LXD virtual machine or KVM virtual machine

Hi all,

I was wondering. I installed an LXD --vm with Docker and mailcow inside it. However, I have some problems with nftables. When an IP is blocked according to nftables, I can still connect with this “blocked client”.

Now my question: what is the difference between a KVM virtual machine and an LXD virtual machine?

Or are there no differences?

No difference, both are run by QEMU. The issue you’re hitting is likely more to do with how the firewalling is set up inside of the VM.

Note that if combining nftables with iptables (which Docker uses), the application order isn’t guaranteed and an accept rule in iptables may end up overruling a deny rule in nftables.

In general you want to make sure that your system is either all on nftables or all on iptables; a combination of the two can lead to problems.

Hi @stgraber

First of all, thanks for your reply. I am running Debian bullseye with Docker, and inside Docker I am running mailcow.

How can I run only iptables on Debian 11 and disable nftables? Do you know how?

Kind regards,

Chris

sudo nft flush ruleset
apt remove nftables

Then restart to ensure all subsystems only use iptables.

Thanks,

I did that and rebooted. However, it is still not working. The guys from mailcow are telling me that only a full KVM VM is working.

I am going to try that to see if it works.

You were right.

A full kvm VM is still not resolving my issues.

However, I don’t know where to search anymore.

Can you provide some more solid examples, along with the output of iptables-save and nft list ruleset for each example? At the moment the problem description is rather vague.

Hi @tomp

You are right. First let me tell you my setup. I installed a host with LXD on it. Then I created an LXD virtual machine. Inside this virtual machine I installed mailcow (with Docker). Now everything is working fine; mail is running fine. The only thing that is not working is the netfilter part. The netfilter container is telling me it is blocking the public IP, however I can still connect to all services with this IP.

nft list ruleset output is:

root@mail:~# nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}
table ip6 nat {
        chain DOCKER {
                iifname "docker0" counter packets 0 bytes 0 return
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                oifname != "docker0" ip6 saddr fd00:dead:beef:c0::/80 counter packets 0 bytes 0 masquerade
        }

        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                fib daddr type local counter packets 0 bytes 0 jump DOCKER
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
                ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump DOCKER
        }
}
table ip6 filter {
        chain DOCKER {
        }

        chain DOCKER-ISOLATION-STAGE-1 {
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
                iifname "br-mailcow" oifname != "br-mailcow" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
                counter packets 0 bytes 0 return
        }

        chain DOCKER-ISOLATION-STAGE-2 {
                oifname "docker0" counter packets 0 bytes 0 drop
                oifname "br-mailcow" counter packets 0 bytes 0 drop
                counter packets 0 bytes 0 return
        }

        chain FORWARD {
                type filter hook forward priority filter; policy drop;
                counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
                oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
                oifname "docker0" counter packets 0 bytes 0 jump DOCKER
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
                iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
        }
}


iptables-save output is:

root@mail:~# iptables-save
# Generated by iptables-save v1.8.7 on Wed May 11 17:23:40 2022
*security
:INPUT ACCEPT [7816:3309226]
:FORWARD ACCEPT [167460:82524709]
:OUTPUT ACCEPT [10328:706754]
COMMIT
# Completed on Wed May 11 17:23:40 2022
# Generated by iptables-save v1.8.7 on Wed May 11 17:23:40 2022
*raw
:PREROUTING ACCEPT [175246:85832135]
:OUTPUT ACCEPT [10328:706754]
COMMIT
# Completed on Wed May 11 17:23:40 2022
# Generated by iptables-save v1.8.7 on Wed May 11 17:23:40 2022
*mangle
:PREROUTING ACCEPT [175246:85832135]
:INPUT ACCEPT [7816:3309226]
:FORWARD ACCEPT [167460:82524709]
:OUTPUT ACCEPT [10328:706754]
:POSTROUTING ACCEPT [177788:83231463]
COMMIT
# Completed on Wed May 11 17:23:40 2022
# Generated by iptables-save v1.8.7 on Wed May 11 17:23:40 2022
*filter
:INPUT ACCEPT [7816:3309226]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [10328:706754]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:MAILCOW - [0:0]
-A INPUT -j MAILCOW
-A FORWARD -j MAILCOW
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-mailcow -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-mailcow -j DOCKER
-A FORWARD -i br-mailcow ! -o br-mailcow -j ACCEPT
-A FORWARD -i br-mailcow -o br-mailcow -j ACCEPT
-A DOCKER -d 172.22.1.3/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.22.1.3/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.22.1.5/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 12345 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 4190 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 995 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 993 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 143 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 110 -j ACCEPT
-A DOCKER -d 172.22.1.249/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER -d 172.22.1.11/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 8983 -j ACCEPT
-A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-mailcow ! -o br-mailcow -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-mailcow -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Wed May 11 17:23:40 2022
# Generated by iptables-save v1.8.7 on Wed May 11 17:23:40 2022
*nat
:PREROUTING ACCEPT [9514:627485]
:INPUT ACCEPT [1132:80664]
:OUTPUT ACCEPT [34:2438]
:POSTROUTING ACCEPT [6890:429936]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.22.1.0/24 ! -o br-mailcow -j MASQUERADE
-A POSTROUTING -s 172.22.1.3/32 -d 172.22.1.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.22.1.3/32 -d 172.22.1.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.22.1.5/32 -d 172.22.1.5/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 12345 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 4190 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 995 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 993 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 143 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 110 -j MASQUERADE
-A POSTROUTING -s 172.22.1.249/32 -d 172.22.1.249/32 -p tcp -m tcp --dport 6379 -j MASQUERADE
-A POSTROUTING -s 172.22.1.11/32 -d 172.22.1.11/32 -p tcp -m tcp --dport 8983 -j MASQUERADE
-A POSTROUTING -s 172.22.1.253/32 -d 172.22.1.253/32 -p tcp -m tcp --dport 587 -j MASQUERADE
-A POSTROUTING -s 172.22.1.253/32 -d 172.22.1.253/32 -p tcp -m tcp --dport 465 -j MASQUERADE
-A POSTROUTING -s 172.22.1.253/32 -d 172.22.1.253/32 -p tcp -m tcp --dport 25 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-mailcow -j RETURN
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.22.1.3:443
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.22.1.3:80
-A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 13306 -j DNAT --to-destination 172.22.1.5:3306
-A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 19991 -j DNAT --to-destination 172.22.1.250:12345
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 4190 -j DNAT --to-destination 172.22.1.250:4190
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 995 -j DNAT --to-destination 172.22.1.250:995
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 993 -j DNAT --to-destination 172.22.1.250:993
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 143 -j DNAT --to-destination 172.22.1.250:143
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 110 -j DNAT --to-destination 172.22.1.250:110
-A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 7654 -j DNAT --to-destination 172.22.1.249:6379
-A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 18983 -j DNAT --to-destination 172.22.1.11:8983
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 587 -j DNAT --to-destination 172.22.1.253:587
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 465 -j DNAT --to-destination 172.22.1.253:465
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.22.1.253:25
COMMIT
# Completed on Wed May 11 17:23:40 2022
root@mail:~#


I hope my story is a bit clear.

@tomp

And here is the output with a banned public IP address.

nft list ruleset:

root@mail:~# nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}
table ip6 nat {
        chain DOCKER {
                iifname "docker0" counter packets 0 bytes 0 return
        }

        chain POSTROUTING {
                type nat hook postrouting priority srcnat; policy accept;
                oifname != "docker0" ip6 saddr fd00:dead:beef:c0::/80 counter packets 0 bytes 0 masquerade
        }

        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
                fib daddr type local counter packets 0 bytes 0 jump DOCKER
        }

        chain OUTPUT {
                type nat hook output priority -100; policy accept;
                ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump DOCKER
        }
}
table ip6 filter {
        chain DOCKER {
        }

        chain DOCKER-ISOLATION-STAGE-1 {
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
                iifname "br-mailcow" oifname != "br-mailcow" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
                counter packets 0 bytes 0 return
        }

        chain DOCKER-ISOLATION-STAGE-2 {
                oifname "docker0" counter packets 0 bytes 0 drop
                oifname "br-mailcow" counter packets 0 bytes 0 drop
                counter packets 0 bytes 0 return
        }

        chain FORWARD {
                type filter hook forward priority filter; policy drop;
                counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
                oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
                oifname "docker0" counter packets 0 bytes 0 jump DOCKER
                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
                iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
        }
}

iptables-save:

root@mail:~# iptables-save
# Generated by iptables-save v1.8.7 on Wed May 11 17:28:46 2022
*security
:INPUT ACCEPT [8877:3685859]
:FORWARD ACCEPT [185979:87466399]
:OUTPUT ACCEPT [11612:828114]
COMMIT
# Completed on Wed May 11 17:28:46 2022
# Generated by iptables-save v1.8.7 on Wed May 11 17:28:46 2022
*raw
:PREROUTING ACCEPT [194811:91149558]
:OUTPUT ACCEPT [11612:828114]
COMMIT
# Completed on Wed May 11 17:28:46 2022
# Generated by iptables-save v1.8.7 on Wed May 11 17:28:46 2022
*mangle
:PREROUTING ACCEPT [194811:91149558]
:INPUT ACCEPT [8877:3685859]
:FORWARD ACCEPT [185979:87466399]
:OUTPUT ACCEPT [11612:828114]
:POSTROUTING ACCEPT [197591:88294513]
COMMIT
# Completed on Wed May 11 17:28:46 2022
# Generated by iptables-save v1.8.7 on Wed May 11 17:28:46 2022
*filter
:INPUT ACCEPT [446:151182]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [521:48730]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:MAILCOW - [0:0]
-A INPUT -j MAILCOW
-A FORWARD -j MAILCOW
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-mailcow -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-mailcow -j DOCKER
-A FORWARD -i br-mailcow ! -o br-mailcow -j ACCEPT
-A FORWARD -i br-mailcow -o br-mailcow -j ACCEPT
-A DOCKER -d 172.22.1.3/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.22.1.3/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.22.1.5/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 12345 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 4190 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 995 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 993 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 143 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 110 -j ACCEPT
-A DOCKER -d 172.22.1.249/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER -d 172.22.1.11/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 8983 -j ACCEPT
-A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-mailcow ! -o br-mailcow -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-mailcow -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A MAILCOW -s 109.37.147.34/32 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed May 11 17:28:46 2022
# Generated by iptables-save v1.8.7 on Wed May 11 17:28:46 2022
*nat
:PREROUTING ACCEPT [10646:704703]
:INPUT ACCEPT [1245:89022]
:OUTPUT ACCEPT [49:3497]
:POSTROUTING ACCEPT [7703:481210]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.22.1.0/24 ! -o br-mailcow -j MASQUERADE
-A POSTROUTING -s 172.22.1.3/32 -d 172.22.1.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.22.1.3/32 -d 172.22.1.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.22.1.5/32 -d 172.22.1.5/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 12345 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 4190 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 995 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 993 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 143 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 110 -j MASQUERADE
-A POSTROUTING -s 172.22.1.249/32 -d 172.22.1.249/32 -p tcp -m tcp --dport 6379 -j MASQUERADE
-A POSTROUTING -s 172.22.1.11/32 -d 172.22.1.11/32 -p tcp -m tcp --dport 8983 -j MASQUERADE
-A POSTROUTING -s 172.22.1.253/32 -d 172.22.1.253/32 -p tcp -m tcp --dport 587 -j MASQUERADE
-A POSTROUTING -s 172.22.1.253/32 -d 172.22.1.253/32 -p tcp -m tcp --dport 465 -j MASQUERADE
-A POSTROUTING -s 172.22.1.253/32 -d 172.22.1.253/32 -p tcp -m tcp --dport 25 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-mailcow -j RETURN
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.22.1.3:443
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.22.1.3:80
-A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 13306 -j DNAT --to-destination 172.22.1.5:3306
-A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 19991 -j DNAT --to-destination 172.22.1.250:12345
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 4190 -j DNAT --to-destination 172.22.1.250:4190
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 995 -j DNAT --to-destination 172.22.1.250:995
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 993 -j DNAT --to-destination 172.22.1.250:993
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 143 -j DNAT --to-destination 172.22.1.250:143
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 110 -j DNAT --to-destination 172.22.1.250:110
-A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 7654 -j DNAT --to-destination 172.22.1.249:6379
-A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 18983 -j DNAT --to-destination 172.22.1.11:8983
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 587 -j DNAT --to-destination 172.22.1.253:587
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 465 -j DNAT --to-destination 172.22.1.253:465
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.22.1.253:25
COMMIT
# Completed on Wed May 11 17:28:46 2022

Looks like your system is using a mixture of iptables and nftables. I suggest removing nftables and then restarting the system. Then provide the output of the unified firewall config using sudo iptables-save.

Hi @tomp

This is the output. Still, the “blocked IP” can connect.

root@mail:/opt/mailcow-dockerized# sudo iptables-save
# Generated by iptables-save v1.8.7 on Mon May 16 18:02:42 2022
*security
:INPUT ACCEPT [1494:332813]
:FORWARD ACCEPT [10327:4256212]
:OUTPUT ACCEPT [1603:273339]
COMMIT
# Completed on Mon May 16 18:02:42 2022
# Generated by iptables-save v1.8.7 on Mon May 16 18:02:42 2022
*raw
:PREROUTING ACCEPT [11829:4589793]
:OUTPUT ACCEPT [1603:273339]
COMMIT
# Completed on Mon May 16 18:02:42 2022
# Generated by iptables-save v1.8.7 on Mon May 16 18:02:42 2022
*mangle
:PREROUTING ACCEPT [11829:4589793]
:INPUT ACCEPT [1494:332813]
:FORWARD ACCEPT [10327:4256212]
:OUTPUT ACCEPT [1603:273339]
:POSTROUTING ACCEPT [11930:4529551]
COMMIT
# Completed on Mon May 16 18:02:42 2022
# Generated by iptables-save v1.8.7 on Mon May 16 18:02:42 2022
*filter
:INPUT ACCEPT [869:130202]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [933:210990]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:MAILCOW - [0:0]
-A INPUT -j MAILCOW
-A FORWARD -j MAILCOW
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-mailcow -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-mailcow -j DOCKER
-A FORWARD -i br-mailcow ! -o br-mailcow -j ACCEPT
-A FORWARD -i br-mailcow -o br-mailcow -j ACCEPT
-A DOCKER -d 172.22.1.2/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.22.1.2/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.22.1.249/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER -d 172.22.1.3/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 8983 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 12345 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 4190 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 995 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 993 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 143 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 110 -j ACCEPT
-A DOCKER -d 172.22.1.10/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-mailcow ! -o br-mailcow -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-mailcow -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A MAILCOW -s 109.37.158.244/32 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Mon May 16 18:02:42 2022
# Generated by iptables-save v1.8.7 on Mon May 16 18:02:42 2022
*nat
:PREROUTING ACCEPT [1383:97870]
:INPUT ACCEPT [86:7499]
:OUTPUT ACCEPT [37:2559]
:POSTROUTING ACCEPT [838:55394]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.22.1.0/24 ! -o br-mailcow -j MASQUERADE
-A POSTROUTING -s 172.22.1.2/32 -d 172.22.1.2/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.22.1.2/32 -d 172.22.1.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.22.1.249/32 -d 172.22.1.249/32 -p tcp -m tcp --dport 6379 -j MASQUERADE
-A POSTROUTING -s 172.22.1.3/32 -d 172.22.1.3/32 -p tcp -m tcp --dport 8983 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 12345 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 4190 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 995 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 993 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 143 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 110 -j MASQUERADE
-A POSTROUTING -s 172.22.1.10/32 -d 172.22.1.10/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A POSTROUTING -s 172.22.1.253/32 -d 172.22.1.253/32 -p tcp -m tcp --dport 587 -j MASQUERADE
-A POSTROUTING -s 172.22.1.253/32 -d 172.22.1.253/32 -p tcp -m tcp --dport 465 -j MASQUERADE
-A POSTROUTING -s 172.22.1.253/32 -d 172.22.1.253/32 -p tcp -m tcp --dport 25 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-mailcow -j RETURN
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.22.1.2:443
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.22.1.2:80
-A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 7654 -j DNAT --to-destination 172.22.1.249:6379
-A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 18983 -j DNAT --to-destination 172.22.1.3:8983
-A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 19991 -j DNAT --to-destination 172.22.1.250:12345
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 4190 -j DNAT --to-destination 172.22.1.250:4190
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 995 -j DNAT --to-destination 172.22.1.250:995
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 993 -j DNAT --to-destination 172.22.1.250:993
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 143 -j DNAT --to-destination 172.22.1.250:143
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 110 -j DNAT --to-destination 172.22.1.250:110
-A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 13306 -j DNAT --to-destination 172.22.1.10:3306
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 587 -j DNAT --to-destination 172.22.1.253:587
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 465 -j DNAT --to-destination 172.22.1.253:465
-A DOCKER -d 192.168.2.8/32 ! -i br-mailcow -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.22.1.253:25
COMMIT
# Completed on Mon May 16 18:02:42 2022

Which IP is that?

This IP:

-A MAILCOW -s 109.37.158.244/32 -j REJECT --reject-with icmp-port-unreachable

That is the IP of my phone, used for testing. But I can still connect.

Even when I add a drop or deny rule to other chains, it’s not blocking…

I now added the IP address to all chains and it’s still not blocking. I don’t know how this is possible.
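Two checks raised in this thread can be scripted: stgraber's point that a system mixing iptables and nftables has no guaranteed rule ordering, and the later question of why a REJECT rule in the MAILCOW chain does not bite. The Python below is an added example, not code from the thread or from LXD, mailcow or Docker. Its `iptables-save` and `nft list ruleset` texts are constructed and shortened after the outputs posted above, with the documentation address 198.51.100.7 standing in for the banned IP. It reports (1) iptables tables that `iptables-save` shows but `nft list ruleset` does not, which means they are held by the legacy x_tables backend and are invisible to nft (iptables-nft keeps its tables in nf_tables, where nft lists them as `table ip <name>`), and (2) for a given source address, the chain path from INPUT and FORWARD to the first REJECT/DROP rule matching it, together with every ACCEPT rule passed on the way, which are the candidates for shadowing the block.

```python
import re

# Constructed sample input, shortened after the iptables-save output posted in
# the thread; 198.51.100.7 is a documentation address standing in for the banned IP.
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
:MAILCOW - [0:0]
-A INPUT -j MAILCOW
-A FORWARD -j MAILCOW
-A FORWARD -j DOCKER-USER
-A FORWARD -o br-mailcow -j DOCKER
-A DOCKER -d 172.22.1.2/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER-USER -j RETURN
-A MAILCOW -s 198.51.100.7/32 -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
COMMIT
"""

# Constructed variant: an interface-wide ACCEPT placed before the jump to MAILCOW.
IPTABLES_SAVE_SHADOWED = IPTABLES_SAVE.replace(
    "-A INPUT -j MAILCOW", "-A INPUT -i eth0 -j ACCEPT\n-A INPUT -j MAILCOW")

# Constructed nft ruleset: a native inet table and an 'ip nat' table, but no
# 'table ip filter' even though iptables-save has a filter table.
NFT_RULESET = """\
table inet filter {
        chain forward {
                type filter hook forward priority filter; policy accept;
        }
}
table ip nat {
        chain PREROUTING {
                type nat hook prerouting priority dstnat; policy accept;
        }
}
"""


def parse_iptables_save(text):
    """Return {table: {chain: [rule, ...]}}, preserving rule order per chain."""
    tables, current = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            current = tables.setdefault(line[1:].strip(), {})
        elif line.startswith(":") and current is not None:
            current.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A ") and current is not None:
            chain, rule = line[3:].split(" ", 1)
            current.setdefault(chain, []).append(rule)
    return tables


def nft_tables(text):
    """Set of (family, name) pairs for every table in `nft list ruleset` output."""
    return set(re.findall(r"^table (\S+) (\S+) \{", text, re.M))


def tables_invisible_to_nft(ipt_text, nft_text):
    """iptables tables with no matching 'table ip <name>' in the nft ruleset:
    a table iptables-save shows but nft does not is held by legacy x_tables."""
    seen = nft_tables(nft_text)
    return sorted(t for t in parse_iptables_save(ipt_text) if ("ip", t) not in seen)


def trace_block(ipt_text, ip, table="filter", roots=("INPUT", "FORWARD")):
    """Walk each root chain in rule order, following -j into user chains, and
    return the first REJECT/DROP rule whose source matches `ip`, the chain path
    reaching it, and every ACCEPT passed before it (possible shadows; their other
    matches such as interface, port or conntrack state still need reading by hand)."""
    chains = parse_iptables_save(ipt_text).get(table, {})
    src = re.compile(r"(?<!! )-s %s(?:/32)?(?=\s|$)" % re.escape(ip))

    def walk(chain, path, accepts):
        for rule in chains.get(chain, []):
            m = re.search(r"-j (\S+)", rule)
            target = m.group(1) if m else None
            if target in ("REJECT", "DROP") and src.search(rule):
                return {"path": path + [chain], "rule": rule, "shadowed_by": list(accepts)}
            if target == "ACCEPT":
                accepts.append(f"{chain}: {rule}")
            elif target in chains and target not in path:
                hit = walk(target, path + [chain], accepts)
                if hit:
                    return hit
        return None

    return {root: walk(root, [], []) for root in roots}


if __name__ == "__main__":
    print("iptables tables nft cannot see:", tables_invisible_to_nft(IPTABLES_SAVE, NFT_RULESET))
    for root, hit in trace_block(IPTABLES_SAVE_SHADOWED, "198.51.100.7").items():
        print(root, "->", hit)
```

Run against real output, feed the script the text of `iptables-save` and `nft list ruleset` instead of the constructed strings. On the rulesets posted earlier in this thread, `nft list ruleset` lists `table ip6 filter` and `table ip6 nat` but no `table ip filter` or `table ip nat`, while `iptables-save` is full of IPv4 rules; that is exactly the pattern check (1) is built to flag. Check (2) on the posted filter table finds the MAILCOW rule first in both INPUT and FORWARD with no ACCEPT ahead of it, so shadowing inside this table is not the explanation, which is consistent with the tcpdump step suggested later in the thread.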

What interface is the incoming connection coming in on, and what is the target IP?

The interface of the incoming connection is eth0 with IP address 192.168.2.8.

The target IP is the mailcow IP (inside Docker).

It’s a weird one.

I suggest using tcpdump -nn -i <interface> on the docker bridge to check that the source address coming in is the one you are expecting.

Yes, it returns on the br-mailcow interface as expected.