How to configure Plesk Firewall rules on Linux
Learn to manage Plesk's built-in firewall, create custom rules, and secure your server against unauthorized access using the Plesk Control Panel.
You will learn how to manage the built-in firewall directly from the Plesk Control Panel to control incoming traffic and block malicious IPs. These steps apply to Plesk Obsidian 18.x running on AlmaLinux 9, Rocky Linux 9, Ubuntu 24.04, or Debian 12.
Prerequisites
- Access to the Plesk Control Panel (admin or reseller account).
- A Linux server running Plesk Obsidian 18.x or newer.
- Root or an account with Plesk Administrator privileges.
- A static IP address or a specific IP to block (if configuring a block rule).
Step 1: Access the Firewall Settings
Log in to your Plesk Control Panel and navigate to the Tools & Settings section to locate the firewall management interface. Click on the Firewall item to open the main configuration page where you can view active rules and add new ones.
Tools & Settings > Firewall
You will see a list of current rules on the left side of the interface. The right side displays the active status and the source IP ranges allowed or denied.
Step 2: Add a New Allow Rule
Click the Add rule button to create a new entry for a specific service or IP range. Select the protocol (TCP or UDP) and the port number you wish to open, such as port 80 for HTTP or 443 for HTTPS.
Choose whether to allow traffic from all sources or restrict it to a specific IP address or subnet. Enter the source IP address in the Source IP field if you want to limit access to a single client.
Protocol: TCP
Port: 80
Source IP: 0.0.0.0/0 (Allow all) or 192.168.1.5/32 (Specific IP)
Click Save to apply the changes. The rule will immediately appear in the list of active firewall entries.
Step 3: Add a Block Rule for Malicious IPs
To block a specific IP address that is attempting unauthorized access, click the Add rule button again. Select the Deny option from the action dropdown menu to drop incoming packets from that source.
Enter the IP address of the attacker or the malicious botnet source in the Source IP field. Ensure you select the correct protocol and port if you only want to block specific traffic types.
Action: Deny
Protocol: TCP
Port: All
Source IP: 45.33.32.156/32
Save the configuration. Plesk will automatically update the iptables or firewalld backend to drop packets matching this rule.
Step 4: Configure Port Forwarding
If you need to forward traffic from an external IP to an internal service, click the Add rule button and select Port Forwarding. Specify the external port and the internal port you want to redirect.
Set the destination IP to the local server IP where the service is running. This is useful for running a local development server or a specific application behind the main web server.
External Port: 8080
Internal Port: 80
Destination IP: 127.0.0.1
Save the rule. Traffic arriving on port 8080 will now be redirected to port 80 on the local machine.
Step 5: Manage Default Policies
Review the default policy settings at the top of the firewall page. Ensure that the default policy for incoming connections is set to Deny to follow the principle of least privilege.
Click the Edit button next to the Incoming connections policy to change the default behavior. Set it to Deny if you want to block all traffic unless explicitly allowed by a rule.
Save the changes. This step is critical for hardening the server against unknown threats.
Verify the installation
Open a new terminal session on the server and use the command line to check if the firewall rules are active. Run the following command to list the current iptables rules:
sudo iptables -L -n
You will see a list of chains and rules. Look for the INPUT chain and verify that the ports you configured in Plesk appear in the rule list. If the rules are missing, check the Plesk service status with systemctl status plesk-firewall.
Troubleshooting
Error: "Rule not applied to iptables"
If you create a rule in Plesk but it does not appear in the iptables output, check the Plesk service status. Run systemctl status plesk-firewall to see if the service is active. Restart the service with systemctl restart plesk-firewall if necessary.
Error: "Port still blocked after adding allow rule"
Ensure the default policy is set to Deny. If the default policy is Accept, new rules might be ignored. Verify the default policy in the Plesk Firewall settings and restart the service after making changes.
Error: "Cannot block IP address"
Check if the IP address is a loopback address or a reserved range. Plesk may ignore rules for invalid IP formats. Also, ensure the IP is not part of the trusted network range configured in the Plesk installation.
Firewall not starting automatically
If the firewall service fails to start on boot, check the systemd unit file. Run systemctl enable plesk-firewall to ensure the service starts automatically after a reboot. Verify the dependency on the network service is configured correctly.
Rule priority issues
Plesk applies rules in the order they are listed. If a Deny rule appears after an Allow rule for the same port, the Allow rule will take precedence. Reorder the rules in the Plesk interface to ensure Deny rules for specific IPs appear before general Allow rules.
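The check from "Verify the installation" and the ordering rule above can be automated. The following is an added example, not part of the original guide or of Plesk: a POSIX shell function that reads iptables -S INPUT output and checks the default policy, the allow rule for port 80, and that the deny rule for the example IP is listed before it. The function name and both rulesets are constructed for illustration; rules generated by Plesk on a real server may be laid out differently.

```shell
#!/bin/sh
# Added example: audit `iptables -S INPUT` output (stdin) against this guide's rules.
# Live use (assumed invocation): sudo iptables -S INPUT | audit_input 80 45.33.32.156/32

audit_input() {  # $1 = port that must be open, $2 = source CIDR that must be denied
  awk -v port="$1" -v bad="$2" '
    # Value following an option such as -s or --dport on this rule, "" if absent.
    function opt(name,   i) {
      for (i = 1; i < NF; i++) if ($i == name) return $(i + 1)
      return ""
    }
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 == "-A" && $2 == "INPUT" {
      n++; src = opt("-s"); dport = opt("--dport"); target = opt("-j")
      anysrc = (src == "" || src == "0.0.0.0/0")
      # Remember the position of the first matching deny and allow rules.
      if (!deny && src == bad && (target == "DROP" || target == "REJECT")) deny = n
      if (!allow && anysrc && dport == port && target == "ACCEPT") allow = n
    }
    END {
      rc = 0
      if (policy != "DROP") { print "FAIL: INPUT policy is " policy ", expected DROP"; rc = 1 }
      if (!allow) { print "FAIL: no ACCEPT rule for port " port; rc = 1 }
      if (!deny) { print "FAIL: no DROP/REJECT rule for " bad; rc = 1 }
      else if (allow && deny > allow) {
        print "FAIL: deny rule " deny " is listed after allow rule " allow; rc = 1
      }
      if (!rc) print "OK"
      exit rc
    }'
}

sample_good() {  # constructed ruleset: deny listed before the general allow
  printf '%s\n' '-P INPUT DROP' \
    '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
    '-A INPUT -s 45.33.32.156/32 -p tcp -j DROP' \
    '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
}
sample_bad() {   # constructed ruleset: permissive policy, deny listed too late
  printf '%s\n' '-P INPUT ACCEPT' \
    '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT' \
    '-A INPUT -s 45.33.32.156/32 -p tcp -j DROP'
}

echo "good ruleset:"; sample_good | audit_input 80 45.33.32.156/32
echo "bad ruleset:";  sample_bad  | audit_input 80 45.33.32.156/32 || true
```

The function exits non-zero on any failed check, so it can gate a configuration-management run or a monitoring probe.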
Checking logs for blocked connections
To see which IPs were blocked by your rules, check the system logs. Run journalctl -u plesk-firewall -f to watch the logs in real time. Look for entries indicating dropped packets or connection resets.