[X] ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
[X] ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
[X] ... I have understood that answers are voluntary and community-driven, and not commercial support.
[X] ... I have verified that my issue has not been already answered in the past. I also checked previous issues.
Description
The problem is that we have a blacklist in front of all other INPUT chains; because of that the container gets restarted all the time...
Logs:
netfilter-mailcow-1 | MAILCOW target is in position 2 in the ip input table, restarting container to fix it...
netfilter-mailcow-1 | # Warning: table ip filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | # Warning: table ip nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | # Warning: table ip6 filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | # Warning: table ip6 nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | Using NFTables backend
netfilter-mailcow-1 | Clearing all bans
netfilter-mailcow-1 | Initializing mailcow netfilter chain
netfilter-mailcow-1 | Setting MAILCOW isolation
netfilter-mailcow-1 | Watching Redis channel F2B_CHANNEL
netfilter-mailcow-1 | Blacklist was changed, it has 1 entries
netfilter-mailcow-1 | Whitelist was changed, it has 3 entries
netfilter-mailcow-1 | Added host/network 123.456.789.012/24 to blacklist
netfilter-mailcow-1 | MAILCOW target is in position 2 in the ip input table, restarting container to fix it...
netfilter-mailcow-1 | # Warning: table ip filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | # Warning: table ip nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | # Warning: table ip6 filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | # Warning: table ip6 nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | Using NFTables backend
netfilter-mailcow-1 | Clearing all bans
netfilter-mailcow-1 | Initializing mailcow netfilter chain
netfilter-mailcow-1 | Setting MAILCOW isolation
netfilter-mailcow-1 | Watching Redis channel F2B_CHANNEL
netfilter-mailcow-1 | Blacklist was changed, it has 1 entries
netfilter-mailcow-1 | Whitelist was changed, it has 3 entries
netfilter-mailcow-1 | Added host/network 123.456.789.012/24 to blacklist
netfilter-mailcow-1 | MAILCOW target is in position 2 in the ip input table, restarting container to fix it...
netfilter-mailcow-1 | # Warning: table ip filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | # Warning: table ip nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | # Warning: table ip6 filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | # Warning: table ip6 nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | Using NFTables backend
netfilter-mailcow-1 | Clearing all bans
netfilter-mailcow-1 | Initializing mailcow netfilter chain
netfilter-mailcow-1 | Setting MAILCOW isolation
netfilter-mailcow-1 | Watching Redis channel F2B_CHANNEL
netfilter-mailcow-1 | Blacklist was changed, it has 1 entries
netfilter-mailcow-1 | Whitelist was changed, it has 3 entries
netfilter-mailcow-1 | Added host/network 123.456.789.012/24 to blacklist
netfilter-mailcow-1 | MAILCOW target is in position 2 in the ip input table, restarting container to fix it...
netfilter-mailcow-1 | # Warning: table ip filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | # Warning: table ip nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | # Warning: table ip6 filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | # Warning: table ip6 nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1 | Using NFTables backend
netfilter-mailcow-1 | Clearing all bans
netfilter-mailcow-1 | Initializing mailcow netfilter chain
netfilter-mailcow-1 | Setting MAILCOW isolation
netfilter-mailcow-1 | Watching Redis channel F2B_CHANNEL
netfilter-mailcow-1 | Blacklist was changed, it has 1 entries
netfilter-mailcow-1 | Added host/network 123.456.789.012/24 to blacklist
netfilter-mailcow-1 | Whitelist was changed, it has 3 entries
Steps to reproduce:
Use a blacklist like crowdsec or ufw, or whatever else sets a DROP at position 1.
Which branch are you using?
master
Which architecture are you using?
x86
Operating System:
Ubuntu 22.04 LTS
Server/VM specifications:
8GB / 2CPU
Is Apparmor, SELinux or similar active?
no
Virtualization technology:
KVM
Docker version:
25.0.5
docker-compose version or docker compose version:
v2.25.0
mailcow version:
2024-02
Reverse proxy:
Nginx
Logs of git diff:
git diff origin/master
diff --git a/data/Dockerfiles/netfilter/Dockerfile b/data/Dockerfiles/netfilter/Dockerfile
index 8a561f06..d9f3cf7e 100644
--- a/data/Dockerfiles/netfilter/Dockerfile
+++ b/data/Dockerfiles/netfilter/Dockerfile
@@ -26,6 +26,7 @@ RUN apk add --virtual .build-deps \
&& pip3 install --ignore-installed --upgrade pip \
jsonschema \
python-iptables \
+ requests \
redis \
ipaddress \
dnspython \
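Review bot: `requests` is added here for the external reporting calls in main.py, but nothing in the diff shows where `abusedbip_url` and `abusedbip_headers` (and any credential they contain) are defined or configured; document the expected environment variable or config entry alongside this new dependency, and consider pinning it like a production dependency should be.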
diff --git a/data/Dockerfiles/netfilter/main.py b/data/Dockerfiles/netfilter/main.py
index c3ca379c..22264150 100644
--- a/data/Dockerfiles/netfilter/main.py
+++ b/data/Dockerfiles/netfilter/main.py
@@ -7,6 +7,7 @@ import time
import atexit
import signal
import ipaddress
+import requests^M
from collections import Counter
from random import randint
from threading import Thread
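Review bot: the added line ends in a carriage return (`^M`) while the rest of main.py uses LF, and the same is true of every added line in this diff; strip the CRs before submitting, otherwise the file ends up with mixed line endings and every later diff of these lines is noisy. Also, the new code calls `json.loads` and `json.dumps`, but this hunk only adds `import requests`; make sure `json` is imported too.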
@@ -158,6 +159,101 @@ def ban(address):
tables.banIPv6(net)
r.hset('F2B_ACTIVE_BANS', '%s' % net, cur_time + NET_BAN_TIME)
+ ^M
+ ^M
+ NETBAN_IPV4 = '/' + str(29)^M
+ NETBAN_IPV6 = '/' + str(112)^M
+ net2 = ipaddress.ip_network((address + (NETBAN_IPV4 if type(ip) is ipaddress.IPv4Address else NETBAN_IPV6)), strict=False)^M
+ for sIP in net2.hosts():^M
+ # String holding parameters to pass in json format^M
+ params = {^M
+ 'ip':sIP,^M
+ 'categories':'11,18,20,21,22',^M
+ 'comment':'Attack on multipe Ports and Login'^M
+ }^M
+ response = requests.request(method='POST', url=abusedbip_url, headers=abusedbip_headers, params=params)^M
+ ^M
+ # Formatted output^M
+ decodedResponse = json.loads(response.text)^M
+ print(json.dumps(decodedResponse, sort_keys=True, indent=4))^M
+ else:^M
+ logWarn('%d more attempts in the next %d seconds until %s is banned' % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net))^M
+^M
+def ban2(address):^M
+ global lock^M
+ refreshF2boptions()^M
+ BAN_TIME = int(14400)^M
+ BAN_TIME_INCREMENT = bool(True)^M
+ MAX_ATTEMPTS = int(15)^M
+ RETRY_WINDOW = int(14400)^M
+ NETBAN_IPV4 = '/' + str(24)^M
+ NETBAN_IPV6 = '/' + str(64)^M
+^M
+ ip = ipaddress.ip_address(address)^M
+ if type(ip) is ipaddress.IPv6Address and ip.ipv4_mapped:^M
+ ip = ip.ipv4_mapped^M
+ address = str(ip)^M
+ if ip.is_private or ip.is_loopback:^M
+ return^M
+^M
+ self_network = ipaddress.ip_network(address)^M
+^M
+ with lock:^M
+ temp_whitelist = set(WHITELIST)^M
+^M
+ if temp_whitelist:^M
+ for wl_key in temp_whitelist:^M
+ wl_net = ipaddress.ip_network(wl_key, False)^M
+ if wl_net.overlaps(self_network):^M
+ logInfo('Address %s is whitelisted by rule %s' % (self_network, wl_net))^M
+ return^M
+^M
+ net = ipaddress.ip_network((address + (NETBAN_IPV4 if type(ip) is ipaddress.IPv4Address else NETBAN_IPV6)), strict=False)^M
+ net = str(net)^M
+^M
+ if not net in bans:^M
+ bans[net] = {'attempts': 0, 'last_attempt': 0, 'ban_counter': 0}^M
+^M
+ bans[net]['attempts'] += 1^M
+ bans[net]['last_attempt'] = time.time()^M
+^M
+ if bans[net]['attempts'] >= MAX_ATTEMPTS:^M
+ cur_time = int(round(time.time()))^M
+ NET_BAN_TIME = BAN_TIME if not BAN_TIME_INCREMENT else BAN_TIME * 2 ** bans[net]['ban_counter']^M
+ logCrit('Banning %s for %d minutes' % (net, NET_BAN_TIME / 60 ))^M
+ if type(ip) is ipaddress.IPv4Address:^M
+ with lock:^M
+ chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'MAILCOW')^M
+ rule = iptc.Rule()^M
+ rule.src = net^M
+ target = iptc.Target(rule, "REJECT")^M
+ rule.target = target^M
+ if rule not in chain.rules:^M
+ chain.insert_rule(rule)^M
+ else:^M
+ with lock:^M
+ chain = iptc.Chain(iptc.Table6(iptc.Table6.FILTER), 'MAILCOW')^M
+ rule = iptc.Rule6()^M
+ rule.src = net^M
+ target = iptc.Target(rule, "REJECT")^M
+ rule.target = target^M
+ if rule not in chain.rules:^M
+ chain.insert_rule(rule)^M
+ r.hset('F2B_ACTIVE_BANS', '%s' % net, cur_time + NET_BAN_TIME)^M
+ ^M
+ net2 = ipaddress.ip_network((address + (NETBAN_IPV4 if type(ip) is ipaddress.IPv4Address else NETBAN_IPV6)), strict=False)^M
+ for sIP in net2.hosts():^M
+ # String holding parameters to pass in json format^M
+ params = {^M
+ 'ip':sIP,^M
+ 'categories':'11,18,20,21,22',^M
+ 'comment':'Attack on multipe Ports and Login'^M
+ }^M
+ response = requests.request(method='POST', url=abusedbip_url, headers=abusedbip_headers, params=params)^M
+ ^M
+ # Formatted output^M
+ decodedResponse = json.loads(response.text)^M
+ print(json.dumps(decodedResponse, sort_keys=True, indent=4))^M
else:
logger.logWarn('%d more attempts in the next %d seconds until %s is banned' % (MAX_ATTEMPTS - bans[net]['attempts'], RETRY_WINDOW, net))
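Review bot: both new reporting loops (`for sIP in net2.hosts()` in `ban()` and again in `ban2()`) submit every host of the computed network to the external endpoint, which for the hard-coded `/24` in `ban2()` is 254 addresses that never appeared in the logs, so the report attributes abuse to neighbouring hosts that did nothing; report only `address`, the one that actually matched. The requests are made synchronously inside the ban path with no timeout and no status check, so a slow or failing endpoint stalls banning. `ban2()` uses bare `logInfo`/`logCrit`/`logWarn` and talks to `iptc` directly, while the surrounding code goes through `logger.` and `tables.` (see the `tables.banIPv6(net)` context line, and the report's own log says the NFTables backend is in use), so those names are likely undefined here and the rules bypass the active backend. It also calls `refreshF2boptions()` and then overwrites every option with hard-coded constants, and in `ban()` the new `NETBAN_IPV4`/`NETBAN_IPV6` assignments come after the network was already banned with the configured values. Typo in the comment string: "multipe".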
@@ -250,6 +346,7 @@ def watch():
continue
logger.logWarn('%s matched rule id %s (%s)' % (addr, rule_id, item['data']))
ban(addr)
+ ban2(addr)^M
except Exception as ex:
logger.logWarn('Error reading log line from pubsub: %s' % ex)
pubsub = None
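Review bot: `ban2(addr)` is called right after `ban(addr)` for every matched line, so each hit now runs two independent attempt counters over the shared `bans` dict (keyed by different network sizes) and, once the threshold is reached, the blocking HTTP loop runs on the pubsub reader thread; any exception from it falls through to the generic `except Exception` below, is logged only as a warning, and resets `pubsub`. Consider folding the `/24` behaviour into `ban()` behind a configuration option and moving the reporting off the log-reading thread.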
Logs of iptables -L -vn:
Chain INPUT (policy ACCEPT 9776 packets, 9442K bytes)
pkts bytes target prot opt in out source destination
166 9556 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set crowdsec-blacklists src
9803 9443K MAILCOW all -- * * 0.0.0.0/0 0.0.0.0/0 /* mailcow */
36 1725 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ipsum src
9776 9442K MAILCOW all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
33092 7214K MAILCOW all -- * * 0.0.0.0/0 0.0.0.0/0 /* mailcow */
33092 7214K DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
33092 7214K DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
33092 7214K MAILCOW all -- * * 0.0.0.0/0 0.0.0.0/0
27892 6752K ACCEPT all -- * br-mailcow 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2580 168K DOCKER all -- * br-mailcow 0.0.0.0/0 0.0.0.0/0
2620 294K ACCEPT all -- br-mailcow !br-mailcow 0.0.0.0/0 0.0.0.0/0
2561 167K ACCEPT all -- br-mailcow br-mailcow 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 12000 packets, 9491K bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.253 tcp dpt:587
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.253 tcp dpt:465
5 268 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.253 tcp dpt:25
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:12345
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:4190
6 360 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.8 tcp dpt:443
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.249 tcp dpt:6379
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:995
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.11 tcp dpt:8983
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.12 tcp dpt:3306
6 300 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.8 tcp dpt:80
2 128 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:993
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:143
0 0 ACCEPT tcp -- !br-mailcow br-mailcow 0.0.0.0/0 172.22.1.250 tcp dpt:110
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
2620 294K DOCKER-ISOLATION-STAGE-2 all -- br-mailcow !br-mailcow 0.0.0.0/0 0.0.0.0/0
33092 7214K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * br-mailcow 0.0.0.0/0 0.0.0.0/0
2620 294K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
33092 7214K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain MAILCOW (4 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP tcp -- !br-mailcow br-mailcow 0.0.0.0/0 0.0.0.0/0 /* mailcow isolation */
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.40.0/24 0.0.0.0/0
Logs of ip6tables -L -vn:
Chain INPUT (policy ACCEPT 1428 packets, 199K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all * * ::/0 ::/0 match-set crowdsec6-blacklists src
1414 198K MAILCOW all * * ::/0 ::/0 /* mailcow */
1428 199K MAILCOW all * * ::/0 ::/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
12563 9751K MAILCOW all * * ::/0 ::/0 /* mailcow */
12620 9756K DOCKER-USER all * * ::/0 ::/0
12620 9756K DOCKER-ISOLATION-STAGE-1 all * * ::/0 ::/0
0 0 ACCEPT all * docker0 ::/0 ::/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all * docker0 ::/0 ::/0
0 0 ACCEPT all docker0 !docker0 ::/0 ::/0
0 0 ACCEPT all docker0 docker0 ::/0 ::/0
12620 9756K MAILCOW all * * ::/0 ::/0
6377 8959K ACCEPT all * br-mailcow ::/0 ::/0 ctstate RELATED,ESTABLISHED
3982 268K DOCKER all * br-mailcow ::/0 ::/0
2261 529K ACCEPT all br-mailcow !br-mailcow ::/0 ::/0
3950 265K ACCEPT all br-mailcow br-mailcow ::/0 ::/0
Chain OUTPUT (policy ACCEPT 1408 packets, 172K bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::4 tcp dpt:587
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::4 tcp dpt:465
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::4 tcp dpt:25
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::b tcp dpt:4190
5 384 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::c tcp dpt:443
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::b tcp dpt:995
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::c tcp dpt:80
27 2184 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::b tcp dpt:993
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::b tcp dpt:143
0 0 ACCEPT tcp !br-mailcow br-mailcow ::/0 fd4d:6169:6c63:6f77::b tcp dpt:110
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all docker0 !docker0 ::/0 ::/0
2261 529K DOCKER-ISOLATION-STAGE-2 all br-mailcow !br-mailcow ::/0 ::/0
12620 9756K RETURN all * * ::/0 ::/0
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all * docker0 ::/0 ::/0
0 0 DROP all * br-mailcow ::/0 ::/0
2261 529K RETURN all * * ::/0 ::/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
12620 9756K RETURN all * * ::/0 ::/0
Chain MAILCOW (4 references)
pkts bytes target prot opt in out source destination
Logs of iptables -L -vn -t nat:
# $: nft list ruleset
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter packets 427 bytes 23533 jump DOCKER
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 172.22.1.0/24 ip daddr != 172.22.1.0/24 counter packets 1834 bytes 139362 snat to 123.456.789.012 comment "mailcow"
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
ip saddr 172.22.1.0/24 ip daddr != 172.22.1.0/24 counter packets 68 bytes 4884 snat to 123.456.789.012
oifname != "br-mailcow" ip saddr 172.22.1.0/24 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.2 ip daddr 172.22.1.2 tcp dport 443 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.2 ip daddr 172.22.1.2 tcp dport 80 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.4 ip daddr 172.22.1.4 tcp dport 8983 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.253 ip daddr 172.22.1.253 tcp dport 587 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.253 ip daddr 172.22.1.253 tcp dport 465 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.253 ip daddr 172.22.1.253 tcp dport 25 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 12345 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 4190 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 995 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.11 ip daddr 172.22.1.11 tcp dport 3306 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 993 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 143 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.249 ip daddr 172.22.1.249 tcp dport 6379 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 110 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.8 ip daddr 172.22.1.8 tcp dport 443 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.11 ip daddr 172.22.1.11 tcp dport 8983 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.12 ip daddr 172.22.1.12 tcp dport 3306 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.8 ip daddr 172.22.1.8 tcp dport 80 counter packets 0 bytes 0 masquerade
}
chain DOCKER {
iifname "docker0" counter packets 0 bytes 0 return
iifname "br-mailcow" counter packets 0 bytes 0 return
iifname != "br-mailcow" meta l4proto tcp tcp dport 587 counter packets 0 bytes 0 dnat to 172.22.1.253:587
iifname != "br-mailcow" meta l4proto tcp tcp dport 465 counter packets 0 bytes 0 dnat to 172.22.1.253:465
iifname != "br-mailcow" meta l4proto tcp tcp dport 25 counter packets 5 bytes 268 dnat to 172.22.1.253:25
iifname != "br-mailcow" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 19991 counter packets 0 bytes 0 dnat to 172.22.1.250:12345
iifname != "br-mailcow" meta l4proto tcp tcp dport 4190 counter packets 0 bytes 0 dnat to 172.22.1.250:4190
iifname != "br-mailcow" meta l4proto tcp tcp dport 443 counter packets 10 bytes 592 dnat to 172.22.1.8:443
iifname != "br-mailcow" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 7654 counter packets 0 bytes 0 dnat to 172.22.1.249:6379
iifname != "br-mailcow" meta l4proto tcp tcp dport 995 counter packets 0 bytes 0 dnat to 172.22.1.250:995
iifname != "br-mailcow" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 18983 counter packets 0 bytes 0 dnat to 172.22.1.11:8983
iifname != "br-mailcow" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 13306 counter packets 0 bytes 0 dnat to 172.22.1.12:3306
iifname != "br-mailcow" meta l4proto tcp tcp dport 80 counter packets 6 bytes 300 dnat to 172.22.1.8:80
iifname != "br-mailcow" meta l4proto tcp tcp dport 993 counter packets 2 bytes 128 dnat to 172.22.1.250:993
iifname != "br-mailcow" meta l4proto tcp tcp dport 143 counter packets 0 bytes 0 dnat to 172.22.1.250:143
iifname != "br-mailcow" meta l4proto tcp tcp dport 110 counter packets 0 bytes 0 dnat to 172.22.1.250:110
}
}
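A small diagnostic for this class of problem, added here as example code (not part of mailcow or of this report): it parses an `iptables -L -vn` or `ip6tables -L -vn` listing, reports at which INPUT position the MAILCOW jump sits and which rules run before it, and counts identical rules repeated inside the MAILCOW chain. The sample listing is constructed as an abridged form of the output above; the real listing repeats the `46.148.40.0/24` rule far more often.

```python
import re
from collections import Counter

# Constructed sample: abridged INPUT and MAILCOW chains in the shape of the
# `iptables -L -vn` listing quoted in this report.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 9776 packets, 9442K bytes)
 pkts bytes target     prot opt in     out     source               destination
  166  9556 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set crowdsec-blacklists src
 9803 9443K MAILCOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
   36  1725 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ipsum src
 9776 9442K MAILCOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain MAILCOW (4 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            /* mailcow isolation */
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       46.148.40.0/24       0.0.0.0/0
"""


def parse_listing(text):
    """Map chain name -> ordered list of rule strings (pkts/bytes counters dropped).

    Works for iptables and ip6tables alike: the rule is whatever follows the two
    counter columns, so the `opt` column that ip6tables omits does not matter.
    """
    chains = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        if line.startswith("pkts ") or current is None:
            continue  # column header, or text before the first chain
        tokens = line.split()
        if len(tokens) < 3 or not re.fullmatch(r"\d+[KMG]?", tokens[1]):
            continue  # not a counter-prefixed rule line
        chains[current].append(" ".join(tokens[2:]))
    return chains


def jump_position(chains, chain="INPUT", target="MAILCOW"):
    """1-based index of the first jump to `target` in `chain`, plus the rules
    evaluated before it. The report's log shows the container restarting as soon
    as it finds this jump at position 2, so the rules ahead of it are the ones to
    look at. Returns (None, all rules) when the jump is absent."""
    rules = chains.get(chain, [])
    for idx, rule in enumerate(rules, start=1):
        if rule.split()[0] == target:
            return idx, rules[: idx - 1]
    return None, rules


def duplicate_rules(chains, chain="MAILCOW"):
    """Rules that occur more than once in `chain`, with their counts. Identical
    DROP rules piling up is the footprint of a blacklist entry being re-inserted
    on every restart without checking whether it already exists."""
    counts = Counter(chains.get(chain, []))
    return {rule: n for rule, n in counts.items() if n > 1}


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    pos, ahead = jump_position(parsed)
    print("MAILCOW jump is at INPUT position", pos)
    for rule in ahead:
        print("  evaluated before it:", rule)
    for rule, n in duplicate_rules(parsed).items():
        print("duplicated %dx in MAILCOW: %s" % (n, rule))
```

Feed it the real output with `parse_listing(open("iptables.txt").read())` to see the same two findings on a live host.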