Articles in this section

See more

How to manage local firewall rules using Plesk Firewall on a Plesk for Linux server

Avatar
Kuzma Ivanov
Updated
Follow
Plesk for Linux kb: auxiliary ABT: Group A

Applicable to:

  • Plesk for Linux

Question

How to manage local firewall rules using Plesk Firewall on a Plesk for Linux server?

Answer

Note: If Plesk Firewall is not installed, install it using the steps from this KB article.

 

Managing firewall rules via the Plesk interface

 

Go to Tools & Settings > Firewall > click Enable Firewall Rules Management > Enable. All predefined by Plesk rules that are required for Plesk functionality will be enabled.

Note: If a custom SSH port is used, after enabling Plesk Firewall it is required to add a rule for this custom SSH port to allow SSH connections. See the instructions below.


Screenshot_2018-10-10_Plesk_Onyx_17_8_11_4_.png

To add/remove/modify firewall rules, click Modify Plesk Firewall Rules.


Screenshot_2018-10-10_Plesk_Onyx_17_8_11.png

Below is an example of adding a rule that will allow connections to custom SSH port 2222.

  1. Click Add Custom Rule.


    Screenshot_2018-10-10_Plesk_Onyx_17_8_11_1_.png

  2. Fill in the fields and click OK:

    • Name of the rule: Custom SSH port
    • Match direction: Incoming
    • Action: Allow
    • Ports: TCP 2222
    • Sources: Specify IP addresses from which SSH connections will be allowed. In this example, SSH connections to a custom port are allowed from 203.0.113.2.


    Screenshot_2018-10-10_Plesk_Onyx_17_8_11_2_.png

  3. Click Apply Changes.


    Screenshot_2018-10-10_Plesk_Onyx_17_8_11_3_.png

 

Managing firewall rules via a command-line interface

 

Use the /usr/local/psa/bin/modules/firewall/settings utility to manage Plesk Firewall in a command-line interface.

For a complete list of available options, run this help command:

# /usr/local/psa/bin/modules/firewall/settings --help

 

Below is an example of enabling Plesk Firewall:

  1. Connect to a Plesk server via SSH in 2 separate SSH windows.

  2. On the SSH windows A, enable the firewall:

    # /usr/local/psa/bin/modules/firewall/settings -e

  3. On the SSH window B, confirm the changes within 60 seconds:

    # /usr/local/psa/bin/modules/firewall/settings --confirm

    All predefined by Plesk rules that are required for Plesk functionality will be enabled.

 

Below is an example of adding a new rule with the name "My rule" which will deny incoming connections from 203.0.113.2 on ports 2222/tcp, 2222/udp:

  1. Connect to a Plesk server via SSH in 2 separate SSH windows.

  2. On the SSH window A, create a new rule and apply it:

    # /usr/local/psa/bin/modules/firewall/settings -s -name 'My rule' -direction input -action deny -ports '2222/tcp,2222/udp' -remote-addresses "203.0.113.2"

    # /usr/local/psa/bin/modules/firewall/settings -a

  3. Back to the SSH window B, confirm the changes within 60 seconds:

    # /usr/local/psa/bin/modules/firewall/settings -c

 

Comments

9 comments

Sort by Date Votes
  • Avatar
    Sales

    Is it not possible to disable only 1 firewall rule?

    I have a large amount of blocked spammers ip's but recently switched to a paid DNSBL and would like to just deactivate the 1 rule for testing.

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hi @Sales,

    It's possible to delete the rule.

    To go Tools&Settings > FIrewall > Modify Plesk Firewall Rules, select the required rule and click Delete:

    Here is a short demonstration:

    https://cl.ly/3109cb028117

    0
    Comment actions Permalink
  • Avatar
    Sales

    Yes that is possible to delete but not disable. I was looking for a way to deactivate 1 rule temporarily for testing. Because it contains 300+ IP's I would have to add it back 1 ip at a time.  

    I made an extension that allows me to export the rules and then re import for testing.

    Thanks.

    0
    Comment actions Permalink
  • Avatar
    Usta

    Hi,

     

    This is for just one IP address.

    Is there any easy way to add file or hundred of IPs at one time there?

     

    Thanks in advance.

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hello @Usta,

    Such functionality is yet to be implemented in Plesk.

    We have the following feature suggestion. Feel free to comment and vote for this feature. Most popular ones are likely to be implemented.

    Meanwhile, the required result may be achieved using iptables directly, for example: https://serverfault.com/questions/161401/how-to-allow-a-range-of-ips-with-iptables

    0
    Comment actions Permalink
  • Avatar
    Mehmet Yaldiz

    Can i also Import big IP ranges like this

    iptables -A INPUT -s 2.0.0.0/24 -j DROP
    iptables -A INPUT -s 2.0.1.0/24 -j DROP
    iptables -A INPUT -s 2.0.2.0/24 -j DROP
    iptables -A INPUT -s 2.0.3.0/24 -j DROP
    iptables -A INPUT -s 2.0.4.0/24 -j DROP
    iptables -A INPUT -s 2.0.5.0/24 -j DROP
    iptables -A INPUT -s 2.0.6.0/24 -j DROP

    over SSH when i have firewall on? I a looking for a solution to import Country IP range from countryipblocks.net

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hello Mehmet Yaldiz

    If you'll manually add these IP ranges, this will work but when the Plesk firewall will be configured, these rules may be wiped. 

    Please, vote for the functionality to be able to block IP ranges via the Plesk firewall here.

    0
    Comment actions Permalink
  • Avatar
    Sushil

    This is not worked for me - Connection attempt failed with "ETIMEDOUT - Connection attempt timed out".

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hello Sushil

    The only reason this happens is the traffic being blocked by some firewall. If that's not a firewall on the Plesk server, contact your ISP or server provider.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles