Plesk Firewall deny rules do not block connections to Docker container

Comments

28 comments

  • Francis

    Can confirm that on Plesk Onyx 17.8.11 Update #35 the problem occurs. iptables should not be changed via the shell, since it is overwritten, as mentioned in the Preview function.
    Is there any other way to deny Docker-managed ports from external access?

    1
  • Alexandr Redikultsev

    Hi @Francis,

    Have you tried adding a rule to precisely block the specific Docker port via Plesk Firewall?

    Try it out and let me know in case it works.

    0
  • Dumith

    Hi @Alexandr

    How do we add this to Plesk Firewall? I tried, but it doesn't seem to work.

    0
  • Ivan Postnikov

    Hello @Dumith,

    Detailed instructions on how to use Plesk Firewall can be found here.

    Please note that the issue from this article is still not resolved. So in case you have faced this issue, you will need to use the workaround from the article (SSH access will be required).

    0
  • Dumith (Edited)

    Hi,
    How can we make this permanent for now? Tried Plesk Firewall. It's not working.

    Every time Plesk Panel updates/restarts or the server restarts, port 6379 becomes open. This is a huge problem, as hackers attack Redis. Many servers are running Redis.

    Thank you.

    0
  • Ivan Postnikov

    Hello @Dumith,

    >> How can we make this permanent for now? Tried Plesk Firewall. It's not working.
    Until the bug is fixed, there is no permanent solution in Plesk Firewall. It is necessary to add firewall rules to iptables manually, as described in the workaround.

    iptables resets to default settings after a server reboot. Here are examples of how to save iptables rules permanently for different OSes:
    CentOS 7 - https://serverfault.com/questions/626521/centos-7-save-iptables-settings
    For Debian/Ubuntu - https://www.thomas-krenn.com/en/wiki/Saving_Iptables_Firewall_Rules_Permanently

    0
  • Imre Szalai

    It also seems to restart Docker, or at least the containers, every time you apply the firewall rules. This bug can result in big security issues without continuous and proper attention; it should be solved/hotfixed immediately.

    1
  • Konstantin Annikov

    @Imre, 

    I believe it is not necessary to restart the container. The issue is inside the iptables module only. Docker's Forward rules are placed higher than Plesk Firewall's rules, and the following occurs:

    1. A request comes to port 6379
    2. The Forward rule is executed
    3. The request goes further according to this rule and totally ignores the Drop rule, which is located after the Forward rule

    So, restarting the container has no influence in that case.

    The bug already has Major priority and we are working on the fix. Please follow this article to be notified once the fix becomes available. Until then, please use the workaround described in the article.

    2
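An added audit script (not from the thread or from Plesk) for the rule ordering Konstantin describes above; the two chain dumps are constructed, and the only assumption is the standard `iptables -S FORWARD` output format:

```shell
#!/bin/sh
# Added example (not from the thread): audit the FORWARD chain ordering Konstantin
# describes. SAMPLE_* are constructed `iptables -S FORWARD` dumps; on a real host
# call: forward_drop_shadowed "$(iptables -S FORWARD)" 6379

# Constructed dump of the bug: the DROP for 6379 was appended after the jump into
# Docker's own chain, so a request to 6379 is forwarded before the DROP is reached.
SAMPLE_SHADOWED='-P FORWARD ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 6379 -j DROP'

# Constructed dump after the workaround: the DROP was inserted at position 1
# (iptables -I FORWARD 1 ...), so it is evaluated before any Docker rule.
SAMPLE_FIXED='-P FORWARD ACCEPT
-A FORWARD -p tcp -m tcp --dport 6379 -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER'

# rule_pos DUMP REGEX -> 1-based index of the first -A rule matching REGEX, or 0.
rule_pos() {
    n=$(printf '%s\n' "$1" | grep '^-A ' | grep -nE -- "$2" | head -n 1 | cut -d: -f1)
    printf '%s\n' "${n:-0}"
}

# forward_drop_shadowed DUMP PORT -> exit 0 (true) when a DROP for PORT exists but
# the jump into Docker's chain (-j DOCKER) sits above it; exit 1 otherwise.
forward_drop_shadowed() {
    drop=$(rule_pos "$1" "--dport $2 .*-j DROP")
    dock=$(rule_pos "$1" '-j DOCKER$')
    [ "$drop" -gt 0 ] && [ "$dock" -gt 0 ] && [ "$dock" -lt "$drop" ]
}

# Self-check when run directly.
if forward_drop_shadowed "$SAMPLE_SHADOWED" 6379; then
    echo "bug: DROP for 6379 sits below Docker's jump (rule $(rule_pos "$SAMPLE_SHADOWED" '-j DOCKER$'))"
fi
if ! forward_drop_shadowed "$SAMPLE_FIXED" 6379; then
    echo "ok: DROP for 6379 is evaluated before Docker's rules"
fi
```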
  • Imre Szalai

    I meant that whenever I apply new rules to the Plesk firewall, Docker is restarted automatically. Every container I have restarts, except for the ones that do not have the --restart=always option, and I have several containers that are not autostarted, which means that I have to manually start those containers every time I change firewall rules.

    0
  • Alisa Kasyanova

    @Imre Szalai
    Thank you for the clarification! I suppose you've hit the bug from the following article:
    https://support.plesk.com/hc/en-us/articles/360000515754-Docker-loses-the-connection-when-Plesk-Firewall-rules-were-modified
    It is being investigated by our development team, so the fix should become available in the next updates. Please follow this article to receive a notification when the bug is fixed.

    1
  • Priyan A

    Hi,

    I'm the one who informed the Plesk team about this bug on Sep 5, 2018. I was expecting Plesk to take immediate action, as there will be many Plesk users affected by this bug, but still nothing.

    1
  • Ivan Postnikov

    Hello @Priyan A,

    Thank you for the feedback. Indeed, the Plesk development team was concentrating on other, more critical bugs and new functionality.

    There is no exact ETA for the bug in question, but it is planned to be fixed in one of the future Plesk releases.

    Until a fix becomes available, please, use the workaround from this article.

    -2
  • Priyan A

    Hi @Ivan Postnikov,

    The problem with this workaround is that it does NOT explain to the user that the port will be re-opened almost every time Plesk updates or the server restarts.

    1
  • Vladimir Chernikov

    Hello @Priyan A,

    Thank you for pointing that out.

    In order to avoid losing rules after iptables restart, it is required to save the rules:
    https://support.plesk.com/hc/en-us/articles/213404549-Firewall-rules-disappeared-after-restarting-iptables 

    I added the additional step to the resolution.

    0
  • Nils

    Any updates on this issue?

    0
  • Daria Gavrilova

    Hello @Priyan A,

    Thank you for your input!
    We really appreciate it.

    0
  • Daria Gavrilova

    Hello @Nils,

    Thank you for your question.

    There is no exact ETA for the bug in question, but it is planned to be fixed in one of the future Plesk releases.
    Please subscribe to the article to be notified when the bug is fixed.

    2
  • Priyan A

    Hi @Nils

    I have solved this issue by binding the Redis Docker container to localhost.

    Please follow my instructions in the URL I posted above.

    0
  • Vladimir Pereskokov

    I managed to solve the issue after a long search.

    Run the Docker daemon with the argument --iptables=false; then Docker will not append its own rules to the firewall. This implies that only your custom rules created via PSA-firewall will manage the traffic.

    0
  • Nikita Nikushkin

    Hi @Vladimir Pereskokov,

    Thank you for sharing your resolution!

    I am sure other users will find it useful!

    0
  • Nils

    The solution from @Priyan A is working. After a server restart, too.

    0
  • Marc Druilhe

    Hi @Vladimir Pereskokov,

    Thank you for sharing your solution!

    I didn't find how to pass arguments to the Docker daemon.

    Is it possible to pass some arguments when starting a Docker container via Plesk?

    Thanks in advance for any suggestion.

    0
  • Vladimir Pereskokov

    Hi @Marc Druilhe

    You need to have admin permissions and pass the arguments to the Docker daemon via the systemd unit's exec line, like this:

    ExecStart=/usr/bin/dockerd --iptables=false -H fd:// --containerd=/run/containerd/containerd.sock

    or

    add "iptables": false to /etc/docker/daemon.json

    0
  • Marc Druilhe

    Hi Vladimir Pereskokov

    Thanks a lot for your help. It just worked fine for me !

    For Plesk/Linux dummies like me, I just:

    1. stopped Docker (stopped all containers, then ran: service docker stop)

    2. edited /etc/systemd/system/docker.service as per Vladimir's advice.

    3. restarted Docker: service docker start

    0
  • JorgB

    Vladimir Pereskokov

    Thanks! This was my first experience with Docker, and I was shocked that by default it edits iptables.

    I have created the /etc/docker/daemon.json file with:

    {
      "iptables" : false
    }

    And then restarted the docker service

    service docker restart

    This prevented Docker from recreating the iptables rules.

    For people who are not that experienced: you can find the Docker iptables rules with the following command

    iptables --list DOCKER

    And you can delete them by using line numbers, for example

    iptables -D DOCKER 1

    1
  • Vladimir Pereskokov (Edited)

    @JorgB you're welcome)

    But I want you to note the command:

    iptables -D DOCKER 1

    It will work until the first reboot, and then all default iptables rules will be restored. To avoid this, you need to save the current iptables configuration (e.g. iptables-save > iptables-config.txt) and restore it during startup (iptables-restore < iptables-config.txt).

    And you need to keep in mind that iptables displays rules only from the filter table by default. In order to display other tables, use the commands below.

    For example:

    iptables --list DOCKER -t mangle

    iptables --list DOCKER -t nat

    ...

    0