Hi All, I enabled fail2ban to ban ip if failed login is more then 3 times. When i try this i see that my public ip of my phone is blocked. [upl-image-preview url=https://community.mailcow.email/assets/files/2022-04-14/1649973007-406758-image.png] However i can still login in sogo. it does not block me? any advise on this. kind regards, Chris

these are the ip adresses in kvm and docker. [upl-image-preview url=https://community.mailcow.email/assets/files/2022-04-25/1650912292-842030-image.png] all client ip adresses are logged correctly. logs showing ips are banned but i still can connect with this ip adres to all services??

Fail2ban mailcow not working

Ckruijntjens

Hi All,

I enabled fail2ban to ban ip if failed login is more then 3 times. When i try this i see that my public ip of my phone is blocked.

However i can still login in sogo. it does not block me?

any advise on this.

kind regards,

Chris

Ckruijntjens

anyone?

KillVirus

Take a look weather your firewall outside your docker is working probably. Eg. sudo nft list ruleset. If you make changes or restarts it might have an individual startup sequence. So for example first restart nft, then fail2ban then docker for example. So try to restart your docker system.

Ckruijntjens

KillVirus

is this not arranged inside docker? fail2ban and the firewall??

do i need to install it on the host outside the docker?

Ckruijntjens

Ckruijntjens @KillVirus

In the log i see

Banning 109.36.156.125/32 for 30 minutes

however everything keeps working for this ip adres. if i run your command in cli

sudo nft list ruleset

i dont see the blocked ip adres….. how to troubleshoot this???

KillVirus

Ckruijntjens could it be the problem that i run mailcow behind an nginx reverse proxy server???

don’t think so, mailcow might only see the ip from the host system so all access should be banned. But that’s not the problem you have.

Ckruijntjens is this not arranged inside docker? fail2ban and the firewall??

It is inside the container. But I think docker in general needs the access to the firewall on the host system.

Ckruijntjens i dont see the blocked ip adres….. how to troubleshoot this???

that’s ok the baned ip for sogo is within the container. Here it doesn’t shown in the ruleset either but the IP is banned anyway for all services on the host.

Ckruijntjens ERROR: Failed to Setup IP tables:

For me it seems that your ruleset might be the problem. I can’t see any “chain INPUT” I guess it should be default. You might want to continue your search in that way:
https://stackoverflow.com/questions/53766558/iptables-no-chain-target-match-error-with-docker-network-create

Ckruijntjens

hmmm i receve this when rebooting….

Creating network “mailcowdockerized_mailcow-network” with driver “bridge”
ERROR: Failed to Setup IP tables: Unable to enable SKIP DNAT rule: (iptables failed: iptables –wait -t nat -I DOCKER -i br-mailcow -j RETURN: iptables: No chain/target/match by that name.
(exit status 1))

Ckruijntjens

hmmm error is gone after doing this

docker-compose down
systemctl stop docker
iptables -F
systemctl start docker
docker-compose up -d

however bans are not working……….

Ckruijntjens

could it be the problem that i run mailcow behind an nginx reverse proxy server???

allredeay checked that and all public ip adresses are recorded correctly.

where to go from here?

Ckruijntjens

these are the ip adresses in kvm and docker.

all client ip adresses are logged correctly. logs showing ips are banned but i still can connect with this ip adres to all services??

Ckruijntjens

@KillVirus

i tried everything but it seems that its yust not working in my setup…..

this is the output of nft list ruleset

`root@mail:/opt/mailcow-dockerized# sudo nft list ruleset
table ip nat {
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != “br-mailcow” ip saddr 172.22.1.0/24 counter packets 74 bytes 5222 masquerade
oifname != “docker0” ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
oifname != “br-01f569c9d095” ip saddr 172.18.0.0/16 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.249 ip daddr 172.22.1.249 tcp dport 6379 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.3 ip daddr 172.22.1.3 tcp dport 8983 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.9 ip daddr 172.22.1.9 tcp dport 3306 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.11 ip daddr 172.22.1.11 tcp dport 443 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.11 ip daddr 172.22.1.11 tcp dport 80 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 12345 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 4190 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 995 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 993 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 143 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.250 ip daddr 172.22.1.250 tcp dport 110 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.253 ip daddr 172.22.1.253 tcp dport 587 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.253 ip daddr 172.22.1.253 tcp dport 465 counter packets 0 bytes 0 masquerade
meta l4proto tcp ip saddr 172.22.1.253 ip daddr 172.22.1.253 tcp dport 25 counter packets 0 bytes 0 masquerade
}

    chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            fib daddr type local counter packets 247 bytes 14868 jump DOCKER
    }

    chain OUTPUT {
            type nat hook output priority -100; policy accept;
            ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
    }

    chain DOCKER {
            iifname "br-mailcow" counter packets 0 bytes 0 return
            iifname "docker0" counter packets 0 bytes 0 return
            iifname "br-01f569c9d095" counter packets 0 bytes 0 return
            iifname != "br-mailcow" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 7654 counter packets 0 bytes 0 dnat to 172.22.1.249:6379
            iifname != "br-mailcow" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 18983 counter packets 0 bytes 0 dnat to 172.22.1.3:8983
            iifname != "br-mailcow" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 13306 counter packets 0 bytes 0 dnat to 172.22.1.9:3306
            iifname != "br-mailcow" meta l4proto tcp ip daddr 192.168.2.8 tcp dport 443 counter packets 227 bytes 13620 dnat to 172.22.1.11:443
            iifname != "br-mailcow" meta l4proto tcp ip daddr 192.168.2.8 tcp dport 80 counter packets 0 bytes 0 dnat to 172.22.1.11:80
            iifname != "br-mailcow" meta l4proto tcp ip daddr 127.0.0.1 tcp dport 19991 counter packets 0 bytes 0 dnat to 172.22.1.250:12345
            iifname != "br-mailcow" meta l4proto tcp ip daddr 192.168.2.8 tcp dport 4190 counter packets 0 bytes 0 dnat to 172.22.1.250:4190
            iifname != "br-mailcow" meta l4proto tcp ip daddr 192.168.2.8 tcp dport 995 counter packets 0 bytes 0 dnat to 172.22.1.250:995
            iifname != "br-mailcow" meta l4proto tcp ip daddr 192.168.2.8 tcp dport 993 counter packets 0 bytes 0 dnat to 172.22.1.250:993
            iifname != "br-mailcow" meta l4proto tcp ip daddr 192.168.2.8 tcp dport 143 counter packets 0 bytes 0 dnat to 172.22.1.250:143
            iifname != "br-mailcow" meta l4proto tcp ip daddr 192.168.2.8 tcp dport 110 counter packets 0 bytes 0 dnat to 172.22.1.250:110
            iifname != "br-mailcow" meta l4proto tcp ip daddr 192.168.2.8 tcp dport 587 counter packets 0 bytes 0 dnat to 172.22.1.253:587
            iifname != "br-mailcow" meta l4proto tcp ip daddr 192.168.2.8 tcp dport 465 counter packets 0 bytes 0 dnat to 172.22.1.253:465
            iifname != "br-mailcow" meta l4proto tcp ip daddr 192.168.2.8 tcp dport 25 counter packets 0 bytes 0 dnat to 172.22.1.253:25
    }

}
table ip filter {
chain DOCKER {
iifname != “br-mailcow” oifname “br-mailcow” meta l4proto tcp ip daddr 172.22.1.249 tcp dport 6379 counter packets 0 bytes 0 accept
iifname != “br-mailcow” oifname “br-mailcow” meta l4proto tcp ip daddr 172.22.1.3 tcp dport 8983 counter packets 0 bytes 0 accept
iifname != “br-mailcow” oifname “br-mailcow” meta l4proto tcp ip daddr 172.22.1.9 tcp dport 3306 counter packets 0 bytes 0 accept
iifname != “br-mailcow” oifname “br-mailcow” meta l4proto tcp ip daddr 172.22.1.11 tcp dport 443 counter packets 227 bytes 13620 accept
iifname != “br-mailcow” oifname “br-mailcow” meta l4proto tcp ip daddr 172.22.1.11 tcp dport 80 counter packets 0 bytes 0 accept
iifname != “br-mailcow” oifname “br-mailcow” meta l4proto tcp ip daddr 172.22.1.250 tcp dport 12345 counter packets 0 bytes 0 accept
iifname != “br-mailcow” oifname “br-mailcow” meta l4proto tcp ip daddr 172.22.1.250 tcp dport 4190 counter packets 0 bytes 0 accept
iifname != “br-mailcow” oifname “br-mailcow” meta l4proto tcp ip daddr 172.22.1.250 tcp dport 995 counter packets 0 bytes 0 accept
iifname != “br-mailcow” oifname “br-mailcow” meta l4proto tcp ip daddr 172.22.1.250 tcp dport 993 counter packets 0 bytes 0 accept
iifname != “br-mailcow” oifname “br-mailcow” meta l4proto tcp ip daddr 172.22.1.250 tcp dport 143 counter packets 0 bytes 0 accept
iifname != “br-mailcow” oifname “br-mailcow” meta l4proto tcp ip daddr 172.22.1.250 tcp dport 110 counter packets 0 bytes 0 accept
iifname != “br-mailcow” oifname “br-mailcow” meta l4proto tcp ip daddr 172.22.1.253 tcp dport 587 counter packets 0 bytes 0 accept
iifname != “br-mailcow” oifname “br-mailcow” meta l4proto tcp ip daddr 172.22.1.253 tcp dport 465 counter packets 0 bytes 0 accept
iifname != “br-mailcow” oifname “br-mailcow” meta l4proto tcp ip daddr 172.22.1.253 tcp dport 25 counter packets 0 bytes 0 accept
}

    chain DOCKER-ISOLATION-STAGE-1 {
            iifname "br-mailcow" oifname != "br-mailcow" counter packets 4705 bytes 17341525 jump DOCKER-ISOLATION-STAGE-2
            iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
            iifname "br-01f569c9d095" oifname != "br-01f569c9d095" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
            counter packets 63132 bytes 302175167 return
    }

    chain FORWARD {
            type filter hook forward priority filter; policy drop;
            counter packets 63132 bytes 302175167 jump DOCKER-USER
            counter packets 63132 bytes 302175167 jump DOCKER-ISOLATION-STAGE-1
            oifname "br-mailcow" ct state related,established counter packets 56180 bytes 284691934 accept
            oifname "br-mailcow" counter packets 2247 bytes 141708 jump DOCKER
            iifname "br-mailcow" oifname != "br-mailcow" counter packets 4705 bytes 17341525 accept
            iifname "br-mailcow" oifname "br-mailcow" counter packets 2013 bytes 127716 accept
            oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
            oifname "docker0" counter packets 0 bytes 0 jump DOCKER
            iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
            iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
            oifname "br-01f569c9d095" ct state related,established counter packets 0 bytes 0 accept
            oifname "br-01f569c9d095" counter packets 0 bytes 0 jump DOCKER
            iifname "br-01f569c9d095" oifname != "br-01f569c9d095" counter packets 0 bytes 0 accept
            iifname "br-01f569c9d095" oifname "br-01f569c9d095" counter packets 0 bytes 0 accept
    }

    chain DOCKER-USER {
            counter packets 119263 bytes 571386023 return
    }

    chain DOCKER-ISOLATION-STAGE-2 {
            oifname "br-mailcow" counter packets 0 bytes 0 drop
            oifname "docker0" counter packets 0 bytes 0 drop
            oifname "br-01f569c9d095" counter packets 0 bytes 0 drop
            counter packets 4705 bytes 17341525 return
    }

}
table ip6 nat {
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != “docker0” ip6 saddr fd00:dead:beef:c0::/80 counter packets 0 bytes 0 masquerade
}

    chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            fib daddr type local counter packets 0 bytes 0 jump DOCKER
    }

    chain OUTPUT {
            type nat hook output priority -100; policy accept;
            ip6 daddr != ::1 fib daddr type local counter packets 0 bytes 0 jump DOCKER
    }

    chain DOCKER {
            iifname "docker0" counter packets 0 bytes 0 return
    }

}
table ip6 filter {
chain DOCKER {
}

    chain DOCKER-ISOLATION-STAGE-1 {
            iifname "br-mailcow" oifname != "br-mailcow" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
            iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
            iifname "br-01f569c9d095" oifname != "br-01f569c9d095" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
            counter packets 0 bytes 0 return
    }

    chain FORWARD {
            type filter hook forward priority filter; policy drop;
            counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
            oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
            oifname "docker0" counter packets 0 bytes 0 jump DOCKER
            iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
            iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
    }

    chain DOCKER-ISOLATION-STAGE-2 {
            oifname "br-mailcow" counter packets 0 bytes 0 drop
            oifname "docker0" counter packets 0 bytes 0 drop
            oifname "br-01f569c9d095" counter packets 0 bytes 0 drop
            counter packets 0 bytes 0 return
    }

}
`

Ckruijntjens

KillVirus

well on the host where docker is running on i notised that nfstables was running. so i disabled this. but what services regarding to iptables should be running on the host?

Ckruijntjens

KillVirus

now i have a chain input….. but still not working…

root@mail:~# iptables -L

Warning: iptables-legacy tables present, use iptables-legacy to see them

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all – anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp – anywhere 172.22.1.2 tcp dpt:8983
ACCEPT tcp – anywhere 172.22.1.249 tcp dpt:redis
ACCEPT tcp – anywhere 172.22.1.4 tcp dpt:https
ACCEPT tcp – anywhere 172.22.1.4 tcp dpt:http
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:12345
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:sieve
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3s
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imaps
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imap2
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3
ACCEPT tcp – anywhere 172.22.1.5 tcp dpt:mysql
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:submission
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:submissions
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:smtp

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all – anywhere anywhere
DROP all – anywhere anywhere
DROP all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

Ckruijntjens

Ckruijntjens however when i disable this still no chain input………

KillVirus

Ckruijntjens

nftable works here like charm. That’s not the problem. Yeah the “input” Table might be comes initially with nftable. So shutdown docker and configure your firewall from the very beginning. I would suggest.

KillVirus

Ckruijntjens Warning: iptables-legacy tables present, use iptables-legacy to see them

you do have a warning… check google. You might want to purge iptables. You might have problems with the mixture of the 2 firewalls: iptable and nftable.

Ckruijntjens

KillVirus

hi but i never configured the firewall on the mailcow system……..

is there an option to reset the firewall?

KillVirus

It has nothing to do with mailcow or docker. Configure your firewall on your host the right way. I’m pretty sure docker and mailcow will then work.

Ckruijntjens

KillVirus

ok can you help me with this? please? i dont know where to start. what i did was yust instal mailcow and configure domain etc etc…….

Ckruijntjens

KillVirus do i need both? iptables and nfstables

KillVirus

KillVirus You might want to purge iptables
Ckruijntjens do i need both? iptables and nftables
[ ] I read what you wrote.

For me it works to purge (remove) iptable and working only with nftable. You will find some instructions to setup a firewall on your system in the web.