On a Plesk for Linux server, deny rules set up in Plesk Firewall do not block connections to a Docker container

Applicable to:

  • Plesk for Linux

Symptoms

  • Plesk Firewall is enabled on the server.

  • A Docker container is created and mapped to a host port (for example, a Redis container with port mapping 6379 -> 6379).

  • Deny rules (incoming, outgoing, forwarding) created in Plesk Firewall do not block connections to port 6379 from outside.

Cause

According to the Docker documentation, Docker installs two custom iptables chains named DOCKER-USER and DOCKER and ensures that incoming packets are always checked by these two chains first. Plesk Firewall, however, cannot make any changes in these chains, so traffic forwarded to a published container port is accepted by Docker's rules before the rules managed by Plesk Firewall are evaluated.

There is an internal request with ID PPPM-9222 to improve Plesk Firewall in one of the future Plesk updates.

Resolution

As a workaround, add the following rule to iptables manually, remove the Plesk Firewall extension and, until the fix is available, manage firewall rules manually:

Note: The examples below are for IPv4. To manage IPv6 firewall rules, use ip6tables, ip6tables-save and ip6tables-restore instead.

  1. Connect to the server using SSH.

  2. Add the rule to the DOCKER-USER chain, which is checked first in the FORWARD chain:

    To deny access from the public network without exceptions:

    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport <DOCKER_CONTAINER_PORT> -j DROP

    Where <DOCKER_CONTAINER_PORT> should be replaced with the appropriate container port number. For example:

    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport 6379 -j DROP

    To deny access from the public network except specific IP addresses:

    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport <DOCKER_CONTAINER_PORT> -j DROP
    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport <DOCKER_CONTAINER_PORT> -s <ALLOWED_IPS> -j ACCEPT

    Where <DOCKER_CONTAINER_PORT> should be replaced with the appropriate container port number and <ALLOWED_IPS> with the IP addresses that should keep access. Because -I inserts at the top of the chain, the ACCEPT rule added second ends up above the DROP rule and is evaluated first. For example:

    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport 6379 -j DROP
    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport 6379 -s 203.0.113.2,192.0.2.2 -j ACCEPT

  3. Remove the Firewall extension by referring to this article.

    Warning: Disabling firewall rules management in Plesk Firewall removes all existing firewall rules.

  4. Save the iptables rules to the file system as follows:

    CentOS/RHEL-based distributions
    1. Connect to the server via SSH

    2. Run the following to save firewall rules and load them on server startup:

      # service iptables save
      Saving firewall rules to /etc/sysconfig/iptables: [ OK ]

      # service ip6tables save
      Saving firewall rules to /etc/sysconfig/ip6table[ OK ]

    Debian/Ubuntu-based distributions
    1. Connect to the server via SSH

    2. Install the iptables-persistent package to load firewall rules on server startup:

      # apt-get install iptables-persistent

    3. Save rules to the filesystem

      # netfilter-persistent save
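The script below is an added example for this article, not Plesk's own code, and ties the steps above together: it builds the DOCKER-USER rules in the order the article gives them (DROP first, then ACCEPT, so the ACCEPT lands above the DROP), emits one ACCEPT per allowed address instead of the comma-separated list (a generalisation of the article's form, which makes each rule checkable with iptables -C), inserts a rule only if it is not already present so the script can be re-run after a reboot, and verifies from the chain listing that an ACCEPT really precedes the DROP. It assumes the container address (172.17.0.2 in the article) and port are passed as arguments, and that IPTABLES may be overridden with ip6tables for IPv6.

```shell
#!/bin/sh
# Added example for this article; not Plesk's code. Builds, applies and
# verifies DOCKER-USER rules for one published container port.
# Assumptions: CONTAINER_IP and PORT are passed in; IPTABLES may be
# overridden (e.g. IPTABLES=ip6tables) for the IPv6 variant.

IPTABLES="${IPTABLES:-iptables}"

# docker_user_rules CONTAINER_IP PORT [ALLOWED_IPS]
# Prints one rule specification per line, in insertion order: the DROP
# first, then one ACCEPT per comma-separated allowed source. Because
# "iptables -I" inserts at the top of the chain, every ACCEPT inserted after
# the DROP ends up above it and is evaluated first.
docker_user_rules() {
    dur_ip="$1"; dur_port="$2"; dur_allowed="$3"
    printf '%s\n' "-d $dur_ip -p tcp --dport $dur_port -j DROP"
    [ -n "$dur_allowed" ] || return 0
    dur_old_ifs="$IFS"; IFS=,
    for dur_src in $dur_allowed; do
        printf '%s\n' "-d $dur_ip -p tcp --dport $dur_port -s $dur_src -j ACCEPT"
    done
    IFS="$dur_old_ifs"
}

# apply_docker_user_rules CONTAINER_IP PORT [ALLOWED_IPS]
# Inserts each rule unless "iptables -C" reports it already exists, so a
# re-run does not duplicate rules.
apply_docker_user_rules() {
    docker_user_rules "$@" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # the rule is meant to be word-split
        if $IPTABLES -C DOCKER-USER $rule 2>/dev/null; then
            echo "already present: $rule"
        else
            $IPTABLES -I DOCKER-USER $rule && echo "inserted: $rule"
        fi
    done
}

# verify_accept_before_drop PORT   (reads "iptables -S DOCKER-USER" on stdin)
# Succeeds only if an ACCEPT for PORT is listed before the DROP for PORT,
# i.e. the allow-list rules would actually match first.
verify_accept_before_drop() {
    awk -v port="$1" '
        $0 ~ ("--dport " port "( |$)") && /-j ACCEPT/ && !seen_drop { ok = 1 }
        $0 ~ ("--dport " port "( |$)") && /-j DROP/ { seen_drop = 1 }
        END { exit ok ? 0 : 1 }'
}

# Usage (as root):
#   sh docker-user-rules.sh show  172.17.0.2 6379 203.0.113.2,192.0.2.2
#   sh docker-user-rules.sh apply 172.17.0.2 6379 203.0.113.2,192.0.2.2
case "${1:-}" in
    show)  shift; docker_user_rules "$@" | sed "s|^|$IPTABLES -I DOCKER-USER |" ;;
    apply) shift; apply_docker_user_rules "$@"
           [ -n "${3:-}" ] && { $IPTABLES -S DOCKER-USER | verify_accept_before_drop "$2" && echo "order OK"; } ;;
esac
```

Run it with "show" first to review the exact commands, then "apply"; afterwards save the rules with the distribution-specific step above so they survive a reboot.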

Comments

  • A workaround would be to bind the Docker container to localhost as explained here. That example by WebHostingAce shows how to bind Redis to accept only local connections. It would still be nice if Plesk Firewall could be used instead, but this workaround is very nice.

    Redis example from here:

    1. Search for Redis Docker in Docker Image Catalog Then Click Run.

    2. In the Next Step 'Run redis', Press Cancel

    3. Login to SSH as Root then Run
    Code:
    docker run --name=redis -p 127.0.0.1:6379:6379 redis

    4. Press CTRL + C to Exit.

    5. In the Plesk Panel Click on Docker again. Now you will see the Redis Docker is not Running.

    6. In Redis Docker, go to Settings and Tick 'Automatic start after system reboot' > 'Ok' > 'Start'

    Now the Redis Docker container will be bound to localhost and port 6379 will not be accessible externally.

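The check below is an added example, not part of the comment above or of the WebHostingAce article it refers to. After binding the container with -p 127.0.0.1:6379:6379, a practitioner wants to confirm that nothing on the host still listens for that port on a public address (Docker publishes on 0.0.0.0 and [::] by default). The function reads the output of "ss -H -ltn" (or "netstat -ltn") and succeeds only when at least one listener exists for the port and every listener for it is on 127.0.0.1 or [::1]; the listing lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the page: verify that a published container port
# is reachable only via loopback. Assumes listener lines in the column
# layout of "ss -H -ltn" / "netstat -ltn" (local address in column 4).

# listeners_loopback_only PORT   (reads the listener table on stdin)
# Exit 0: the port has listeners and all are on 127.0.0.1 or [::1].
# Exit 1: no listener for the port, or one on a non-loopback address
#         such as 0.0.0.0, [::] or *.
listeners_loopback_only() {
    awk -v port="$1" '
        {
            addr = $4                       # e.g. 127.0.0.1:6379, [::]:6379
            n = split(addr, parts, ":")
            if (parts[n] != port) next      # listener for a different port
            sub(":" port "$", "", addr)     # strip ":PORT" to get the address
            found = 1
            if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
        }
        END { exit (found && !bad) ? 0 : 1 }'
}

# Usage on the host, after (re)starting the container:
#   ss -H -ltn | listeners_loopback_only 6379 && echo "6379 is loopback-only"
```

If the check fails right after changing the mapping, the old container is usually still running with the original 0.0.0.0 binding; stop it and start the localhost-bound one, then run the check again.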
  • This is not a helpful solution, I don't want to delete the firewall extension :/

    Either you must give an appropriate solution or work on PPPM-9222.
