I would like to use this using the following command:
iptables -I DOCKER-USER -s 222.235.0.0/16 -j DROP

This works as long as I don’t reboot.
When I reboot the server I lose the iptables that was set.

Is there any way to save this so it is there after reboot?

  • Yea. Got it working. That was easier than I thought. Reading the Arch wiki helped.
    All I needed to do was enable the iptables service and start it.
    Rebooted and there it was.

    Chain DOCKER-USER (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 DROP       0    --  *      *       222.235.0.0/16       0.0.0.0/0
      480 69295 RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain MAILCOW (2 references)
     pkts bytes target     prot opt in     out     source               destination
    

    Thanks for the help everyone.
    Now on to my next project.

    Now should I replace iptables with nftables?
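    As an added example (not the poster's or mailcow's code), a small POSIX shell script that does what the answer above describes on Arch: insert the DROP into DOCKER-USER only if it is not already there, write the running ruleset to the file iptables.service restores at boot, enable the service, and confirm the rule is in the saved file. The rules-file path and service name are assumptions taken from the Arch wiki, and the sample iptables-save output is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: persist a DOCKER-USER DROP rule on Arch.
# Assumption (from the Arch wiki, not verified on the poster's host): iptables.service
# restores /etc/iptables/iptables.rules at boot. The path can be overridden via env.
RULES_FILE="${RULES_FILE:-/etc/iptables/iptables.rules}"

# Accept only dotted-quad/prefix input so a typo cannot turn into an over-broad DROP.
valid_cidr() {
    printf '%s\n' "$1" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Pure text check: does iptables-save output on stdin contain the DOCKER-USER DROP
# for this CIDR? Used to verify what was written to disk, not just the live ruleset.
rule_saved() {
    grep -qxF -- "-A DOCKER-USER -s $1 -j DROP"
}

# Idempotently insert the rule at the top of DOCKER-USER (ahead of Docker's RETURN),
# save the ruleset where the service restores it, and enable the service.
block_cidr() {
    cidr="$1"
    valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    # -C reports whether the rule already exists; only insert when it is missing,
    # so re-running the script does not stack duplicate rules.
    iptables -C DOCKER-USER -s "$cidr" -j DROP 2>/dev/null \
        || iptables -I DOCKER-USER -s "$cidr" -j DROP
    iptables-save > "$RULES_FILE"
    systemctl enable --now iptables.service
    rule_saved "$cidr" < "$RULES_FILE"
}

# Constructed sample of iptables-save output (not captured from the poster's server).
SAMPLE_SAVED='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A DOCKER-USER -s 222.235.0.0/16 -j DROP
-A DOCKER-USER -j RETURN
COMMIT'

# Usage: sh persist-block.sh 222.235.0.0/16
if [ "$#" -gt 0 ]; then
    block_cidr "$1"
fi
```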

  • nso


    Have you tried, if you have access to apt, iptables-persistent?


    I am on Arch and there is no such package.
    I have tried some iptables on Arch but it doesn’t seem to work inside the docker install.

    Thanks for that info. As far as using Arch, this is an experiment for me and if I can help in any way to get it supported let me know.
    I have been using it for a few months now without any issues.
    I only have one mailbox setup but all is working fine and I have been updating Arch daily.
    I am using the lts kernel.
    Thanks
    Dan

      maybl8 wrote: “to get it supported”

      I guess it won’t happen, because a rolling release is a nightmare for any production deployment. This is what I can say after working 35 years in a large IT corporation with operations responsibility. I am not aware of a single one of our customers who would want a rolling release OS for a mail system. They even complain about the rolling releases of Office 365.

      Well, it’s my own personal mail server. Kind of a learning tool for me. So whatever happens only affects me. I have been using Arch for a few months now and no major issues with any of the systems I have installed it on. I am one of the Linux users that likes having the latest packages to use. I think a rolling release is the way to go for me. With Linux packages always improving every day and new features being added to them that bring them up to date with the latest technology, it is the way to go. Yes, it requires some attention to detail but it is not unreliable to use. I was using Debian as my last mail server and it was ok until it needed upgrading, and then it was a pain to get everything working again after a major update. I was using iRedMail and that was fine until it needed updating. That was a real challenge. So I found mailcow and am learning about this docker stuff. Thanks for listening.
      Take care
      Dan

      I installed iptables on the system outside of docker, and when I listed what rules it had I saw this. It looks like the docker rules are listed.

      [demo@mail ~]$ sudo iptables -nvL
      [sudo] password for demo:
      Chain INPUT (policy ACCEPT 22222 packets, 39M bytes)
       pkts bytes target     prot opt in     out     source               destination
      22222   39M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0
      
      Chain FORWARD (policy DROP 0 packets, 0 bytes)
       pkts bytes target     prot opt in     out     source               destination
      11813 2987K MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0
      3641K 1152M DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0
      3641K 1152M DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0
          0     0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
          0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0
          0     0 ACCEPT     0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
          0     0 ACCEPT     0    --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
      3013K 1079M ACCEPT     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       310K   19M DOCKER     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
       318K   53M ACCEPT     0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
       296K   18M ACCEPT     0    --  br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0
      
      Chain OUTPUT (policy ACCEPT 11326 packets, 747K bytes)
       pkts bytes target     prot opt in     out     source               destination
      
      Chain DOCKER (2 references)
       pkts bytes target     prot opt in     out     source               destination
       5938  350K ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.4           tcp dpt:443
       5981  352K ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.4           tcp dpt:80
          0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.5           tcp dpt:3306
        518 30312 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
          0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
        977 51240 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
          0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
          0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
          0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
          0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
        470 28460 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
          0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
          0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
          0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.13          tcp dpt:8983
      
      Chain DOCKER-ISOLATION-STAGE-1 (1 references)
       pkts bytes target     prot opt in     out     source               destination
          0     0 DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
       318K   53M DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0
      3641K 1152M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
      
      Chain DOCKER-ISOLATION-STAGE-2 (2 references)
       pkts bytes target     prot opt in     out     source               destination
          0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0
          0     0 DROP       0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0
       318K   53M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
      
      Chain DOCKER-USER (1 references)
       pkts bytes target     prot opt in     out     source               destination
      3641K 1152M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
      
      Chain MAILCOW (2 references)
       pkts bytes target     prot opt in     out     source               destination

      Well, I added a DOCKER-USER rule. Saved it with the iptables save command. Rebooted and it isn’t there.
      Back to the drawing board.

      Chain DOCKER-USER (1 references)
       pkts bytes target     prot opt in     out     source               destination
      10380 2768K RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0
      

