Applicable to:
- Plesk for Linux
Symptoms
- Plesk Firewall is enabled on the server.
- A Docker container is created and mapped to some port (for example, a Redis container with port mapping 6379 -> 6379).
- Deny rules (for incoming, outgoing, forwarding) created in Plesk Firewall do not block connections to port 6379 from outside.
Cause
According to the Docker documentation, Docker installs two custom iptables chains named DOCKER-USER and DOCKER, and it ensures that incoming packets are always checked by these two chains first. Plesk Firewall, however, cannot make any changes in these chains, so its deny rules are evaluated only after Docker has already accepted the forwarded traffic. There is an internal request with ID PPPM-9222 to improve Plesk Firewall in one of the future Plesk updates.
Resolution
As a workaround, add the following rules to iptables manually, remove the Plesk Firewall extension and, until the fix is available, manage the firewall rules manually:
Note: The examples below are given for IPv4. To manage IPv6 firewall rules, use ip6tables, ip6tables-save and ip6tables-restore instead.
- Connect to the server using SSH.
- Add the rule to the DOCKER-USER chain, which is checked first in FORWARD:
  - To deny access from the public network without exceptions:
    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport <DOCKER_CONTAINER_PORT> -j DROP
    Where <DOCKER_CONTAINER_PORT> should be replaced with the appropriate container port number. For example:
    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport 6379 -j DROP
  - To deny access from the public network except specific IP addresses:
    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport <DOCKER_CONTAINER_PORT> -j DROP
    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport <DOCKER_CONTAINER_PORT> -s <ALLOWED_IPS> -j ACCEPT
    Where <DOCKER_CONTAINER_PORT> should be replaced with the appropriate container port number and <ALLOWED_IPS> with the allowed IP addresses. Keep this order: both rules are inserted at the top of the chain with -I, so the ACCEPT added second ends up above the DROP and is evaluated first. For example:
    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport 6379 -j DROP
    # iptables -I DOCKER-USER -d 172.17.0.2 -p tcp --dport 6379 -s 203.0.113.2,192.0.2.2 -j ACCEPT
- Remove the Firewall extension by referring to this article.
  Warning: Disabling firewall rules management in Plesk Firewall will remove all existing firewall rules.
- Save the iptables rules to the file system as follows:
  CentOS/RHEL-based distributions
  - Connect to the server via SSH.
  - Run the following to save the firewall rules and load them on server startup:
    # service iptables save
    Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
    # service ip6tables save
    Saving firewall rules to /etc/sysconfig/ip6tables: [ OK ]
  Debian/Ubuntu-based distributions
  - Connect to the server via SSH.
  - Install the iptables-persistent package to load firewall rules on server startup:
    # apt-get install iptables-persistent
  - Save the rules to the filesystem:
    # netfilter-persistent save
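A defender-side check for the workaround above, added here as an example that is not part of the Plesk article: it parses an `iptables-save` dump and reports whether the DOCKER-USER DROP for a container port sits above the chain's default unconditional RETURN, which ACCEPT exceptions are actually evaluated before the DROP, and which ACCEPTs are shadowed below it. It assumes the container address 172.17.0.2 and port 6379 from the article; the dump is constructed, not captured from a server.

```python
import re

# Constructed `iptables-save` excerpt after both article rules were applied with
# -I: the ACCEPT was inserted last, so it sits above the DROP (as it must).
SAMPLE_DUMP = """\
*filter
-A DOCKER-USER -s 203.0.113.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER-USER -d 172.17.0.2/32 -p tcp -m tcp --dport 6379 -j DROP
-A DOCKER-USER -j RETURN
COMMIT
"""
RULE_RE = re.compile(r"^-A DOCKER-USER(?:\s+(.*))?$")


def parse_docker_user_rules(dump):
    """Filter-table DOCKER-USER rules in evaluation order, as option->value dicts."""
    rules, table = [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]  # only the filter table holds DOCKER-USER
            continue
        m = RULE_RE.match(line) if table == "filter" else None
        if not m:
            continue
        toks, rule, i = (m.group(1) or "").split(), {}, 0
        while i < len(toks):  # "-s 1.2.3.4" -> {'-s': '1.2.3.4'}; bare flags -> True
            has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            rule[toks[i]] = toks[i + 1] if has_val else True
            i += 2 if has_val else 1
        rules.append(rule)
    return rules


def audit_port(dump, container_ip, port):
    """Is container_ip:port DROPped before DOCKER-USER's unconditional RETURN, which
    sources pass via ACCEPTs above the DROP, and which ACCEPTs are shadowed below it?"""
    drop_at, return_at, accepts = None, None, []
    for idx, r in enumerate(parse_docker_user_rules(dump)):
        if r == {"-j": "RETURN"} and return_at is None:
            return_at = idx  # rules after this point are never evaluated
        if r.get("--dport") != str(port) or r.get("-d", "").split("/")[0] != container_ip:
            continue
        if r.get("-j") == "DROP" and drop_at is None:
            drop_at = idx
        elif r.get("-j") == "ACCEPT":
            accepts.append((idx, r.get("-s", "0.0.0.0/0")))
    protected = drop_at is not None and (return_at is None or drop_at < return_at)
    return {"protected": protected,
            "allowed": [s for i, s in accepts if protected and i < drop_at],
            "shadowed": [s for i, s in accepts if drop_at is not None and i > drop_at]}
```

Feed it the real `iptables-save` output after a reboot or Plesk update, when the comments below report the rules disappearing; a DROP appended with -A instead of -I lands below the default RETURN and is reported as unprotected.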
Comments
36 comments
Can confirm that on Plesk Onyx 17.8.11 Update #35 the problem occurs. The iptables should not be changed via shell since they are overwritten, as mentioned in the Preview function.
Is there any other way to deny Docker-managed ports from external access?
Hi @Francis,
Have you tried to add a rule to precisely block the specific Docker port via Plesk Firewall?
Try it out and let me know in case it works.
Hi @Alexandr
How do we add this to Plesk Firewall? I tried, but it doesn't seem to work.
Hello @Dumith,
Detailed instruction on how to use Plesk firewall may be found here.
Please note that the issue from this article is still not resolved. So in case you have faced this issue, you will need to use the workaround from the article (SSH access will be required).
Hi,
How can we make this permanent for now? Tried Plesk Firewall. It's not working.
Every time Plesk Panel updates/restarts or the server restarts, port 6379 becomes open. Huge problem, as hackers attack Redis. Many servers are running Redis.
Thank you.
Hello @Dumith,
>> How can we make this permanent for now? Tried Plesk Firewall. Its not working.
Until the bug is fixed, there is currently no permanent solution in Plesk Firewall. It is necessary to add firewall rules into iptables manually as described in the workaround.
iptables resets to default settings after a server reboot. Here are examples of how to save iptables rules permanently for different OSes:
CentOS 7 - https://serverfault.com/questions/626521/centos-7-save-iptables-settings
For Debian/Ubuntu - https://www.thomas-krenn.com/en/wiki/Saving_Iptables_Firewall_Rules_Permanently
It also seems to restart docker or at least the containers every time you apply the firewall rules. This bug can result in big security issues without continuous and proper attention, it should be solved/hotfixed immediately.
@Imre,
I believe it is not needed to restart the container. The issue is inside the iptables module only. Docker forward rules are placed higher than Plesk Firewall's rules and the following occurs:
1. A request comes to port 6379
2. The forward rule is executed
3. The request goes further according to this rule and totally ignores the Drop rule, which is located after the forward rule.
So, a restart of the container has no influence in that case.
The bug already has Major priority and we are working on the fix. Please follow this article to be notified once the fix becomes available. Until then, please use the workaround described in the article.
I meant that whenever I apply new rules to the Plesk firewall Docker is restarted automatically, every container I have restarts except for the ones that do not have the --restart=always option, and I have several containers that are not autostarted, which means that I have to manually start those containers every time I change firewall rules.
@Imre Szalai
Thank you for the clarification! I suppose you've hit the bug from the following article:
https://support.plesk.com/hc/en-us/articles/360000515754-Docker-loses-the-connection-when-Plesk-Firewall-rules-were-modified
It is being investigated by our development team, so the fix should become available in the next updates. Please follow this article to receive a notification when the bug is fixed.
Hi,
I'm the one who informed the Plesk team about this bug on Sep 5, 2018. I was expecting Plesk to take immediate action, as there will be many Plesk users affected by this bug, but still nothing.
https://talk.plesk.com/threads/docker-redis-and-plesk-firewall.349395/
Hello @Priyan A,
Thank you for the feedback. Indeed, the Plesk Development team was concentrated on other, more critical bugs and new functionality.
There is no exact ETA for the bug in question, but it is planned to be fixed in one of the future Plesk releases.
Until a fix becomes available, please, use the workaround from this article.
Hi @Ivan Postnikov,
The problem with this workaround is that it does NOT explain to the user that the port will be re-opened almost every time Plesk updates or the server restarts.
Hello @Priyan A,
Thank you for pointing out that matter.
In order to avoid losing rules after iptables restart, it is required to save the rules:
https://support.plesk.com/hc/en-us/articles/213404549-Firewall-rules-disappeared-after-restarting-iptables
I added the additional step to the resolution.
https://talk.plesk.com/threads/plesk-docker-redis-plesk-firewall-open-port-issue.352324/
Any updates on this issue?
Hello @Priyan A,
Thank you for your input!
We really appreciate it.
Hello @Nils,
Thank you for your question.
There is no exact ETA for the bug in question, but it is planned to be fixed in one of the future Plesk releases.
Please subscribe to the article to be notified when the bug is fixed.
Hi @Nils
I have solved this issue by binding the Redis Docker container to localhost.
Please follow my instructions in the URL I posted above.
I managed to solve the issue after a long search.
Run the Docker daemon with the argument --iptables=false; then Docker will not append its own rules into the firewall. This implies that only your custom rules created via PSA-firewall can manage the traffic.
Hi @Vladimir Pereskokov,
Thank you for sharing your resolution!
I am sure other users will find it useful!
The solution from @Priyan A is working. After a server restart, too.
Hi @Vladimir Pereskokov,
Thank you for sharing your solution!
I didn't find how to pass arguments to the Docker daemon.
Is it possible to pass some arguments when starting a Docker container via Plesk?
Thanks in advance for any suggestion.
Hi @Marc Druilhe
You need to have admin permissions and pass the arguments to the Docker daemon in the exec line of its systemd unit, like this:
ExecStart=/usr/bin/dockerd --iptables=false -H fd:// --containerd=/run/containerd/containerd.sock
or
append iptables:false into /etc/docker/daemon.json
Hi Vladimir Pereskokov
Thanks a lot for your help. It just worked fine for me!
For Plesk/Linux dummies like me, I just:
1. stopped Docker (stopped all containers, then ran: service docker stop)
2. edited /etc/systemd/system/docker.service as per Vladimir's advice.
3. restarted Docker: service docker start
Vladimir Pereskokov
Thanks! This was my first experience with Docker and I was shocked that it edits the iptables by default.
I have created the /etc/docker/daemon.json file with:
And then restarted the docker service
This prevented Docker from recreating the iptables rules.
For people who are not that experienced: you can find the Docker iptables rules with the following command
And you can delete them by using line numbers, for example
@JorgB you're welcome)
But I want you to notice the command:
It will work until the first reboot, and then all default iptables rules will be restored. To avoid it you need to save the current iptables configuration (e.g. iptables-save > iptables-config.txt) and restore it during startup (iptables-restore < iptables-config.txt).
And you need to keep in mind that iptables will display rules only from the filter table by default. In order to display other tables, use the commands below.
For example:
iptables --list DOCKER -t mangle
iptables --list DOCKER -t nat
...
I think changing daemon.json is not an acceptable solution. At the moment I prefer to use iptables rules like:
iptables -I DOCKER-USER -i eth0 -j DROP
iptables -I DOCKER-USER -i eth0 -s <ip1>,<ip2>,<ip3>,<ip4> -j ACCEPT
as proposed by Docker.
When the Plesk Firewall allows adding rules in any iptables chain, the problem will be solved.
Is there any progress on this bug?
Since Docker containers are quite popular, it would be good if the Plesk Firewall could handle this...