Applicable to:
- Plesk for Linux
Question
How to manage firewall rules on a Plesk for Linux server?
Answer
Note: If Plesk Firewall is not installed, install it according to this KB article.
Go to Tools & Settings > Firewall > click Enable Firewall Rules Management > Enable. All rules predefined by Plesk that are required for Plesk functionality will be enabled.
Note: If a custom SSH port is used, a rule for this custom SSH port must be added after enabling Plesk Firewall, otherwise SSH connections will not be allowed. See the instructions below.
To enable/disable/modify firewall rules, click Modify Plesk Firewall Rules.
Below is an example of adding a rule that will allow connections to custom SSH port 2222.
- Click Add Custom Rule.
- Fill in the fields and click OK:
  - Name of the rule: Custom SSH port
  - Match direction: Incoming
  - Action: Allow
  - Ports: TCP 2222
  - Sources: Specify IP addresses from which SSH connections will be allowed. In this example, SSH connections to a custom port are allowed from 203.0.113.2.
- Click Apply Changes.
- Connect to a Plesk server via SSH.
- Run the commands below to add rules to the firewall configuration. Below is an example of adding rules to allow/forbid ports 8443 and 8880:
For SystemV-based OSes and SystemD where firewalld is disabled
- To allow connections to ports:
# iptables -I INPUT -p tcp --dport 8443 -m state --state NEW -j ACCEPT
# iptables -I INPUT -p tcp --dport 8880 -m state --state NEW -j ACCEPT
- To forbid connections to ports:
# iptables -I INPUT -p tcp -s 203.0.113.2 --dport 8443 -j DROP
# iptables -I INPUT -p tcp -s 203.0.113.2 --dport 8880 -j DROP
- To save the changes, run:
# service iptables save
Note: If it does not work for your OS, try the next one.
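Added example (not part of the original article and not a Plesk tool): `iptables -I INPUT` puts each new rule at the top of the chain, so when both the allow and the forbid commands are run, the rules added last are evaluated first. The script below reads `iptables -S INPUT` output and reports which rule decides a new TCP connection; the `first_match` helper, the sample listing, the DROP policy and the address 198.51.100.7 are constructed for illustration.

```shell
# Constructed sample: `iptables -S INPUT` after running this article's allow
# commands and then its forbid commands. -I inserts at the top of the chain,
# so the rules added last are listed first. The DROP policy is an assumption.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -s 203.0.113.2/32 -p tcp -m tcp --dport 8880 -j DROP
-A INPUT -s 203.0.113.2/32 -p tcp -m tcp --dport 8443 -j DROP
-A INPUT -p tcp -m tcp --dport 8880 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -m state --state NEW -j ACCEPT'

# first_match RULES SRC_IP TCP_PORT  (hypothetical helper, not a Plesk tool)
# Prints the target of the first INPUT rule matching a NEW TCP connection from
# SRC_IP to TCP_PORT, or "POLICY:<target>" when no rule matches.
# Simplifications: -s is compared as an exact /32 (no CIDR math), --dport as a
# single port, and rules that jump to other chains are skipped.
first_match() {
    printf '%s\n' "$1" | awk -v src="$2" -v port="$3" '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }
        {
            s = ""; p = ""; d = ""; j = ""; st = ""; ifc = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s")      s = $(i + 1)
                if ($i == "-p")      p = $(i + 1)
                if ($i == "--dport") d = $(i + 1)
                if ($i == "-j")      j = $(i + 1)
                if ($i == "-i")      ifc = $(i + 1)
                if ($i == "--state" || $i == "--ctstate") st = $(i + 1)
            }
            if (j != "ACCEPT" && j != "DROP" && j != "REJECT") next
            if (ifc == "lo") next                      # loopback only
            if (st != "" && st !~ /NEW/) next          # e.g. ESTABLISHED only
            if (s != "" && s != "0.0.0.0/0" && s != (src "/32")) next
            if (p != "" && p != "tcp" && p != "all") next
            if (d != "" && d != port) next
            print j; found = 1; exit
        }
        END { if (!found) print "POLICY:" policy }'
}

# On a server (as root): first_match "$(iptables -S INPUT)" 203.0.113.2 8443
first_match "$SAMPLE_RULES" 203.0.113.2 8443    # blocked address
first_match "$SAMPLE_RULES" 198.51.100.7 8443   # any other address (constructed)
first_match "$SAMPLE_RULES" 198.51.100.7 2222   # custom SSH port, no rule yet
```

Running the same check for the custom SSH port before closing the current SSH session shows whether the rule from the note above is in place.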
For SystemD-based OSes where firewalld is enabled
- To allow connections to ports:
# firewall-cmd --zone=public --permanent --add-port=8443/tcp
# firewall-cmd --zone=public --permanent --add-port=8880/tcp
- To forbid connections to ports:
# firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.2" port protocol="tcp" port="8880" reject'
# firewall-cmd --zone=public --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.2" port protocol="tcp" port="8443" reject'
- To save the changes, run:
# firewall-cmd --reload
Comments
3 comments
Is it not possible to disable only 1 firewall rule?
I have a large amount of blocked spammer IPs but recently switched to a paid DNSBL and would like to just deactivate the 1 rule for testing.
Hi @Sales,
It's possible to delete the rule.
Go to Tools & Settings > Firewall > Modify Plesk Firewall Rules, select the required rule and click Delete:
Here is a short demonstration:
https://cl.ly/3109cb028117
Yes, that is possible to delete but not disable. I was looking for a way to deactivate 1 rule temporarily for testing. Because it contains 300+ IPs I would have to add it back 1 IP at a time.
I made an extension that allows me to export the rules and then re import for testing.
Thanks.