mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

MAILCOW target is in position 2 in the ip input table, restarting container to fix it... #5798

Closed Dexus closed 4 months ago

Dexus commented 7 months ago

Contribution guidelines

I've found a bug and checked that ...

Description

The problem is that we have a blacklist in front of all other INPUT chains; because of that, the container gets restarted all the time...

Logs:

netfilter-mailcow-1  | MAILCOW target is in position 2 in the ip input table, restarting container to fix it...
netfilter-mailcow-1  | # Warning: table ip filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | # Warning: table ip nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | # Warning: table ip6 filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | # Warning: table ip6 nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | Using NFTables backend
netfilter-mailcow-1  | Clearing all bans
netfilter-mailcow-1  | Initializing mailcow netfilter chain
netfilter-mailcow-1  | Setting MAILCOW isolation
netfilter-mailcow-1  | Watching Redis channel F2B_CHANNEL
netfilter-mailcow-1  | Blacklist was changed, it has 1 entries
netfilter-mailcow-1  | Whitelist was changed, it has 3 entries
netfilter-mailcow-1  | Added host/network 123.456.789.012/24 to blacklist
netfilter-mailcow-1  | MAILCOW target is in position 2 in the ip input table, restarting container to fix it...
netfilter-mailcow-1  | # Warning: table ip filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | # Warning: table ip nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | # Warning: table ip6 filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | # Warning: table ip6 nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | Using NFTables backend
netfilter-mailcow-1  | Clearing all bans
netfilter-mailcow-1  | Initializing mailcow netfilter chain
netfilter-mailcow-1  | Setting MAILCOW isolation
netfilter-mailcow-1  | Watching Redis channel F2B_CHANNEL
netfilter-mailcow-1  | Blacklist was changed, it has 1 entries
netfilter-mailcow-1  | Whitelist was changed, it has 3 entries
netfilter-mailcow-1  | Added host/network 123.456.789.012/24 to blacklist
netfilter-mailcow-1  | MAILCOW target is in position 2 in the ip input table, restarting container to fix it...
netfilter-mailcow-1  | # Warning: table ip filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | # Warning: table ip nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | # Warning: table ip6 filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | # Warning: table ip6 nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | Using NFTables backend
netfilter-mailcow-1  | Clearing all bans
netfilter-mailcow-1  | Initializing mailcow netfilter chain
netfilter-mailcow-1  | Setting MAILCOW isolation
netfilter-mailcow-1  | Watching Redis channel F2B_CHANNEL
netfilter-mailcow-1  | Blacklist was changed, it has 1 entries
netfilter-mailcow-1  | Whitelist was changed, it has 3 entries
netfilter-mailcow-1  | Added host/network 123.456.789.012/24 to blacklist
netfilter-mailcow-1  | MAILCOW target is in position 2 in the ip input table, restarting container to fix it...
netfilter-mailcow-1  | # Warning: table ip filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | # Warning: table ip nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | # Warning: table ip6 filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | # Warning: table ip6 nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | Using NFTables backend
netfilter-mailcow-1  | Clearing all bans
netfilter-mailcow-1  | Initializing mailcow netfilter chain
netfilter-mailcow-1  | Setting MAILCOW isolation
netfilter-mailcow-1  | Watching Redis channel F2B_CHANNEL
netfilter-mailcow-1  | Blacklist was changed, it has 1 entries
netfilter-mailcow-1  | Added host/network 123.456.789.012/24 to blacklist
netfilter-mailcow-1  | Whitelist was changed, it has 3 entries

Steps to reproduce:

Use a blacklist like crowdsec or ufw or whatever that sets DROP at position 1

Which branch are you using?

master

Which architecture are you using?

x86

Operating System:

Ubuntu 22.04 LTS

Server/VM specifications:

8GB / 2CPU

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

KVM

Docker version:

25.0.5

docker-compose version or docker compose version:

v2.25.0

mailcow version:

2024-02

Reverse proxy:

Nginx

Logs of git diff:

git diff origin/master
diff --git a/data/Dockerfiles/netfilter/Dockerfile b/data/Dockerfiles/netfilter/Dockerfile
index 8a561f06..d9f3cf7e 100644
--- a/data/Dockerfiles/netfilter/Dockerfile
+++ b/data/Dockerfiles/netfilter/Dockerfile
@@ -26,6 +26,7 @@ RUN apk add --virtual .build-deps \
 && pip3 install --ignore-installed --upgrade pip \
   jsonschema \
   python-iptables \
+  requests \
   redis \
   ipaddress \
   dnspython \
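Review bot: `requests` is added to the pip install list, so the netfilter image has to be rebuilt (for example `docker compose build netfilter-mailcow`) before the `import requests` added to main.py can resolve; a container started from the old image will fail at import time. The entry is unpinned like its neighbours, which is consistent with the rest of the list, and `json`, which the new main.py code also uses, is standard library and needs no entry here.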
diff --git a/data/Dockerfiles/netfilter/main.py b/data/Dockerfiles/netfilter/main.py
index c3ca379c..22264150 100644
--- a/data/Dockerfiles/netfilter/main.py
+++ b/data/Dockerfiles/netfilter/main.py
@@ -7,6 +7,7 @@ import time
 import atexit
 import signal
 import ipaddress
+import requests^M
 from collections import Counter
 from random import randint
 from threading import Thread
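Review bot: `+import requests^M` ends with a carriage return while the surrounding lines are LF-only, and every added line in the later hunks carries the same `^M`, so the file ends up with mixed line endings. Python tolerates that, but it makes every future diff of main.py noisy; normalize with `dos2unix data/Dockerfiles/netfilter/main.py` (or set `core.autocrlf`) before committing. It is also worth confirming that `json` is already imported further up, since the new code calls `json.loads` and `json.dumps`.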
@@ -158,6 +159,101 @@ def ban(address):
         tables.banIPv6(net)

     r.hset('F2B_ACTIVE_BANS', '%s' % net, cur_time + NET_BAN_TIME)
+    ^M
+    ^M
+    NETBAN_IPV4 = '/' + str(29)^M
+    NETBAN_IPV6 = '/' + str(112)^M
+    net2 = ipaddress.ip_network((address + (NETBAN_IPV4 if type(ip) is ipaddress.IPv4Address else NETBAN_IPV6)), strict=False)^M
+    for sIP in net2.hosts():^M
+      # String holding parameters to pass in json format^M
+      params = {^M
+          'ip':sIP,^M
+          'categories':'11,18,20,21,22',^M
+          'comment':'Attack on multipe Ports and Login'^M
+      }^M
+      response = requests.request(method='POST', url=abusedbip_url, headers=abusedbip_headers, params=params)^M
+      ^M
+      # Formatted output^M
+      decodedResponse = json.loads(response.text)^M
+      print(json.dumps(decodedResponse, sort_keys=True, indent=4))^M
+  else:^M
+    logWarn('%d more attempts in the next %d seconds until %s is banned' % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net))^M
+^M
+def ban2(address):^M
+  global lock^M
+  refreshF2boptions()^M
+  BAN_TIME = int(14400)^M
+  BAN_TIME_INCREMENT = bool(True)^M
+  MAX_ATTEMPTS = int(15)^M
+  RETRY_WINDOW = int(14400)^M
+  NETBAN_IPV4 = '/' + str(24)^M
+  NETBAN_IPV6 = '/' + str(64)^M
+^M
+  ip = ipaddress.ip_address(address)^M
+  if type(ip) is ipaddress.IPv6Address and ip.ipv4_mapped:^M
+    ip = ip.ipv4_mapped^M
+    address = str(ip)^M
+  if ip.is_private or ip.is_loopback:^M
+    return^M
+^M
+  self_network = ipaddress.ip_network(address)^M
+^M
+  with lock:^M
+    temp_whitelist = set(WHITELIST)^M
+^M
+  if temp_whitelist:^M
+    for wl_key in temp_whitelist:^M
+      wl_net = ipaddress.ip_network(wl_key, False)^M
+      if wl_net.overlaps(self_network):^M
+        logInfo('Address %s is whitelisted by rule %s' % (self_network, wl_net))^M
+        return^M
+^M
+  net = ipaddress.ip_network((address + (NETBAN_IPV4 if type(ip) is ipaddress.IPv4Address else NETBAN_IPV6)), strict=False)^M
+  net = str(net)^M
+^M
+  if not net in bans:^M
+    bans[net] = {'attempts': 0, 'last_attempt': 0, 'ban_counter': 0}^M
+^M
+  bans[net]['attempts'] += 1^M
+  bans[net]['last_attempt'] = time.time()^M
+^M
+  if bans[net]['attempts'] >= MAX_ATTEMPTS:^M
+    cur_time = int(round(time.time()))^M
+    NET_BAN_TIME = BAN_TIME if not BAN_TIME_INCREMENT else BAN_TIME * 2 ** bans[net]['ban_counter']^M
+    logCrit('Banning %s for %d minutes' % (net, NET_BAN_TIME / 60 ))^M
+    if type(ip) is ipaddress.IPv4Address:^M
+      with lock:^M
+        chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'MAILCOW')^M
+        rule = iptc.Rule()^M
+        rule.src = net^M
+        target = iptc.Target(rule, "REJECT")^M
+        rule.target = target^M
+        if rule not in chain.rules:^M
+          chain.insert_rule(rule)^M
+    else:^M
+      with lock:^M
+        chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), 'MAILCOW')^M
+        rule = iptc.Rule6()^M
+        rule.src = net^M
+        target = iptc.Target(rule, "REJECT")^M
+        rule.target = target^M
+        if rule not in chain.rules:^M
+          chain.insert_rule(rule)^M
+    r.hset('F2B_ACTIVE_BANS', '%s' % net, cur_time + NET_BAN_TIME)^M
+    ^M
+    net2 = ipaddress.ip_network((address + (NETBAN_IPV4 if type(ip) is ipaddress.IPv4Address else NETBAN_IPV6)), strict=False)^M
+    for sIP in net2.hosts():^M
+      # String holding parameters to pass in json format^M
+      params = {^M
+          'ip':sIP,^M
+          'categories':'11,18,20,21,22',^M
+          'comment':'Attack on multipe Ports and Login'^M
+      }^M
+      response = requests.request(method='POST', url=abusedbip_url, headers=abusedbip_headers, params=params)^M
+      ^M
+      # Formatted output^M
+      decodedResponse = json.loads(response.text)^M
+      print(json.dumps(decodedResponse, sort_keys=True, indent=4))^M
   else:
     logger.logWarn('%d more attempts in the next %d seconds until %s is banned' % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net))
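Review bot: `for sIP in net2.hosts():` posts one request per address in the banned network, synchronously and with no `timeout=`, from inside the pubsub watcher: with `NETBAN_IPV6 = '/' + str(112)` in ban() that is 65,534 requests per IPv6 ban, and with `'/' + str(64)` in ban2() the loop is effectively endless, so banning stalls on the first IPv6 hit; report the network (or just the triggering `address`) once, pass `str(sIP)` rather than the address object, and give the call a timeout. Several names used by the new code do not appear in this diff: `abusedbip_url` and `abusedbip_headers` are never assigned, and the else-branch added to ban() calls `logWarn(...)` unqualified (ban2 likewise uses `logInfo`/`logCrit`) while the existing code in the context line below uses `logger.logWarn(...)`, so these will raise NameError unless defined elsewhere. ban2() also bypasses the `tables` abstraction that ban() uses (`tables.banIPv6(net)` in the context above) and drives `iptc` directly, which does not take effect on the nftables backend the log at the top of this issue reports ("Using NFTables backend"), and it uses a REJECT target where the MAILCOW chain otherwise holds DROP rules. Finally, ban2 is a copy of ban() with `BAN_TIME`, `MAX_ATTEMPTS`, `RETRY_WINDOW` and the netmasks hard-coded; passing those as parameters to the existing function would avoid maintaining two divergent copies. Minor: "multipe" in the comment string is a typo.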

@@ -250,6 +346,7 @@ def watch():
                 continue
               logger.logWarn('%s matched rule id %s (%s)' % (addr, rule_id, item['data']))
               ban(addr)
+              ban2(addr)^M
     except Exception as ex:
       logger.logWarn('Error reading log line from pubsub: %s' % ex)
       pubsub = None
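Review bot: `ban2(addr)` runs right after `ban(addr)` for every matched log line, so each hit is counted twice under two different `bans` keys (the configured netban in ban() and the hard-coded /24 or /64 in ban2) and can trigger two rounds of outbound reports. Any exception ban2 raises (an undefined name, a failed or hung HTTP request) is caught by the `except Exception as ex:` below, logged as "Error reading log line from pubsub" and answered with `pubsub = None`, which forces a Redis reconnect even though Redis was fine; handle and log errors inside ban2 itself, or fold its reporting step into ban() so a match is processed once and a reporting failure cannot masquerade as a pubsub error.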

Logs of iptables -L -vn:

Chain INPUT (policy ACCEPT 9776 packets, 9442K bytes)
 pkts bytes target     prot opt in     out     source               destination
  166  9556 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set crowdsec-blacklists src
 9803 9443K MAILCOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
   36  1725 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ipsum src
 9776 9442K MAILCOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
33092 7214K MAILCOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
33092 7214K DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
33092 7214K DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
33092 7214K MAILCOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0
27892 6752K ACCEPT     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 2580  168K DOCKER     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
 2620  294K ACCEPT     all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
 2561  167K ACCEPT     all  --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 12000 packets, 9491K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    5   268 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    6   360 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.8           tcp dpt:443
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.11          tcp dpt:8983
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.12          tcp dpt:3306
    6   300 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.8           tcp dpt:80
    2   128 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
 2620  294K DOCKER-ISOLATION-STAGE-2  all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
33092 7214K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
 2620  294K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
33092 7214K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MAILCOW (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            /* mailcow isolation */
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0

Logs of ip6tables -L -vn:

Chain INPUT (policy ACCEPT 1428 packets, 199K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      *       ::/0                 ::/0                 match-set crowdsec6-blacklists src
 1414  198K MAILCOW    all      *      *       ::/0                 ::/0                 /* mailcow */
 1428  199K MAILCOW    all      *      *       ::/0                 ::/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
12563 9751K MAILCOW    all      *      *       ::/0                 ::/0                 /* mailcow */
12620 9756K DOCKER-USER  all      *      *       ::/0                 ::/0
12620 9756K DOCKER-ISOLATION-STAGE-1  all      *      *       ::/0                 ::/0
    0     0 ACCEPT     all      *      docker0  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all      *      docker0  ::/0                 ::/0
    0     0 ACCEPT     all      docker0 !docker0  ::/0                 ::/0
    0     0 ACCEPT     all      docker0 docker0  ::/0                 ::/0
12620 9756K MAILCOW    all      *      *       ::/0                 ::/0
 6377 8959K ACCEPT     all      *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
 3982  268K DOCKER     all      *      br-mailcow  ::/0                 ::/0
 2261  529K ACCEPT     all      br-mailcow !br-mailcow  ::/0                 ::/0
 3950  265K ACCEPT     all      br-mailcow br-mailcow  ::/0                 ::/0

Chain OUTPUT (policy ACCEPT 1408 packets, 172K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::4  tcp dpt:587
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::4  tcp dpt:465
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::4  tcp dpt:25
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:4190
    5   384 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::c  tcp dpt:443
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:995
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::c  tcp dpt:80
   27  2184 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:993
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:143
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:110

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all      docker0 !docker0  ::/0                 ::/0
 2261  529K DOCKER-ISOLATION-STAGE-2  all      br-mailcow !br-mailcow  ::/0                 ::/0
12620 9756K RETURN     all      *      *       ::/0                 ::/0

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all      *      docker0  ::/0                 ::/0
    0     0 DROP       all      *      br-mailcow  ::/0                 ::/0
 2261  529K RETURN     all      *      *       ::/0                 ::/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
12620 9756K RETURN     all      *      *       ::/0                 ::/0

Chain MAILCOW (4 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of iptables -L -vn -t nat:

# $: nft list ruleset

table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                fib daddr type local counter packets 427 bytes 23533 jump DOCKER
        }

        chain INPUT {
                type nat hook input priority 100; policy accept;
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
                ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                ip saddr 172.22.1.0/24 ip daddr != 172.22.1.0/24 counter packets 1834 bytes 139362 snat to 123.456.789.012 comment "mailcow"
                oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
                ip saddr 172.22.1.0/24 ip daddr != 172.22.1.0/24  counter packets 68 bytes 4884 snat to 123.456.789.012
                oifname != "br-mailcow" ip saddr 172.22.1.0/24 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.2 ip daddr 172.22.1.2 tcp dport 443 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.2 ip daddr 172.22.1.2 tcp dport 80 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.4 ip daddr 172.22.1.4 tcp dport 8983 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.253 ip daddr 172.22.1.253 tcp dport 587 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.253 ip daddr 172.22.1.253 tcp dport 465 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.253 ip daddr 172.22.1.253 tcp dport 25 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 12345 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 4190 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 995 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.11 ip daddr 172.22.1.11 tcp dport 3306 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 993 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 143 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.249 ip daddr 172.22.1.249 tcp dport 6379 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 110 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.8 ip daddr 172.22.1.8 tcp dport 443 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.11 ip daddr 172.22.1.11 tcp dport 8983 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.12 ip daddr 172.22.1.12 tcp dport 3306 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip saddr 172.22.1.8 ip daddr 172.22.1.8 tcp dport 80 counter packets 0 bytes 0 masquerade
        }

        chain DOCKER {
                iifname "docker0" counter packets 0 bytes 0 return
                iifname "br-mailcow" counter packets 0 bytes 0 return
                iifname != "br-mailcow" meta l4proto tcp tcp dport 587 counter packets 0 bytes 0 dnat to 172.22.1.253:587
                iifname != "br-mailcow" meta l4proto tcp tcp dport 465 counter packets 0 bytes 0 dnat to 172.22.1.253:465
                iifname != "br-mailcow" meta l4proto tcp tcp dport 25 counter packets 5 bytes 268 dnat to 172.22.1.253:25
                iifname != "br-mailcow" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 19991 counter packets 0 bytes 0 dnat to 172.22.1.250:12345
                iifname != "br-mailcow" meta l4proto tcp tcp dport 4190 counter packets 0 bytes 0 dnat to 172.22.1.250:4190
                iifname != "br-mailcow" meta l4proto tcp tcp dport 443 counter packets 10 bytes 592 dnat to 172.22.1.8:443
                iifname != "br-mailcow" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 7654 counter packets 0 bytes 0 dnat to 172.22.1.249:6379
                iifname != "br-mailcow" meta l4proto tcp tcp dport 995 counter packets 0 bytes 0 dnat to 172.22.1.250:995
                iifname != "br-mailcow" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 18983 counter packets 0 bytes 0 dnat to 172.22.1.11:8983
                iifname != "br-mailcow" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 13306 counter packets 0 bytes 0 dnat to 172.22.1.12:3306
                iifname != "br-mailcow" meta l4proto tcp tcp dport 80 counter packets 6 bytes 300 dnat to 172.22.1.8:80
                iifname != "br-mailcow" meta l4proto tcp tcp dport 993 counter packets 2 bytes 128 dnat to 172.22.1.250:993
                iifname != "br-mailcow" meta l4proto tcp tcp dport 143 counter packets 0 bytes 0 dnat to 172.22.1.250:143
                iifname != "br-mailcow" meta l4proto tcp tcp dport 110 counter packets 0 bytes 0 dnat to 172.22.1.250:110
        }
}

Logs of ip6tables -L -vn -t nat:

# $: nft list ruleset

table ip6 nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                fib daddr type local counter packets 122 bytes 9558 jump DOCKER
        }

        chain INPUT {
                type nat hook input priority 100; policy accept;
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
                ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump DOCKER
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                ip6 saddr fd4d:6169:6c63:6f77::/64 ip6 daddr != fd4d:6169:6c63:6f77::/64 counter packets 555 bytes 53147 snat to 2a03:1111:2222:3333:4444:5555:1234:4321 comment "mailcow"
                oifname != "docker0" ip6 saddr fd00:dead:beef:c0::/80 counter packets 0 bytes 0 masquerade
                ip6 saddr fd4d:6169:6c63:6f77::/64 ip6 daddr != fd4d:6169:6c63:6f77::/64 counter packets 65 bytes 5964 snat to 2a03:1111:2222:3333:4444:5555:1234:4321
                oifname != "br-mailcow" ip6 saddr fd4d:6169:6c63:6f77::/64 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::2 ip6 daddr fd4d:6169:6c63:6f77::2 tcp dport 443 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::2 ip6 daddr fd4d:6169:6c63:6f77::2 tcp dport 80 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::5 ip6 daddr fd4d:6169:6c63:6f77::5 tcp dport 587 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::5 ip6 daddr fd4d:6169:6c63:6f77::5 tcp dport 465 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::5 ip6 daddr fd4d:6169:6c63:6f77::5 tcp dport 25 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::a ip6 daddr fd4d:6169:6c63:6f77::a tcp dport 4190 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::a ip6 daddr fd4d:6169:6c63:6f77::a tcp dport 995 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::a ip6 daddr fd4d:6169:6c63:6f77::a tcp dport 993 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::a ip6 daddr fd4d:6169:6c63:6f77::a tcp dport 143 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::a ip6 daddr fd4d:6169:6c63:6f77::a tcp dport 110 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::4 ip6 daddr fd4d:6169:6c63:6f77::4 tcp dport 587 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::4 ip6 daddr fd4d:6169:6c63:6f77::4 tcp dport 465 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::4 ip6 daddr fd4d:6169:6c63:6f77::4 tcp dport 25 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::b ip6 daddr fd4d:6169:6c63:6f77::b tcp dport 4190 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::c ip6 daddr fd4d:6169:6c63:6f77::c tcp dport 443 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::b ip6 daddr fd4d:6169:6c63:6f77::b tcp dport 995 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::c ip6 daddr fd4d:6169:6c63:6f77::c tcp dport 80 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::b ip6 daddr fd4d:6169:6c63:6f77::b tcp dport 993 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::b ip6 daddr fd4d:6169:6c63:6f77::b tcp dport 143 counter packets 0 bytes 0 masquerade
                meta l4proto tcp ip6 saddr fd4d:6169:6c63:6f77::b ip6 daddr fd4d:6169:6c63:6f77::b tcp dport 110 counter packets 0 bytes 0 masquerade
        }

        chain DOCKER {
                iifname "docker0" counter packets 0 bytes 0 return
                iifname "br-mailcow" counter packets 67 bytes 5360 return
                iifname != "br-mailcow" meta l4proto tcp tcp dport 587 counter packets 0 bytes 0 dnat to [fd4d:6169:6c63:6f77::4]:587
                iifname != "br-mailcow" meta l4proto tcp tcp dport 465 counter packets 0 bytes 0 dnat to [fd4d:6169:6c63:6f77::4]:465
                iifname != "br-mailcow" meta l4proto tcp tcp dport 25 counter packets 1 bytes 80 dnat to [fd4d:6169:6c63:6f77::4]:25
                iifname != "br-mailcow" meta l4proto tcp tcp dport 4190 counter packets 0 bytes 0 dnat to [fd4d:6169:6c63:6f77::b]:4190
                iifname != "br-mailcow" meta l4proto tcp tcp dport 443 counter packets 7 bytes 528 dnat to [fd4d:6169:6c63:6f77::c]:443
                iifname != "br-mailcow" meta l4proto tcp tcp dport 995 counter packets 0 bytes 0 dnat to [fd4d:6169:6c63:6f77::b]:995
                iifname != "br-mailcow" meta l4proto tcp tcp dport 80 counter packets 0 bytes 0 dnat to [fd4d:6169:6c63:6f77::c]:80
                iifname != "br-mailcow" meta l4proto tcp tcp dport 993 counter packets 27 bytes 2184 dnat to [fd4d:6169:6c63:6f77::b]:993
                iifname != "br-mailcow" meta l4proto tcp tcp dport 143 counter packets 0 bytes 0 dnat to [fd4d:6169:6c63:6f77::b]:143
                iifname != "br-mailcow" meta l4proto tcp tcp dport 110 counter packets 0 bytes 0 dnat to [fd4d:6169:6c63:6f77::b]:110
        }
}

DNS check:

104.18.32.7
172.64.155.249
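An added example, not mailcow's code and not posted by the reporter, that audits `nft list ruleset` text of the shape dumped above. It reports the 1-based position of the `jump MAILCOW` rule in the `ip filter` INPUT chain (the restart message treats position 2 as an error, so anything other than the first slot is flagged) and lists the DNAT exposures in the DOCKER nat chains, separating rules restricted to `daddr 127.0.0.1` (like the 18983 and 13306 entries above) from ports reachable on external interfaces. The sample ruleset, the BLACKLIST chain standing in for the reporter's own rule, and the function names are all assumptions for this example.

```python
"""Audit an `nft list ruleset` dump: MAILCOW jump position and DNAT exposure.

Added example, not mailcow's own code. SAMPLE_RULESET is constructed to mirror
the shape of the dump in this issue; the BLACKLIST chain is hypothetical.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

Ruleset = Dict[Tuple[str, str], Dict[str, List[str]]]

# Constructed sample: a user-added jump in front of mailcow's jump in INPUT,
# plus DOCKER nat chains modelled on the dump above (rule list shortened).
SAMPLE_RULESET = """\
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
        chain INPUT {
                type filter hook input priority filter; policy accept;
                counter packets 5 bytes 400 jump BLACKLIST
                counter packets 10 bytes 800 jump MAILCOW
        }
        chain BLACKLIST {
        }
        chain MAILCOW {
        }
}
table ip nat {
        chain DOCKER {
                iifname "br-mailcow" counter packets 0 bytes 0 return
                iifname != "br-mailcow" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 18983 counter packets 0 bytes 0 dnat to 172.22.1.11:8983
                iifname != "br-mailcow" meta l4proto tcp tcp dport 80 counter packets 6 bytes 300 dnat to 172.22.1.8:80
        }
}
table ip6 nat {
        chain DOCKER {
                iifname != "br-mailcow" meta l4proto tcp tcp dport 25 counter packets 1 bytes 80 dnat to [fd4d:6169:6c63:6f77::4]:25
                iifname != "br-mailcow" meta l4proto tcp tcp dport 443 counter packets 7 bytes 528 dnat to [fd4d:6169:6c63:6f77::c]:443
        }
}
"""

TABLE_RE = re.compile(r"^table (\S+) (\S+) \{$")
CHAIN_RE = re.compile(r"^chain (\S+) \{$")
DNAT_RE = re.compile(r"tcp dport (\d+) .*?dnat to (\S+)")
LOOPBACK_RE = re.compile(r"daddr (127\.0\.0\.1|::1)(\s|$)")


def parse_ruleset(text: str) -> Ruleset:
    """Return {(family, table): {chain: [rule, ...]}} from nft list output.

    Comment lines ('# Warning: ...') and the chain 'type ... hook ...'
    declaration are skipped, so only real rules are counted.
    """
    tables: Ruleset = {}
    cur_table: Optional[Tuple[str, str]] = None
    cur_chain: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_RE.match(line)
        if m:
            cur_table = (m.group(1), m.group(2))
            tables[cur_table] = {}
            continue
        m = CHAIN_RE.match(line)
        if m and cur_table is not None:
            cur_chain = m.group(1)
            tables[cur_table][cur_chain] = []
            continue
        if line == "}":
            if cur_chain is not None:
                cur_chain = None
            else:
                cur_table = None
            continue
        if cur_table is not None and cur_chain is not None and not line.startswith("type "):
            tables[cur_table][cur_chain].append(line)
    return tables


def jump_position(tables: Ruleset, family: str, table: str, chain: str, target: str) -> Optional[int]:
    """1-based index of the first rule in `chain` that jumps to `target`, or None."""
    rules = tables.get((family, table), {}).get(chain, [])
    pat = re.compile(r"\bjump " + re.escape(target) + r"\b")
    for idx, rule in enumerate(rules, start=1):
        if pat.search(rule):
            return idx
    return None


def dnat_exposures(tables: Ruleset, family: str, table: str = "nat", chain: str = "DOCKER") -> List[dict]:
    """List DNAT rules as {dport, to, loopback_only}; loopback_only means the
    rule only matches traffic addressed to 127.0.0.1 / ::1."""
    out = []
    for rule in tables.get((family, table), {}).get(chain, []):
        m = DNAT_RE.search(rule)
        if "dnat to" in rule and m:
            out.append({
                "dport": int(m.group(1)),
                "to": m.group(2),
                "loopback_only": LOOPBACK_RE.search(rule) is not None,
            })
    return out


def audit(text: str, target: str = "MAILCOW") -> dict:
    """Summarise the two things worth checking on a host like the one in this issue."""
    tables = parse_ruleset(text)
    pos = jump_position(tables, "ip", "filter", "INPUT", target)
    external = [e for fam in ("ip", "ip6") for e in dnat_exposures(tables, fam) if not e["loopback_only"]]
    return {
        "jump_position": pos,          # 2 on the constructed sample
        "jump_is_first": pos == 1,     # False: something sits in front of it
        "external_ports": sorted({e["dport"] for e in external}),
    }


if __name__ == "__main__":
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULESET
    print(json.dumps(audit(source), indent=2))
```

Run it against a live host with `nft list ruleset | python3 nft_audit.py` (file name assumed); with no input it audits the constructed sample. The parser only understands the textual `nft list` format shown in this issue, not `nft -j` JSON.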
milkmaker commented 5 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.