Hello!
I run a container (Postfix/Dovecot mailserver on Debian) on a Pi running Raspberry Pi OS as host (probs not relevant, but anyway). I’ve just installed an ipset blacklist since discovering the multitude of nefarious connections and tedious brute-forcing attempts I’m now receiving. This has improved things considerably.
The connections to the host are passed through to the container using proxied ports. I assumed these would go via the bridge but that doesn’t appear to be the case (from listening to that iface with tcpdump).
I’d now like to record all attempts to connect to my mail server (IMAP or SMTP) that get past the blacklist filtering.
If I just listen to my external NIC, I see all packets before they get clobbered by the blacklist. If I listen inside the container, all connections appear to come from localhost. If I listen to the bridge, I don’t see the traffic I’m interested in.
I’d like to do this with tcpdump if possible. Is there a way?
Many thanks,
G.