MAILCOW target is in position 2 in the ip forward table #6241

Open
5 tasks done
ash-development opened this issue Jan 12, 2025 · 4 comments

Contribution guidelines

I've found a bug and checked that ...

  • ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
  • ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
  • ... I have understood that answers are voluntary and community-driven, and not commercial support.
  • ... I have verified that my issue has not been already answered in the past. I also checked previous issues.

Description

I'm trying to start my mailcow installation up and I'm getting this error: `netfilter-mailcow-1 | MAILCOW target is in position 2 in the ip forward table, restarting container to fix it...`

No matter what I try to do with iptables, it doesn't do anything. I restarted my server and this just started happening all of a sudden. This is what my iptables looks like:

root@ASHubuntu:/opt/mailcow-dockerized# sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy DROP)
num  target     prot opt source               destination         
1    DOCKER-USER  all  --  anywhere             anywhere            
2    DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere            
3    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
4    DOCKER     all  --  anywhere             anywhere            
5    ACCEPT     all  --  anywhere             anywhere            
6    ACCEPT     all  --  anywhere             anywhere            
7    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
8    DOCKER     all  --  anywhere             anywhere            
9    ACCEPT     all  --  anywhere             anywhere            
10   ACCEPT     all  --  anywhere             anywhere            
11   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
12   DOCKER     all  --  anywhere             anywhere            
13   ACCEPT     all  --  anywhere             anywhere            
14   ACCEPT     all  --  anywhere             anywhere            
15   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
16   DOCKER     all  --  anywhere             anywhere            
17   ACCEPT     all  --  anywhere             anywhere            
18   ACCEPT     all  --  anywhere             anywhere            
19   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
20   DOCKER     all  --  anywhere             anywhere            
21   ACCEPT     all  --  anywhere             anywhere            
22   ACCEPT     all  --  anywhere             anywhere            
23   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
24   DOCKER     all  --  anywhere             anywhere            
25   ACCEPT     all  --  anywhere             anywhere            
26   ACCEPT     all  --  anywhere             anywhere            
27   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
28   DOCKER     all  --  anywhere             anywhere            
29   ACCEPT     all  --  anywhere             anywhere            
30   ACCEPT     all  --  anywhere             anywhere            
31   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
32   DOCKER     all  --  anywhere             anywhere            
33   ACCEPT     all  --  anywhere             anywhere            
34   ACCEPT     all  --  anywhere             anywhere            
35   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
36   DOCKER     all  --  anywhere             anywhere            
37   ACCEPT     all  --  anywhere             anywhere            
38   ACCEPT     all  --  anywhere             anywhere            
39   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
40   DOCKER     all  --  anywhere             anywhere            
41   ACCEPT     all  --  anywhere             anywhere            
42   ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
43   DOCKER     all  --  anywhere             anywhere            
44   ACCEPT     all  --  anywhere             anywhere            
45   ACCEPT     all  --  anywhere             anywhere            
46   DROP       all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain DOCKER (11 references)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  anywhere             172.28.0.2           tcp dpt:mysql
2    ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:8000
3    ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:9443
4    ACCEPT     tcp  --  anywhere             172.27.0.2           tcp dpt:5055
5    ACCEPT     tcp  --  anywhere             172.19.0.2           tcp dpt:7575
6    ACCEPT     tcp  --  anywhere             172.23.0.2           tcp dpt:3000
7    ACCEPT     tcp  --  anywhere             172.26.0.3           tcp dpt:3000
8    ACCEPT     tcp  --  anywhere             172.29.0.4           tcp dpt:http
9    ACCEPT     tcp  --  anywhere             172.23.0.5           tcp dpt:redis
10   ACCEPT     tcp  --  anywhere             172.29.0.2           tcp dpt:mysql

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num  target     prot opt source               destination         
1    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
2    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
3    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
4    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
5    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
6    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
7    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
8    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
9    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
10   DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
11   DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere            
12   RETURN     all  --  anywhere             anywhere            

Chain DOCKER-ISOLATION-STAGE-2 (11 references)
num  target     prot opt source               destination         
1    DROP       all  --  anywhere             anywhere            
2    DROP       all  --  anywhere             anywhere            
3    DROP       all  --  anywhere             anywhere            
4    DROP       all  --  anywhere             anywhere            
5    DROP       all  --  anywhere             anywhere            
6    DROP       all  --  anywhere             anywhere            
7    DROP       all  --  anywhere             anywhere            
8    DROP       all  --  anywhere             anywhere            
9    DROP       all  --  anywhere             anywhere            
10   DROP       all  --  anywhere             anywhere            
11   DROP       all  --  anywhere             anywhere            
12   RETURN     all  --  anywhere             anywhere            

Chain DOCKER-USER (1 references)
num  target     prot opt source               destination         
1    RETURN     all  --  anywhere             anywhere            

Chain ts-forward (0 references)
num  target     prot opt source               destination         

Chain ts-input (0 references)
num  target     prot opt source               destination  


Logs:

https://pastes.dev/VRhMDhaICW

Steps to reproduce:

1. Start mailcow up
2. Wait for it to show the error

Which branch are you using?

master

Which architecture are you using?

x86

Operating System:

Ubuntu 22.04.5 LTS

Server/VM specifications:

8 vCPU / 16GB ram

Is Apparmor, SELinux or similar active?

no

Virtualization technology:

none

Docker version:

27.4.0

docker-compose version or docker compose version:

v2.31.0

mailcow version:

2024-11b

Reverse proxy:

apache2

Logs of git diff:

none

Logs of iptables -L -vn:

root@ASHubuntu:/opt/mailcow-dockerized# iptables -L -vn
Chain INPUT (policy ACCEPT 113K packets, 24M bytes)
 pkts bytes target     prot opt in     out     source               destination         
  715  120K MAILCOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */

Chain FORWARD (policy DROP 243 packets, 30576 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   62  8441 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  923  113K MAILCOW    all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
27499   11M DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
16858 8956K ACCEPT     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
 1879  131K DOCKER     all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
 2610  216K ACCEPT     all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
 1877  130K ACCEPT     all  --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0           
   16  6223 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    44 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
   18  5272 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      br-8d63cc3e44b9  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-8d63cc3e44b9  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-8d63cc3e44b9 !br-8d63cc3e44b9  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-8d63cc3e44b9 br-8d63cc3e44b9  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      br-1bdafecfff4c  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-1bdafecfff4c  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-1bdafecfff4c !br-1bdafecfff4c  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-1bdafecfff4c br-1bdafecfff4c  0.0.0.0/0            0.0.0.0/0           
  144  126K ACCEPT     all  --  *      br-8fd69de1668f  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    3   180 DOCKER     all  --  *      br-8fd69de1668f  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-8fd69de1668f !br-8fd69de1668f  0.0.0.0/0            0.0.0.0/0           
    3   180 ACCEPT     all  --  br-8fd69de1668f br-8fd69de1668f  0.0.0.0/0            0.0.0.0/0           
  731  583K ACCEPT     all  --  *      br-24b1bebd5e23  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-24b1bebd5e23  0.0.0.0/0            0.0.0.0/0           
  622  109K ACCEPT     all  --  br-24b1bebd5e23 !br-24b1bebd5e23  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-24b1bebd5e23 br-24b1bebd5e23  0.0.0.0/0            0.0.0.0/0           
   34  1360 ACCEPT     all  --  *      br-1b95ca8517c0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   34  2040 DOCKER     all  --  *      br-1b95ca8517c0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-1b95ca8517c0 !br-1b95ca8517c0  0.0.0.0/0            0.0.0.0/0           
   34  2040 ACCEPT     all  --  br-1b95ca8517c0 br-1b95ca8517c0  0.0.0.0/0            0.0.0.0/0           
 6299 1194K ACCEPT     all  --  *      br-d83b946729c9  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   11   660 DOCKER     all  --  *      br-d83b946729c9  0.0.0.0/0            0.0.0.0/0           
   21  1764 ACCEPT     all  --  br-d83b946729c9 !br-d83b946729c9  0.0.0.0/0            0.0.0.0/0           
   11   660 ACCEPT     all  --  br-d83b946729c9 br-d83b946729c9  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      br-ae31963844f6  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-ae31963844f6  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-ae31963844f6 !br-ae31963844f6  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-ae31963844f6 br-ae31963844f6  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      br-30a8242fa518  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      br-30a8242fa518  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-30a8242fa518 !br-30a8242fa518  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br-30a8242fa518 br-30a8242fa518  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  docker_gwbridge docker_gwbridge  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 190K packets, 44M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (11 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  !br-30a8242fa518 br-30a8242fa518  0.0.0.0/0            172.28.0.2           tcp dpt:3306
    0     0 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:8000
    1    44 ACCEPT     tcp  --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:9443
    0     0 ACCEPT     tcp  --  !br-24b1bebd5e23 br-24b1bebd5e23  0.0.0.0/0            172.27.0.2           tcp dpt:5055
    0     0 ACCEPT     tcp  --  !br-ae31963844f6 br-ae31963844f6  0.0.0.0/0            172.19.0.2           tcp dpt:7575
    0     0 ACCEPT     tcp  --  !br-d83b946729c9 br-d83b946729c9  0.0.0.0/0            172.23.0.2           tcp dpt:3000
    0     0 ACCEPT     tcp  --  !br-8fd69de1668f br-8fd69de1668f  0.0.0.0/0            172.26.0.3           tcp dpt:3000
    0     0 ACCEPT     tcp  --  !br-1b95ca8517c0 br-1b95ca8517c0  0.0.0.0/0            172.29.0.4           tcp dpt:80
    0     0 ACCEPT     tcp  --  !br-d83b946729c9 br-d83b946729c9  0.0.0.0/0            172.23.0.5           tcp dpt:6379
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.5           tcp dpt:8983
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.6           tcp dpt:3306
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.8           tcp dpt:88
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.8           tcp dpt:444
    0     0 ACCEPT     tcp  --  !br-1b95ca8517c0 br-1b95ca8517c0  0.0.0.0/0            172.29.0.2           tcp dpt:3306
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
    0     0 ACCEPT     tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2610  216K DOCKER-ISOLATION-STAGE-2  all  --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
   18  5272 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-8d63cc3e44b9 !br-8d63cc3e44b9  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-1bdafecfff4c !br-1bdafecfff4c  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-8fd69de1668f !br-8fd69de1668f  0.0.0.0/0            0.0.0.0/0           
  622  109K DOCKER-ISOLATION-STAGE-2  all  --  br-24b1bebd5e23 !br-24b1bebd5e23  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-1b95ca8517c0 !br-1b95ca8517c0  0.0.0.0/0            0.0.0.0/0           
   21  1764 DOCKER-ISOLATION-STAGE-2  all  --  br-d83b946729c9 !br-d83b946729c9  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-ae31963844f6 !br-ae31963844f6  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker_gwbridge !docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  br-30a8242fa518 !br-30a8242fa518  0.0.0.0/0            0.0.0.0/0           
33516   13M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (11 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-8d63cc3e44b9  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-1bdafecfff4c  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-8fd69de1668f  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-24b1bebd5e23  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-1b95ca8517c0  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-d83b946729c9  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-ae31963844f6  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      docker_gwbridge  0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      br-30a8242fa518  0.0.0.0/0            0.0.0.0/0           
 3742  369K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
33663   13M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       tcp  --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            /* mailcow isolation */

Chain ts-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ts-input (0 references)
 pkts bytes target     prot opt in     out     source               destination

Logs of ip6tables -L -vn:

root@ASHubuntu:/opt/mailcow-dockerized# ip6tables -L -vn
Chain INPUT (policy ACCEPT 242K packets, 2154M bytes)
 pkts bytes target     prot opt in     out     source               destination         
  209 69529 MAILCOW    all      *      *       ::/0                 ::/0                 /* mailcow */
 244K 2155M ts-input   all      *      *       ::/0                 ::/0                

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   48  3079 DOCKER-USER  all      *      *       ::/0                 ::/0                
   84  5143 MAILCOW    all      *      *       ::/0                 ::/0                 /* mailcow */
15736 6502K DOCKER-ISOLATION-STAGE-1  all      *      *       ::/0                 ::/0                
 5051 5704K ACCEPT     all      *      br-mailcow  ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
 9809  716K DOCKER     all      *      br-mailcow  ::/0                 ::/0                
  876 81707 ACCEPT     all      br-mailcow !br-mailcow  ::/0                 ::/0                
 9809  716K ACCEPT     all      br-mailcow br-mailcow  ::/0                 ::/0                
    0     0 ts-forward  all      *      *       ::/0                 ::/0                

Chain OUTPUT (policy ACCEPT 156K packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:143
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:4190
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:993
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:995
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::b  tcp dpt:110
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:25
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:465
    0     0 ACCEPT     tcp      !br-mailcow br-mailcow  ::/0                 fd4d:6169:6c63:6f77::10  tcp dpt:587

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    1   101 DOCKER-ISOLATION-STAGE-2  all      br-mailcow !br-mailcow  ::/0                 ::/0                
  182 11947 RETURN     all      *      *       ::/0                 ::/0                

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all      *      br-mailcow  ::/0                 ::/0                
    1   101 RETURN     all      *      *       ::/0                 ::/0                

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
32844   11M RETURN     all      *      *       ::/0                 ::/0                

Chain MAILCOW (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ts-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MARK       all      tailscale0 *       ::/0                 ::/0                 MARK xset 0x40000/0xff0000
    0     0 ACCEPT     all      *      *       ::/0                 ::/0                 mark match 0x40000/0xff0000
    0     0 ACCEPT     all      *      tailscale0  ::/0                 ::/0                

Chain ts-input (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all      lo     *       fd7a:115c:a1e0::2e01:9c35  ::/0                
  543 89627 ACCEPT     all      tailscale0 *       ::/0                 ::/0                
 1720  158K ACCEPT     udp      *      *       ::/0                 ::/0                 udp dpt:41641

Logs of iptables -L -vn -t nat:

root@ASHubuntu:/opt/mailcow-dockerized# iptables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 24771 packets, 2298K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7853  772K DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 18033 packets, 1819K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 19286 packets, 1453K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  470 28272 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 18965 packets, 1302K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1532  113K MASQUERADE  all  --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0           
    3   206 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
    7   420 MASQUERADE  all  --  *      !br-d83b946729c9  172.23.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-8fd69de1668f  172.26.0.0/16        0.0.0.0/0           
  108  6480 MASQUERADE  all  --  *      !br-24b1bebd5e23  172.27.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-ae31963844f6  172.19.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-8d63cc3e44b9  192.168.16.0/20      0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !docker_gwbridge  172.24.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-30a8242fa518  172.28.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-1bdafecfff4c  172.25.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-1b95ca8517c0  172.29.0.0/16        0.0.0.0/0           
22776 1678K ts-postrouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-c9e5cb719475  172.21.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-82a6b78cb3e0  172.20.0.0/16        0.0.0.0/0           
   35  2717 MASQUERADE  all  --  *      !br-5134d757c582  172.19.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  all  --  *      !br-c88d36ae3b0c  172.18.0.0/16        0.0.0.0/0           
 3892  388K MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 MASQUERADE  tcp  --  *      *       172.28.0.2           172.28.0.2           tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:8000
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:9443
    0     0 MASQUERADE  tcp  --  *      *       172.27.0.2           172.27.0.2           tcp dpt:5055
    0     0 MASQUERADE  tcp  --  *      *       172.19.0.2           172.19.0.2           tcp dpt:7575
    0     0 MASQUERADE  tcp  --  *      *       172.23.0.2           172.23.0.2           tcp dpt:3000
    0     0 MASQUERADE  tcp  --  *      *       172.26.0.3           172.26.0.3           tcp dpt:3000
    0     0 MASQUERADE  tcp  --  *      *       172.29.0.4           172.29.0.4           tcp dpt:80
    0     0 MASQUERADE  tcp  --  *      *       172.23.0.5           172.23.0.5           tcp dpt:6379
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.249         172.22.1.249         tcp dpt:6379
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.5           172.22.1.5           tcp dpt:8983
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.6           172.22.1.6           tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:110
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:143
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:993
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:995
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:4190
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.250         172.22.1.250         tcp dpt:12345
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.8           172.22.1.8           tcp dpt:88
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.8           172.22.1.8           tcp dpt:444
    0     0 MASQUERADE  tcp  --  *      *       172.29.0.2           172.29.0.2           tcp dpt:3306
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:25
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:465
    0     0 MASQUERADE  tcp  --  *      *       172.22.1.253         172.22.1.253         tcp dpt:587

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   36  2160 RETURN     all  --  br-mailcow *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-8d63cc3e44b9 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-1bdafecfff4c *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-8fd69de1668f *       0.0.0.0/0            0.0.0.0/0           
   55  3300 RETURN     all  --  br-24b1bebd5e23 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-1b95ca8517c0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-d83b946729c9 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-ae31963844f6 *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  docker_gwbridge *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     all  --  br-30a8242fa518 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       tcp  --  !br-30a8242fa518 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6033 to:172.28.0.2:3306
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8000 to:172.17.0.2:8000
    1    44 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9443 to:172.17.0.2:9443
    0     0 DNAT       tcp  --  !br-24b1bebd5e23 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5055 to:172.27.0.2:5055
    0     0 DNAT       tcp  --  !br-ae31963844f6 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7575 to:172.19.0.2:7575
    0     0 DNAT       tcp  --  !br-d83b946729c9 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3001 to:172.23.0.2:3000
    0     0 DNAT       tcp  --  !br-8fd69de1668f *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3030 to:172.26.0.3:3000
    0     0 DNAT       tcp  --  !br-1b95ca8517c0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:808 to:172.29.0.4:80
    0     0 DNAT       tcp  --  !br-d83b946729c9 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9736 to:172.23.0.5:6379
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:18983 to:172.22.1.5:8983
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.6:3306
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:88 to:172.22.1.8:88
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:444 to:172.22.1.8:444
    0     0 DNAT       tcp  --  !br-1b95ca8517c0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6633 to:172.29.0.2:3306
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
    0     0 DNAT       tcp  --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587

Chain ts-postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x40000/0xff0000

Logs of ip6tables -L -vn -t nat:

root@ASHubuntu:/opt/mailcow-dockerized# ip6tables -L -vn -t nat
Chain PREROUTING (policy ACCEPT 4859 packets, 565K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  965  137K DOCKER     all      *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 2559 packets, 360K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 8733 packets, 823K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all      *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 5009 packets, 471K bytes)
 pkts bytes target     prot opt in     out     source               destination         
  842 78216 MASQUERADE  all      *      !br-mailcow  fd4d:6169:6c63:6f77::/64  ::/0                
    0     0 MASQUERADE  all      *      br-mailcow  ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL
 9286  864K ts-postrouting  all      *      *       ::/0                 ::/0                
 4382  405K MASQUERADE  all      *      eth0    ::/0                 ::/0                
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:110
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:143
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:993
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:995
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::b  fd4d:6169:6c63:6f77::b  tcp dpt:4190
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::10  fd4d:6169:6c63:6f77::10  tcp dpt:25
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::10  fd4d:6169:6c63:6f77::10  tcp dpt:465
    0     0 MASQUERADE  tcp      *      *       fd4d:6169:6c63:6f77::10  fd4d:6169:6c63:6f77::10  tcp dpt:587

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all      br-mailcow *       ::/0                 ::/0                
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:143 to:[fd4d:6169:6c63:6f77::b]:143
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:4190 to:[fd4d:6169:6c63:6f77::b]:4190
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:993 to:[fd4d:6169:6c63:6f77::b]:993
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:995 to:[fd4d:6169:6c63:6f77::b]:995
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:110 to:[fd4d:6169:6c63:6f77::b]:110
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:25 to:[fd4d:6169:6c63:6f77::10]:25
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:465 to:[fd4d:6169:6c63:6f77::10]:465
    0     0 DNAT       tcp      !br-mailcow *       ::/0                 ::/0                 tcp dpt:587 to:[fd4d:6169:6c63:6f77::10]:587

Chain ts-postrouting (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all      *      *       ::/0                 ::/0                 mark match 0x40000/0xff0000

DNS check:

root@ASHubuntu:/opt/mailcow-dockerized# docker exec -it $(docker ps -qf name=acme-mailcow) dig +short stackoverflow.com @172.22.1.254
172.64.155.249
104.18.32.7

ash-development commented Jan 12, 2025

seems similar to #5798 #5801 and #5628 but no real solution is given
edit: #5626 and #5735 have 'solutions' but no real ones & neither work.


ash-development commented Jan 14, 2025

I'm confused because everything I see online is saying that DOCKER-USER is ALWAYS put at # 1 in iptables, so why is mailcow asking to be # 1? It doesn't make sense to me 😵‍💫


ash-development commented Jan 14, 2025

Also tried it with a new installation, so it's nothing config-related :/ & DISABLE_NETFILTER_ISOLATION_RULE=Y does not work

@ash-development
Author

By some miracle it seems the following works - but this is definitely caused by a cached iptables configuration. 100% needs to be looked into

```
docker compose down
service docker stop
sudo ip6tables -X
sudo ip6tables -F
sudo ip6tables -X
sudo iptables -F
sudo iptables -X
service docker start
sudo ip6tables -L --line-numbers # just to make sure that the tables are clear
sudo iptables -L --line-numbers # same as above
docker compose up -d
```

it may take a couple runs for it to work successfully
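
A way to check the outcome of the steps above without reading the listing by eye, as an added example that is not part of the original comment or of mailcow's own code: it parses non-verbose `iptables -L --line-numbers` output and reports where a target sits in a chain. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `iptables -L --line-numbers` output (not copied from the issue).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DOCKER-USER  all  --  anywhere             anywhere
2    MAILCOW    all  --  anywhere             anywhere
3    DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere

Chain MAILCOW (1 references)
num  target     prot opt source               destination'

# target_position CHAIN TARGET: read a listing on stdin and print the rule
# number at which TARGET first appears in CHAIN (prints nothing if absent).
# Assumes the non-verbose column layout: num, target, prot, ...
target_position() {
    awk -v chain="$1" -v target="$2" '
        $1 == "Chain" { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+$/ && $2 == target { print $1; exit }
    '
}

# chain_rule_count CHAIN: read a listing on stdin and print how many rules
# CHAIN holds (0 means the chain is empty, e.g. right after a flush).
chain_rule_count() {
    awk -v chain="$1" '
        $1 == "Chain" { in_chain = ($2 == chain); next }
        in_chain && $1 ~ /^[0-9]+$/ { n++ }
        END { print n + 0 }
    '
}

# check_mailcow_first: succeed only when MAILCOW is rule 1 of FORWARD.
check_mailcow_first() {
    pos=$(target_position FORWARD MAILCOW)
    [ "$pos" = "1" ]
}

# On a live host (needs root):
#   iptables -L --line-numbers | check_mailcow_first && echo "MAILCOW is first"
```

With the constructed listing, `target_position FORWARD MAILCOW` prints 2, the same position the netfilter container complains about in this issue.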
