Plesk

On a Plesk for Linux server, deny rules set up in Plesk Firewall do not block connections to Docker containers

Symptoms

Cause

According to the Docker documentation, Docker installs two custom iptables chains named DOCKER-USER and DOCKER and ensures that forwarded packets are always checked by these two chains first. Traffic to a published container port is DNATed to the container's address in the nat PREROUTING chain and then traverses the FORWARD chain, where the DOCKER-USER and DOCKER chains are evaluated; it never reaches the INPUT chain in which Plesk Firewall places its rules. Plesk Firewall cannot make any changes in the DOCKER-USER and DOCKER chains, so its deny rules have no effect on container traffic.

There is an internal request with ID PPPM-9222 to improve Plesk Firewall in one of the future Plesk updates.

Resolution

As a workaround, add the rule below to iptables manually, remove the Plesk Firewall extension and, until the fix is available, manage firewall rules manually:

Note: The examples below are for IPv4. To manage IPv6 firewall rules, use ip6tables, ip6tables-save and ip6tables-restore instead.

  1. Connect to the server using SSH.

  2. Add the rule to the DOCKER-USER chain, which is checked first in FORWARD. By the time a packet reaches this chain, its destination has already been rewritten to the container's address and port, so the rule must match the container IP (172.17.0.2 in the examples, the address on Docker's bridge network as shown by docker inspect) and the container's port, not the port published on the host. On the default bridge network this address can change when the container is restarted, so check it again after a restart. The rule matches by destination only, so connections from other containers on the same bridge that pass through FORWARD are dropped as well unless their addresses are added to the allow list or the rule is limited to the external interface with -i:

    To deny access from the public network without exceptions

    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport <DOCKER_CONTAINER_PORT> -j DROP

    Where <DOCKER_CONTAINER_PORT> should be replaced with the appropriate container port number. For example:

    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport 6379 -j DROP

    To deny access from the public network except from specific IP addresses (each -I inserts at position 1, so the ACCEPT rule added second ends up above the DROP rule and is evaluated first; keep this order):

    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport <DOCKER_CONTAINER_PORT> -j DROP
    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport <DOCKER_CONTAINER_PORT> -s <ALLOWED_IPS> -j ACCEPT

    Where <DOCKER_CONTAINER_PORT> should be replaced with the appropriate container port number and <ALLOWED_IPS> with a comma-separated list of the allowed IP addresses (iptables expands the list into one rule per address). For example:

    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport 6379 -j DROP
    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport 6379 -s 203.0.113.2,192.0.2.2 -j ACCEPT

  3. Remove Firewall extension by referring to this article

    Warning: Disabling firewall rules management in Plesk Firewall removes all existing firewall rules. After removing the extension, check that the DOCKER-USER rules added in step 2 are still present and re-add them if they were flushed.

  4. Save the iptables rules to the file system as follows:

    CentOS/RHEL-based distributions

    1. Connect to the server via SSH

    2. Run the following to save the firewall rules and load them on server startup (on CentOS/RHEL 7 and later the iptables service is provided by the iptables-services package, which must be installed for these commands to exist):

      # service iptables save
      Saving firewall rules to /etc/sysconfig/iptables: [ OK ]

      # service ip6tables save
      Saving firewall rules to /etc/sysconfig/ip6tables: [ OK ]

    Debian/Ubuntu-based distributions

    1. Connect to the server via SSH

    2. Install the iptables-persistent package to load firewall rules on server startup (the installer offers to save the current IPv4 and IPv6 rules):

      # apt-get install iptables-persistent

    3. Save the current rules to the filesystem (written to /etc/iptables/rules.v4 and /etc/iptables/rules.v6):

      # netfilter-persistent save
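The following script is an added example, not part of the Plesk article or of Docker's own tooling. It wraps the step 2 rules so that they can be applied repeatably: input is validated, each rule is inserted only if it is not already in DOCKER-USER, the allow list is inserted after the DROP so that it ends up above it, and the resulting chain can be listed to confirm the order. The function names and the DRY_RUN switch are assumptions of this example; run it as root, or set DRY_RUN=1 to print the iptables commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the Plesk article: build the DOCKER-USER rules
# for one container port with an optional allow list. Function names and
# the DRY_RUN switch are assumptions of this example. Run as root; with
# DRY_RUN=1 the iptables commands are printed instead of executed.

# Validate a dotted-quad IPv4 address, optionally with a /prefix length.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Insert a rule at the top of DOCKER-USER unless an identical rule already
# exists (iptables -C exits non-zero when the rule is absent), so running
# the script again does not stack duplicate rules.
insert_once() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables -I DOCKER-USER $*"
    elif ! iptables -C DOCKER-USER "$@" 2>/dev/null; then
        iptables -I DOCKER-USER "$@"
    fi
}

# block_container_port CONTAINER_IP PORT [ALLOWED_SOURCE ...]
# Each -I puts its rule at position 1, so inserting DROP first and the
# ACCEPT rules afterwards leaves the kernel evaluating the allow list
# before the DROP, the order the article's example relies on.
# All arguments are validated before any rule is touched, so a bad
# allow-list entry does not leave the chain half-configured.
block_container_port() {
    [ "$#" -ge 2 ] || { echo "usage: block_container_port IP PORT [SRC...]" >&2; return 1; }
    ip="$1"; port="$2"; shift 2
    valid_ipv4 "$ip" || { echo "bad container IP: $ip" >&2; return 1; }
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    for src in "$@"; do
        valid_ipv4 "$src" || { echo "bad allowed source: $src" >&2; return 1; }
    done
    insert_once -d "$ip" -p tcp --dport "$port" -j DROP
    for src in "$@"; do
        insert_once -d "$ip" -p tcp --dport "$port" -s "$src" -j ACCEPT
    done
}

# List the chain with rule numbers so the ACCEPT-before-DROP order can be
# confirmed after applying (DRY_RUN prints the command instead).
show_docker_user() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables -L DOCKER-USER -n -v --line-numbers"
    else
        iptables -L DOCKER-USER -n -v --line-numbers
    fi
}

# Demo with the article's values: Redis port 6379 of container 172.17.0.2,
# reachable only from 203.0.113.2 and 192.0.2.2 (documentation addresses).
if [ "${1:-}" = "--demo" ]; then
    DRY_RUN=1 block_container_port 172.17.0.2 6379 203.0.113.2 192.0.2.2
    DRY_RUN=1 show_docker_user
fi
```

After applying for real, run show_docker_user and confirm that the ACCEPT rules appear above the DROP; then persist the rules with the distribution-specific command from step 4, and repeat the same calls with ip6tables if the container is reachable over IPv6.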