Applicable to:
- Plesk for Linux
Question
How to manage local firewall rules on a Plesk for Linux server?
Answer
Note: If Plesk Firewall is not installed, install it according to this KB article.
Go to Tools & Settings > Firewall > click Enable Firewall Rules Management > Enable. All predefined by Plesk rules that are required for Plesk functionality will be enabled.
Note: If a custom SSH port is used, after enabling Plesk Firewall it is required to add a rule for this custom SSH port to allow SSH connections. See the instructions below.
To add/remove/modify firewall rules, click Modify Plesk Firewall Rules.
Below is an example of adding a rule that will allow connections to custom SSH port 2222.
-
Click Add Custom Rule.
-
Fill in the fields and click OK:
- Name of the rule: Custom SSH port
- Match direction: Incoming
- Action: Allow
- Ports: TCP 2222
- Sources: Specify IP addresses from which SSH connections will be allowed. In this example, SSH connections to a custom port are allowed from 203.0.113.2.
-
Click Apply Changes.
-
Connect to a Plesk server via SSH.
-
Run the commands below to add rules to the firewall configuration. Below is an example of adding rules to allow/forbid ports 8443 and 8880:
For SystemV-based OSes and SystemD where firewalld is disabled
-
To allow connections to ports:
# iptables -I INPUT -p tcp --dport 8443 -m state --state NEW -j ACCEPT
# iptables -I INPUT -p tcp --dport 8880 -m state --state NEW -j ACCEPT -
To forbid connections to ports:
# iptables -I INPUT -p tcp -s 203.0.113.2 --dport 8443 -j DROP
# iptables -I INPUT -p tcp -s 203.0.113.2 --dport 8880 -j DROP -
To save the changes, run:
# service iptables save
Note: If it does not work for your OS, try the next one.
For SystemD-based OSes where firewalld is enabled
-
-
To allow connections to ports:
# firewall-cmd --zone=public --permanent --add-port=8443/tcp
# firewall-cmd --zone=public --permanent --add-port=8880/tcp -
To forbid connections to ports:
# firewall-cmd --zone=public --permanent source address='203.0.113.2' port protocol='tcp' port='8880' reject
# firewall-cmd --zone=public --permanent source address='203.0.113.2' port protocol='tcp' port='8443' reject -
To save the changes, run:
# firewall-cmd --reload
Comments
5 comments
Is it not possible to disable only 1 firewall rule?
I have a large amount of blocked spammers ip's but recently switched to a paid DNSBL and would like to just deactivate the 1 rule for testing.
Hi @Sales,
It's possible to delete the rule.
To go Tools&Settings > FIrewall > Modify Plesk Firewall Rules, select the required rule and click Delete:
Here is a short demonstration:
https://cl.ly/3109cb028117
Yes that is possible to delete but not disable. I was looking for a way to deactivate 1 rule temporarily for testing. Because it contains 300+ IP's I would have to add it back 1 ip at a time.
I made an extension that allows me to export the rules and then re import for testing.
Thanks.
Hi,
This is for just one IP address.
Is there any easy way to add file or hundred of IPs at one time there?
Thanks in advance.
Hello @Usta,
Such functionality is yet to be implemented in Plesk.
We have the following feature suggestion. Feel free to comment and vote for this feature. Most popular ones are likely to be implemented.
Meanwhile, the required result may be achieved using iptables directly, for example: https://serverfault.com/questions/161401/how-to-allow-a-range-of-ips-with-iptables
Please sign in to leave a comment.