How to manage local firewall rules using Plesk Firewall in Plesk for Linux

Follow

Comments

14 comments

  • Avatar
    Sales

    Is it not possible to disable only 1 firewall rule?

    I have a large amount of blocked spammers ip's but recently switched to a paid DNSBL and would like to just deactivate the 1 rule for testing.

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hi @Sales,

    It's possible to delete the rule.

    To go Tools&Settings > FIrewall > Modify Plesk Firewall Rules, select the required rule and click Delete:

    Here is a short demonstration:

    https://cl.ly/3109cb028117

    0
    Comment actions Permalink
  • Avatar
    Sales

    Yes that is possible to delete but not disable. I was looking for a way to deactivate 1 rule temporarily for testing. Because it contains 300+ IP's I would have to add it back 1 ip at a time.  

    I made an extension that allows me to export the rules and then re import for testing.

    Thanks.

    0
    Comment actions Permalink
  • Avatar
    Usta

    Hi,

     

    This is for just one IP address.

    Is there any easy way to add file or hundred of IPs at one time there?

     

    Thanks in advance.

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hello @Usta,

    Such functionality is yet to be implemented in Plesk.

    We have the following feature suggestion. Feel free to comment and vote for this feature. Most popular ones are likely to be implemented.

    Meanwhile, the required result may be achieved using iptables directly, for example: https://serverfault.com/questions/161401/how-to-allow-a-range-of-ips-with-iptables

    0
    Comment actions Permalink
  • Avatar
    Mehmet Yaldiz

    Can i also Import big IP ranges like this

    iptables -A INPUT -s 2.0.0.0/24 -j DROP
    iptables -A INPUT -s 2.0.1.0/24 -j DROP
    iptables -A INPUT -s 2.0.2.0/24 -j DROP
    iptables -A INPUT -s 2.0.3.0/24 -j DROP
    iptables -A INPUT -s 2.0.4.0/24 -j DROP
    iptables -A INPUT -s 2.0.5.0/24 -j DROP
    iptables -A INPUT -s 2.0.6.0/24 -j DROP

    over SSH when i have firewall on? I a looking for a solution to import Country IP range from countryipblocks.net

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hello Mehmet Yaldiz

    If you'll manually add these IP ranges, this will work but when the Plesk firewall will be configured, these rules may be wiped. 

    Please, vote for the functionality to be able to block IP ranges via the Plesk firewall here.

    0
    Comment actions Permalink
  • Avatar
    Sushil

    This is not worked for me - Connection attempt failed with "ETIMEDOUT - Connection attempt timed out".

    0
    Comment actions Permalink
  • Avatar
    Ivan Postnikov

    Hello Sushil

    The only reason this happens is the traffic being blocked by some firewall. If that's not a firewall on the Plesk server, contact your ISP or server provider.

    0
    Comment actions Permalink
  • Avatar
    My Domain Labs

    So, apparently, this thing still is not capable of managing multiple IP addresses... and the more I am trying to advance my infrastructure the more I am noticing how much i might really just need to move on to another panel... especially with the kind of support I have been getting lately, and I'm paying for this support! you have a bunch or 1-month old rookies out there calling themselves engineers.... absolutely horrible

    0
    Comment actions Permalink
  • Avatar
    Websavers Inc

    For the folks asking how to add IPs en masse, you can fork and modify our helper script here to help you do this: https://github.com/websavers/Plesk-Firewall-CLI-Helper

    We'll gladly accept pull requests for functionality like this. I believe the Plesk firewall command should accept a CSV of IPs to block or allow.

    0
    Comment actions Permalink
  • Avatar
    Ericbeck

    There is an easier way to do this, and thanyou Plesk for maintaining iptables in CentOS 8!  It means I can use the same ipset system I have set up in CentOS 7.

    Install ipsets.  Create your set, for me it's easy because the ipset is for blocking the bad actors from all ports.

    Unlike normal iptables chains, which are stored and traversed linearly, IP sets are stored in indexed data structures, making lookups very efficient, even when dealing with large sets

    ipset create setname nethash maxelem 200000 (I ran out of room in my first ipset, so created another one this time with 500000 max elements)

    so then you just add elements to your set.  You can write a shell script to add large numbers of IP addresses at once, like, 

    #!/bin/bash

    FILE=mylist

    while read line; do

      /path/to/ipset add setname $line

    done < $FILE

    Now you have a large number of IPs

    Now just have a script that runs to insert the ipset into the plesk firewall iptables.  If you are running fail2ban you have to run a checking script too, because any time you restart/reload the plesk firewall, it will destroy your ipset rule.

    #!/bin/bash

    /usr/sbin/iptables -I INPUT -m set --match-set setname src -j DROP

    So for me, because I run fail2ban, there is always a jail active, when you run iptables -nL there is always a f2b line third from the top

    Example:

    Chain INPUT (policy DROP)
    target prot opt source destination
    f2b-recidive tcp -- 0.0.0.0/0 0.0.0.0/0

    So I have a script running every 5 minutes making sure it doesn't look like that, because I want my rule above the f2b #1 rule (if you don't, then the firewall skips to the f2b part and bypasses your DROP line.  Your DROP rule must be first, so iptables -nL looks like this: (in this example the fb2-recidive rule just happens to be the first rule exampled.

    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP all -- 0.0.0.0/0 0.0.0.0/0 match-set setname src  <--- this is what you want -- first rule
    f2b-recidive tcp -- 0.0.0.0/0 0.0.0.0/0

    ......

    So every 5 minutes the script runs to check to make sure f2b isn't in the 3rd line.  If it is, then the script to run the iptables insert the ipset is run, or you could put the line in the same script.  I just prefer them separate.The script also emails us, since we want to know when there has been an occurrence of this so we can double check the firewall.

    You can do a lot of things with this IPSET setup to really cut down on hackers and spam.  I have nailed down all the bad actions from dovecot and postfix and have scripts running every 15 minutes grepping the log files for the known issues, then for production reasons, after ips are extracted, they are run through some other filtering and then the resulting list of IP addresses is automatically added to the ipset every 15 minutes.  I have found it's a really good solution to hackers and spammers.   There's a lot you can do with it with some creative scripting.

    Hope this helps someone.

    0
    Comment actions Permalink
  • Avatar
    Ericbeck

    actually the line here:

    /path/to/ipset add setname $line

    should read

    /path/to/ipset add setname $line -exist

    which tells ipset to add the IP address if it doesn't exist in the set. (no error reporting then, trying to add things that are alreay there)

    Forgot to mention to, if you're using 

    ipset create mysetname nethash maxelem 200000

    (or your number of elements)

    IPsets will take CIDR notation, so you can have elemnts like

    111.222.222.111

    or 

    111.222.222.0/24

    or 

    111.222.0.0/16 or whatever

    it doesn't have to be single IP addresses

    0
    Comment actions Permalink
  • Avatar
    Andrew Paterson (Edited )

    When I am using the Plesk Obsidian interface I can set up a new rule to block an IP Address, but there is no way of editing the rule, or removing it. The tick box next to the rule name is not active, although the green tick icon is so I can change that to a grey cross, so cannot tick it and then do remove - although it is possible to do this for the rules that were set up by default.  When I go in to the rule I can just view the existing list of ip addresses, there is an OK button, but that's useless because I can't edit anything.

    Any ideas what is wrong?

    0
    Comment actions Permalink

Please sign in to leave a comment.

Have more questions? Submit a request