Plesk 360 login
Free Trial

Knowledge Base

On Plesk for Linux server, deny rules set up in Plesk Firewall do not block connections to Docker container

 
applications extensionscentosdebiandockerfirewall

Symptoms

  • Plesk Firewall is enabled on the server.

  • Docker container is created and mapped to some port (for example, a Redis contained with port mapping 6379 -> 6379).

  • Deny rules (for incoming, outgoing, forwarding) created in Plesk Firewall do not block connections to port 6379 from outside.

Cause

According to Docker documentation, Docker installs two custom iptables chains named DOCKER-USER and DOCKER, and it ensures that incoming packets are always checked by these two chains first. However, Plesk Firewall cannot make any changes in these chains.

There is an internal request with ID PPPM-9222 to improve Plesk Firewall in one of the future Plesk updates.

Resolution

As a workaround, add the following rule into iptables manually, remove Plesk firewall extension and, until the fix be available, manage firewall rules manually:

Note: Examples below are provided for IPv4. To manipulate with IPv6 firewall rules ip6tables, ip6tables-save, ip6tables-restore should be used.

  1. Connect to the server using SSH.

  2. Add the rule to the DOCKER-USER chain, which is checked first in FORWARD:

    To deny access from the public network without exceptions

    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport <DOCKER_CONTAINER_PORT> -j DROP

    Where <DOCKER_CONTAINER_PORT> should be replaced with the appropriate container port number. For example:

    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport 6379 -j DROP

    To deny access from the public network except specific IP addresses:

    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport <DOCKER_CONTAINER_PORT> -j DROP
    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport <DOCKER_CONTAINER_PORT> -s <ALLOWED_IPS> -j ACCEPT

    Where <DOCKER_CONTAINER_PORT> should be replaced with the appropriate container port number and <ALLOWED_IPS> should be replaced with the appropriate IP addresses. For example:

    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport 6379 -j DROP
    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport 6379 -s 203.0.113.2,192.0.2.2 -j ACCEPT

  3. Remove Firewall extension by referring to this article

    Warning: Disable Firewall rules management in Plesk Firewall will remove all existing firewall rules.

  4. Save the iptables rules to the file system as follows:

    CentOS/RHEL-based distributions

    1. Connect to the server via SSH

    2. Run the following to save firewall rules and load them on server startup:

      # service iptables save
      Saving firewall rules to /etc/sysconfig/iptables: [ OK ]

      # service ip6tables save
      Saving firewall rules to /etc/sysconfig/ip6table[ OK ]

    Debian/Ubuntu-based distributions

    1. Connect to the server via SSH

    2. Install the iptables-persistent package to load firewall rules on server startup:

      # apt-get install iptables-persistent

    3. Save rules to the filesystem

      # netfilter-persistent save

Read the full article
Related Posts
Knowledge Base

Hosting Wiki

Install On Plesk for Linux server, deny rules set up in Plesk Firewall do not block connections to Docker container extension

Hostname or IP or URL of your Plesk instance: