Netfilter bans itself when natting another outgoing ip

[Littlericket]

Hi,

to change the outgoing ip from the mailcow service, instead of using the host's outgoing ip, i've natted the mailcow subnet with iptables -t nat -I POSTROUTING -s 172.22.1.0/24 -j SNAT --to 136.243.102.XXX

This works as far as I can see, the containers talk with another outgoing IP adress (curl/wget www.myip.ch). Issue is now, that the netfilter logs show that he ban's himself:

Is there any chance to actually disable this behaviour for one IP / Subnet only except for disabling the netfilter completely?

      image: mailcow/unbound:1.1
      image: mariadb:10.2
      image: redis:alpine
      image: mailcow/clamd:1.9
      image: mailcow/rspamd:1.17
      image: mailcow/phpfpm:1.12
      image: mailcow/sogo:1.20
      image: mailcow/dovecot:1.24
      image: mailcow/postfix:1.14
      image: memcached:alpine
      image: nginx:mainline-alpine
      image: mailcow/acme:1.28
      image: mailcow/netfilter:1.12
      image: mailcow/watchdog:1.14
      image: mailcow/dockerapi:1.11
      image: robbertkl/ipv6nat

[Littlericket]

I havent seen the new option "SNAT_TO_SOURCE". My bad.

[andryyy]

:-) This is not an issue with this option anymore?

[Littlericket]

No. Works so far. I've natted the outgoing IP with iptables to extend the docker chain. I haven't checked mailcow.conf, since I needed that before the new option was available.

[Littlericket]

I have to reopen the issue. The netfilter is still banning the outgoing ip ...

[Littlericket]

Hi,

temporary fixed this by adding the SNAT IP to the netfilter whitelist. Maybe this should be persistent if the SNAT_TO_SOURCE is given?

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.