brujo]

Same problem on my CentOS 7 Server with Plesk Onyx Version 17.5.3 Update #39. I think I'll contact the Plesk support today about this issue.

did you got it solved and like to share?

 

[speedbird]

Hm... I think the ruleset may be false here.. you allow incoming icmp for example but don't allow it outgoing so of course the server doesn't respond.

Same goes for ftp / http .... you allow the basic ports but I think especially ftp requires also ports in the high range, linke 30k-35k to function properly. Also I don't know for sure but since nginx is used for proxy purposes, port 7080 also needs to be allowed to transfer data and that is also missing. Seems to me your rules are just not right.

 

[Zane901267]

as speedbird mentioned before, the problem is that the block all outgiung traffic rule blocks the icmp rules for IPv6. Plesk Support suggested me to define some rules manually because they can't defined over the Plesk firewall configuration.


Adding the rules manually to ip6tables:

1. We remove the existing drop rule:
# ip6tables -D OUTPUT -j DROP

2. We add the new rules to allow ipv6-icmp
# ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 133 -j ACCEPT
# ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 134 -j ACCEPT
# ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 135 -j ACCEPT
# ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 136 -j ACCEPT
# ip6tables -A OUTPUT -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j ACCEPT
# ip6tables -A OUTPUT -j DROP

3. Save the new rules
#ip6tables-save

Unfortunately, the rules will be overwritten as soon as you change the firewall configuration through Plesk or when you reboot the server. I think this can be solved with some scripts and a cronjob or something...

 

[Zane901267]

Okay, Plesk support created a kb article for this problem:
IPv6 traffic doesn't work anymore after set System policy for outgoing traffic to Deny: No route to host.

Also, A Plesk bug with id #PPPM-7959 has been opened and should fixed by an update soon.

 

[Brujo]

thank you all for discussion and for sharing your suggestions.

Well the KB Article is a good starting point will try