Applicable to:
- Plesk for Linux
Symptoms
- Plesk Firewall is enabled on the server.
- A Docker container is created and mapped to some port (for example, a Redis container with port mapping 6379 -> 6379).
- Deny rules (for incoming, outgoing, forwarding) created in Plesk Firewall do not block connections to port 6379 from outside.
Cause
According to the Docker documentation, Docker installs two custom iptables chains named DOCKER-USER and DOCKER, and it ensures that incoming packets are always checked by these two chains first. However, Plesk Firewall cannot make any changes in these chains.
There is an internal request with ID PPPM-9222 to improve Plesk Firewall in one of the future Plesk updates.
Resolution
As a workaround, add the following rules to iptables manually, remove the Plesk Firewall extension and, until the fix is available, manage firewall rules manually:
Note: The examples below are provided for IPv4. To manipulate IPv6 firewall rules, use ip6tables, ip6tables-save and ip6tables-restore instead.
- Connect to the server using SSH.
- Add the rule to the DOCKER-USER chain, which is checked first in FORWARD.
  To deny access from the public network without exceptions:
  # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport <DOCKER_CONTAINER_PORT> -j DROP
  Where <DOCKER_CONTAINER_PORT> should be replaced with the appropriate container port number. For example:
  # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport 6379 -j DROP
  To deny access from the public network except from specific IP addresses:
  # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport <DOCKER_CONTAINER_PORT> -j DROP
  # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport <DOCKER_CONTAINER_PORT> -s <ALLOWED_IPS> -j ACCEPT
  Where <DOCKER_CONTAINER_PORT> should be replaced with the appropriate container port number and <ALLOWED_IPS> with the appropriate IP addresses. Because -I inserts at the top of the chain, the DROP rule is added first so that the ACCEPT rule inserted afterwards ends up above it. For example:
  # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport 6379 -j DROP
  # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport 6379 -s 203.0.113.2,192.0.2.2 -j ACCEPT
- Remove the Firewall extension by referring to this article.
  Warning: Disabling firewall rules management in Plesk Firewall will remove all existing firewall rules.
- Save the iptables rules to the file system as follows:
  CentOS/RHEL-based distributions
  - Connect to the server via SSH.
  - Run the following to save firewall rules and load them on server startup:
    # service iptables save
    Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
    # service ip6tables save
    Saving firewall rules to /etc/sysconfig/ip6tables: [ OK ]
  Debian/Ubuntu-based distributions
  - Connect to the server via SSH.
  - Install the iptables-persistent package to load firewall rules on server startup:
    # apt-get install iptables-persistent
  - Save the rules to the filesystem:
    # netfilter-persistent save
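The DROP-then-ACCEPT pattern from the steps above, scripted end to end as an added example that is not part of the Plesk article: it prints the DOCKER-USER rule specs in insertion order, applies them idempotently, and checks an `iptables -S DOCKER-USER` listing for the ordering that makes the allow-list effective. The function names and the splitting of <ALLOWED_IPS> into one rule per source are my own; 172.17.0.2 and 6379 are the article's example container address and port.

```shell
#!/bin/sh
# Added example, not from the Plesk article: scripts the article's DOCKER-USER
# workaround and checks the resulting chain order. Function names are my own;
# 172.17.0.2 and 6379 are the article's example container address and port.

# Print rule specifications (the part after "iptables -I DOCKER-USER"), one per
# line, in the order they must be inserted. -I inserts at the top of the chain,
# so the DROP goes in first and every ACCEPT inserted afterwards lands above it;
# inserted the other way round the DROP would shadow the ACCEPTs.
docker_user_rule_specs() {
    ip="$1"; port="$2"; allowed="$3"
    echo "-d $ip -p tcp --dport $port -j DROP"
    [ -n "$allowed" ] || return 0
    # One ACCEPT per allowed source; a comma list works with -I but not with
    # the -C existence check used below.
    (IFS=','; for src in $allowed; do
        echo "-d $ip -p tcp --dport $port -s $src -j ACCEPT"
    done)
}

# Insert the rules idempotently: -C reports whether an identical rule already
# exists, so re-running after a container restart does not stack duplicates.
# Needs root and iptables; not exercised by the checks below.
apply_docker_user_rules() {
    docker_user_rule_specs "$@" | while read -r spec; do
        # shellcheck disable=SC2086  # word-splitting $spec is intended
        iptables -C DOCKER-USER $spec 2>/dev/null || iptables -I DOCKER-USER $spec
    done
}

# Read an `iptables -S DOCKER-USER` listing on stdin; succeed only when a DROP
# for the port exists and no ACCEPT for that port sits below it (rules match
# top to bottom, so an ACCEPT placed after the DROP never fires).
docker_user_port_is_restricted() {
    awk -v port="$1" '
        $0 ~ ("--dport " port "( |$)") {
            if (/-j ACCEPT$/ && seen_drop) misordered = 1
            if (/-j DROP$/) seen_drop = 1
        }
        END { if (seen_drop && !misordered) exit 0; exit 1 }'
}

# Usage as root:
#   apply_docker_user_rules 172.17.0.2 6379 203.0.113.2,192.0.2.2
#   iptables -S DOCKER-USER | docker_user_port_is_restricted 6379 && echo restricted
```

Addresses on Docker's default bridge are assigned when a container starts, so re-run the apply step after a container is recreated and confirm with the listing check that the rules still point at the right address.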
Comments
2 comments
A workaround would be to bind the Docker container to localhost as explained here. That example by WebHostingAce shows how to bind Redis to accept only local connections. It would still be nice if Plesk Firewall could be used instead, but this workaround is very nice.
Redis example from here:
This is not a helpful solution, I don't want to delete the firewall extension :/
Either you must give an appropriate solution or work on PPPM-9222.