
Question: Plesk Firewall is blocking requests even with configured rules

Johnny9977
Basic Pleskian

Server operating system version: Ubuntu 22.04
Plesk version and microupdate number: 18.0.64
I've recently installed a WireGuard VPN on my Plesk server running Ubuntu 22.04, following this guide: WireGuard VPN Server mit Web Interface einrichten - adminForge (adminForge: setting up a WireGuard VPN server with a web interface).

After installing and configuring a new client, I connected to the VPN and the handshake was successful. I was able to open any page running on the server, but not able to visit e.g. google.de. This made me think it could be the firewall causing the issue here. So I went to the Plesk Firewall rules page and added 3 new rules:

1) Allow incoming UDP port 51820
2) Allow incoming from 10.252.1.0/24 at all ports
3) Allow outgoing from 10.252.1.0/24 at all ports

After applying the rules, I was able to visit Google. Then I restarted the server and connected to the VPN again. After this, I was unable to open Google again. So I disabled the Firewall and it worked. I enabled it again and it still worked. So somehow my custom rules are not applied after restarting the server. This is very strange.

Any advice?
 
It looks like my PostUp and PostDown scripts are not being set correctly by WireGuard:

PostUp: iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
PostDown: iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp3s0 -j MASQUERADE
 
I've found the cause. It's really frustrating how bad the Plesk Firewall GUI is! This thing gives you a 0.0 % chance to configure a technically complex rule, e.g. defining in and out parameters.

So the issue is that the Plesk Firewall creates a shell script which overwrites the existing rules, including the rule from WireGuard:

Code:
11       5   320 ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0

This rule is normally set up during the initial start of the WireGuard server. To fix this issue, I've created 4 new entries inside the Plesk Event Manager:

(screenshot: the four Plesk Event Manager entries)

The ones with priority 100 restart the WireGuard service to re-add the rule after the Firewall has been updated. But this caused a new issue. Since the rules are handled in order, the WireGuard rule was below the general DROP rule:

Code:
12       0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

So the DROP rule caught all the requests. To fix this, I've created a little shell script which re-arranges the DROP rule, and also configured 2 more events. To create the new script, I used this command:
Code:
nano /etc/wireguard/reorder-fw-rules.sh

After this I've added this code:


Code:
#!/bin/sh
# Give the Plesk Firewall time to finish rewriting the chains and the
# WireGuard restart (the prio 100 event) time to re-add its FORWARD rule.
sleep 15s

# Pattern for the catch-all DROP that the Plesk Firewall appends to FORWARD:
# any protocol ("all", or "0" on newer iptables), any in/out interface,
# any source, any destination. Specific-source DROP rules do not match.
DROP_RULE='DROP +(all|0) +-- +\* +\* +0\.0\.0\.0/0 +0\.0\.0\.0/0'

# Rule number of the last matching DROP rule (empty if none)
drop_rule_line=$(iptables -L FORWARD -v -n --line-numbers | grep -E "$DROP_RULE" | awk '{print $1}' | tail -n 1)

# Debugging output
echo "DROP rule found at line: $drop_rule_line"

# Check that a rule number was found and that it is numeric
if [ -n "$drop_rule_line" ] && echo "$drop_rule_line" | grep -qE '^[0-9]+$'; then
    echo "Removing the DROP rule..."

    # Remove the DROP rule by its position in the chain
    iptables -D FORWARD "$drop_rule_line"

    echo "Re-adding the DROP rule..."

    # Append it again so it ends up after the wg0 ACCEPT rule
    iptables -A FORWARD -j DROP

    echo "DROP rule has been removed and re-added successfully."
else
    echo "DROP rule not found or invalid line number. Please check your iptables configuration." >&2
    exit 1
fi

Finally, I've made the script executable:
Code:
chmod +x /etc/wireguard/reorder-fw-rules.sh

So at every Firewall change, the service gets restarted and the DROP rule re-ordered. This is a very ugly solution, but when Plesk doesn't give me the correct tools to manage my Firewall the way I need it, I have to go for solutions like this. This may also work for Docker or any other service.
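The ordering problem described in the thread (the catch-all DROP that the Plesk Firewall writes ending up above the wg0 ACCEPT rule that WireGuard's PostUp appends) can be checked without touching the live firewall. The script below is an added example, not code from the post, from Plesk or from WireGuard: it parses the text of `iptables -L FORWARD -v -n --line-numbers`, finds the catch-all DROP and the wg0 ACCEPT by their columns rather than by a loose regex, and prints the fix commands only when the ACCEPT really is shadowed. The two listings are constructed samples that follow the real output layout; the interface name `wg0`, the rule numbers and the pkts/bytes counters are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post, Plesk or WireGuard).
# Dry-run check of FORWARD chain ordering, working on the text of
# `iptables -L FORWARD -v -n --line-numbers` so it runs without root.

# Constructed sample: broken ordering, the wg0 ACCEPT was appended after the
# catch-all DROP. Rule 2 is a per-IP DROP that must NOT be mistaken for the
# catch-all one. Numbers and counters are assumptions.
SHADOWED_LISTING='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1024   88K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2        0     0 DROP       all  --  *      *       203.0.113.7          0.0.0.0/0
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        5   320 ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0'

# Constructed sample: healthy ordering, wg0 ACCEPT sits above the DROP.
HEALTHY_LISTING='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1024   88K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2        5   320 ACCEPT     all  --  wg0    *       0.0.0.0/0            0.0.0.0/0
3        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Print the rule number of the last catch-all DROP read from stdin:
# target DROP, any protocol ("all", or "0" on newer iptables builds),
# any in/out interface, source and destination 0.0.0.0/0.
catch_all_drop_line() {
    awk '$1 ~ /^[0-9]+$/ && $4 == "DROP" && ($5 == "all" || $5 == "0") &&
         $7 == "*" && $8 == "*" && $9 == "0.0.0.0/0" && $10 == "0.0.0.0/0" { n = $1 }
         END { if (n != "") print n }'
}

# Print the rule number of the first ACCEPT whose in-interface is $1 (default wg0).
wg_accept_line() {
    awk -v ifc="${1:-wg0}" '$1 ~ /^[0-9]+$/ && $4 == "ACCEPT" && $7 == ifc { print $1; exit }'
}

# Read a listing from stdin and report the state; when the tunnel ACCEPT is
# shadowed, print the two commands the post uses (delete DROP by number,
# append it again) instead of executing them.
plan_reorder() {
    ifc=${1:-wg0}
    listing=$(cat)
    drop=$(printf '%s\n' "$listing" | catch_all_drop_line)
    wg=$(printf '%s\n' "$listing" | wg_accept_line "$ifc")
    if [ -z "$wg" ]; then
        echo "MISSING: no ACCEPT rule with in-interface $ifc; PostUp did not run or the firewall rewrite removed it"
    elif [ -z "$drop" ]; then
        echo "NO_DROP: no catch-all DROP in FORWARD, nothing shadows the $ifc rule"
    elif [ "$wg" -lt "$drop" ]; then
        echo "OK: $ifc ACCEPT is rule $wg, catch-all DROP is rule $drop"
    else
        echo "SHADOWED: $ifc ACCEPT is rule $wg, below the catch-all DROP at rule $drop; fix with:"
        echo "iptables -D FORWARD $drop"
        echo "iptables -A FORWARD -j DROP"
    fi
}

# Dry run on the constructed samples. On a real host pipe the live listing in:
#   iptables -L FORWARD -v -n --line-numbers | plan_reorder wg0
printf '%s\n' "$SHADOWED_LISTING" | plan_reorder
printf '%s\n' "$HEALTHY_LISTING" | plan_reorder
```

Because the check compares rule numbers instead of blindly deleting and re-appending, it is safe to run from an Event Manager hook on every firewall change: on a healthy chain it does nothing. An equivalent fix that leaves the Plesk-written DROP in place is to delete the shadowed ACCEPT by its number and re-insert it just above the DROP (`iptables -I FORWARD "$drop" -i wg0 -j ACCEPT`); either way, guard the add with `iptables -C FORWARD -i wg0 -j ACCEPT` first so repeated restarts do not pile up duplicate rules.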
 