Remove psa-firewall and use iptables in OS

Michael MacDonald

Basic Pleskian
I want to remove the psa-firewall and use iptables within the OS. I am trying to get the Plesk server to meet PCI standards and am thinking that using iptables within the Redhat OS will allow me to block any and all ports I don't want advertised. I do not seem to be able to block 8443 using the Plesk firewall. I would like to block 8443 except for certain IP addresses.

I need to make sure that I can remove psa-firewall and then start the iptables service. Right now, I am not able to start iptables - even with psa-firewall shut down.

Please advise.

Thank you.
 
Maybe you will just wait for the 9.5.0 release?

http://download1.parallels.com/Plesk/Panel9.5/plesk-9.5.0-for-rpm-based-os.html#20

PCI Compliance — Parallels Plesk Panel can be made compliant with the Payment Card Industry Data Security Standard. This can be achieved by running a special PCI compliance resolver utility and additional tuning of system components, as described in the document Achieving PCI Compliance for Servers Managed by Parallels Plesk Panel 9.5. The document is available at http://download1.parallels.com/Plesk/Panel9.5/Doc/en-US/plesk-9.5-pci-compliance-guide/.
 
I like what I read about 9.5 but I don't want to wait. Also almost without fail, every time I upgrade Plesk there is a problem. Sometimes there are BIG problems. Are you saying there is no way to remove the psa-firewall module and use iptables from the OS? I would like to do this.
 
What is the problem? For example:

# rpm -qa | grep firewall
psa-firewall-1.0.1-cos5.build93091230.06

# rpm -e psa-firewall-1.0.1-cos5.build93091230.06

# /etc/init.d/iptables stop
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter nat [ OK ]
Unloading iptables modules: [ OK ]

# /etc/init.d/iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: mangle filter nat [ OK ]
Unloading iptables modules: [ OK ]

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
 
I did it like this on Debian/Ubuntu

# save current firewall
iptables-save >/etc/iptables.rules
# remove plesk's firewall module
aptitude remove psa-firewall

# create iptables-startup script
echo '#!/bin/sh' >/etc/network/if-up.d/iptables
echo 'iptables-restore </etc/iptables.rules' >>/etc/network/if-up.d/iptables
chmod +x /etc/network/if-up.d/iptables

Your firewall script can then be edited using 'vi' in /etc/iptables.rules
 
I just recently did it on a CentOS server. It's a bit different because that distribution already has its firewall more or less configured.

Code:
# cd /etc/sysconfig
# iptables-save                    # check if you are really running a firewall now
# cp -p iptables iptables.org      # save the original OS firewall (for documentation)
# iptables-save >iptables.plesk    # save the firewall as it's currently running..
# iptables-save >iptables          # save it again to the one we will be using

# chkconfig iptables on            # re-enable the OS firewall module

# rpm -qa | grep firewall          # find out the name of the Plesk firewall module
psa-firewall-10.13.4-cos5.build1013111102.18

# rpm -e psa-firewall-10.13.4-cos5.build1013111102.18   # erase the plesk firewall module
# /etc/init.d/iptables start       # Start the firewall
# iptables-save                    # check if it is working...
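As an added example (not from the thread, not Plesk's code): a POSIX shell function that writes the ruleset the original poster asked for, with port 8443 reachable only from an allowlist, in iptables-restore format so it can be saved as the /etc/iptables.rules or /etc/sysconfig/iptables file the posts above restore at boot. The addresses and the ADMIN_NETS name are constructed assumptions; the function only prints the ruleset, applying it is a separate root step.

```shell
#!/bin/sh
# Builds an iptables-restore ruleset: default DROP on INPUT, the usual service
# ports open to everyone, and the Plesk panel port 8443 open only to the
# allowlist. Addresses are constructed RFC 5737 documentation ranges.

ADMIN_NETS="203.0.113.10 198.51.100.0/24"   # assumed allowlist (constructed)

# gen_rules ALLOWLIST: print the ruleset on stdout (nothing is applied).
gen_rules() {
    nets="$1"
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p tcp --dport 22 -j ACCEPT' \
        '-A INPUT -p tcp --dport 80 -j ACCEPT' \
        '-A INPUT -p tcp --dport 443 -j ACCEPT'
    # One ACCEPT per allowed source for 8443; these must precede the DROP below.
    for net in $nets; do
        printf '%s\n' "-A INPUT -s $net -p tcp --dport 8443 -j ACCEPT"
    done
    # Everything else aimed at 8443 is logged (rate limited) and dropped
    # explicitly, so denied panel access is visible in the system log.
    printf '%s\n' \
        '-A INPUT -p tcp --dport 8443 -m limit --limit 5/min -j LOG --log-prefix "plesk-8443-denied: "' \
        '-A INPUT -p tcp --dport 8443 -j DROP' \
        'COMMIT'
}

# count_allow_8443 RULESET: number of ACCEPT rules for 8443, a sanity check
# that every allowlist entry made it into the file before applying it.
count_allow_8443() {
    printf '%s\n' "$1" | grep -c -- '--dport 8443 -j ACCEPT'
}

# Stand-alone run: print the ruleset for the sample allowlist. As root you
# would then review it and pipe it into iptables-restore, then iptables-save
# into the file the distribution restores at boot.
gen_rules "$ADMIN_NETS"
```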