Monitoring container traffic when using proxied ports

Hello!
I run a container (postfix/dovecot mailserver on debian) on a pi running raspberry pi os as host (probs not relevant, but anyway). I’ve just installed an ipset blacklist since discovering the multitude of nefarious connections and tedious brute-forcing attempts I’m now receiving. This has improved things considerably.
The connections to the host are passed through to the container using proxied ports. I assumed these would go via the bridge but that doesn’t appear to be the case (from listening to that iface with tcpdump).
I’d now like to record all attempts to connect to my mail server (imap or smtp) that get past the blacklist filtering.
If I just listen to my external nic, I see all packets before they get clobbered by the blacklist. If I listen inside the container, all connections appear to come from localhost. If I listen to the bridge I don’t see the traffic I’m interested in.
I’d like to do this with tcpdump if possible. Is there a way?
Many thanks,
G.

I think I was probably trying to do this in a non-standard way.
What I ended up doing:

  1. Logging successful connects with an iptables rule.
  2. Making sure the timezones in containers and host are the same.
  3. Combining the host log (for successful connects) with the relevant container logs to get the external ip.
    So a small amount of scripting.

Try using the “NAT mode” of proxying. This preserves the source IP address of connections.

Alternatively, you can use the proxy-protocol (which embeds the source IP address at the start of each TCP connection), but then your mail server has to be configured to handle connections using the proxy-protocol too.

1 Like

As @candlerb said, in this case you would enable the PROXY protocol here.

Incus supports the PROXY protocol in the proxy devices. What this means is that the Incus proxy process, forkproxy, which runs on the host, accepts connections and proxies them to your containers, adding the real IP address at the start of each TCP connection. Then the service (like Dovecot or Postfix) that supports the PROXY protocol, and has been configured by you for that, will parse the TCP connection accordingly, extract the source IP address from the start of the TCP connection and rewrite the source IP address properly.

For this to work, you need to add the option proxy_protocol=true to the Incus proxy device. Then, you need to configure the service in the container (like Postfix) to parse the PROXY protocol connection properly (you need to look into their documentation).

A suggestion would be to use a TLS termination proxy (in an Incus container) so that the proxy device diverts all incoming connections there; the TLS termination proxy then deals with unencrypted traffic and may send it to some mail security service in a container before delivering it to your actual mail server.

1 Like
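To show what the PROXY protocol described above actually puts at the start of each TCP connection, here is an added example (not code from Incus or from anyone in this thread): a parser for a version 1 PROXY header, run over a constructed sample of the bytes a mail service in the container would receive from forkproxy when the proxy device has proxy_protocol=true. The addresses and hostname in the sample are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample of what forkproxy hands the container service when the
# proxy device has proxy_protocol=true: a PROXY v1 line, then the client's data.
SAMPLE_CONNECTION = (b"PROXY TCP4 198.51.100.23 203.0.113.7 51234 25\r\n"
                     b"EHLO mail.example.test\r\n")
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # a binary v2 header starts with this
MAX_V1_HEADER = 107                        # longest legal v1 line, CRLF included

@dataclass
class ProxyInfo:
    family: str                 # TCP4, TCP6 or UNKNOWN
    src_ip: Optional[str]       # real client address, None for UNKNOWN
    dst_ip: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]

def parse_proxy_v1(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Split a PROXY v1 header off a connection; returns (info, payload).
    Raises ValueError on anything malformed: the receiver should then drop
    the connection rather than trust the (meaningless) transport peer address."""
    if data.startswith(V2_SIGNATURE):
        raise ValueError("PROXY v2 (binary) header; this parser handles v1 only")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF-terminated PROXY line within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    if len(fields) < 2 or fields[0] != "PROXY":
        raise ValueError("connection does not start with a PROXY line")
    if fields[1] == "UNKNOWN":          # proxy could not determine the client
        return ProxyInfo("UNKNOWN", None, None, None, None), data[end + 2:]
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError(f"malformed PROXY line: {fields!r}")
    family, src, dst, sport, dport = fields[1:]
    want = 4 if family == "TCP4" else 6
    for addr in (src, dst):             # both addresses must match the family
        if ipaddress.ip_address(addr).version != want:
            raise ValueError(f"{addr} is not an IPv{want} address")
    if not all(p.isdigit() and int(p) <= 65535 for p in (sport, dport)):
        raise ValueError("port is not a number in 0..65535")
    return ProxyInfo(family, src, dst, int(sport), int(dport)), data[end + 2:]

def log_record(info: ProxyInfo, service: str) -> str:
    """One log line carrying the real client address, the detail the host log lacks."""
    if info.family == "UNKNOWN":
        return f"{service} connect from unknown source (PROXY UNKNOWN)"
    return f"{service} connect from {info.src_ip}:{info.src_port} to port {info.dst_port}"
```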