I still have the problem that, for whatever reason, Netfilter does not really get along with my setup. This message appears every minute: MAILCOW target is in position 2 in the ip input table, restarting container to fix it…

This is what my iptables look like. Could someone please take a look at it?

```
Chain INPUT (policy ACCEPT)
target prot opt source destination
MAILCOW all -- anywhere anywhere /* mailcow */
f2b-sshd tcp -- anywhere anywhere multiport dports ssh

Chain FORWARD (policy DROP)
target prot opt source destination
MAILCOW all -- anywhere anywhere /* mailcow */
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.22.1.5 tcp dpt:8983
ACCEPT tcp -- anywhere 172.22.1.249 tcp dpt:redis
ACCEPT tcp -- anywhere 172.22.1.6 tcp dpt:mysql
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:12345
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:sieve
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:pop3s
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:imaps
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:imap2
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:pop3
ACCEPT tcp -- anywhere 172.22.1.8 tcp dpt:https
ACCEPT tcp -- anywhere 172.22.1.8 tcp dpt:http
ACCEPT tcp -- anywhere 172.22.1.253 tcp dpt:submission
ACCEPT tcp -- anywhere 172.22.1.253 tcp dpt:submissions
ACCEPT tcp -- anywhere 172.22.1.253 tcp dpt:smtp

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain MAILCOW (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere /* mailcow isolation */

Chain f2b-sshd (1 references)
target prot opt source destination
REJECT all -- 219.140.143.211 anywhere reject-with icmp-port-unreachable
RETURN all -- anywhere anywhere
```
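A listing like the one above can be checked mechanically for which rule sits ahead of the MAILCOW jump. This is an added example, not part of the original posts or of mailcow's code; it assumes (as the log message suggests) that the jump to MAILCOW is expected to be rule 1 in INPUT and FORWARD, and the function names and the sample listing are constructed for illustration.

```python
import re

# Constructed sample in `iptables -L` format (not the poster's listing):
# another tool's jump sits ahead of MAILCOW in INPUT.
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
MAILCOW all -- anywhere anywhere /* mailcow */

Chain FORWARD (policy DROP)
target prot opt source destination
MAILCOW all -- anywhere anywhere /* mailcow */

Chain MAILCOW (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere /* mailcow isolation */
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(")

def parse_chains(listing):
    """Return {chain: [target, ...]} with targets in rule order."""
    chains, current = {}, None
    for line in listing.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), [])
        elif line and current is not None and not line.startswith(("target ", "num ")):
            fields = line.split()
            # With `--line-numbers` the rule number comes before the target.
            current.append(fields[1] if fields[0].isdigit() else fields[0])
    return chains

def target_position(chains, chain, target="MAILCOW"):
    """1-based position of the first jump to target, or None if absent."""
    rules = chains.get(chain, [])
    return rules.index(target) + 1 if target in rules else None

def misplaced(listing, watched=("INPUT", "FORWARD"), target="MAILCOW"):
    """Watched chains where target is missing or not rule 1 (assumed expectation)."""
    chains, report = parse_chains(listing), {}
    for chain in watched:
        pos = target_position(chains, chain, target)
        if pos != 1:
            ahead = chains.get(chain, [])[: pos - 1] if pos else []
            report[chain] = {"position": pos, "ahead": ahead}
    return report
```

Feeding it the output of `iptables -L` and `ip6tables -L` captured at the moment the log message appears shows which target occupies position 1 at that time.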

Hi everyone,

I have discovered a similar (or the same 🤔) problem.

I already noticed these log outputs during the last update, and today with the 'Febmooary 2024 Update' the same again:

(I am ONLY concerned with the ...in position 2 in the ip6 forward table, restarting container to fix it...)


netfilter-mailcow-1> Container logs:

```
# Warning: table ip nat is managed by iptables-nft, do not touch!
# Warning: table ip filter is managed by iptables-nft, do not touch!
# Warning: table ip6 filter is managed by iptables-nft, do not touch!
# Warning: table ip6 nat is managed by iptables-nft, do not touch!
Using NFTables backend
Clearing all bans
Clear completed: ip
Clear completed: ip6
Initializing mailcow netfilter chain
MAILCOW ip chain created successfully.
MAILCOW ip6 chain created successfully.
Setting MAILCOW isolation
Watching Redis channel F2B_CHANNEL
Whitelist was changed, it has 1 entries
MAILCOW target is in position 2 in the ip6 forward table, restarting container to fix it...
# Warning: table ip nat is managed by iptables-nft, do not touch!
# Warning: table ip filter is managed by iptables-nft, do not touch!
# Warning: table ip6 filter is managed by iptables-nft, do not touch!
# Warning: table ip6 nat is managed by iptables-nft, do not touch!
Using NFTables backend
Clearing all bans
Clear completed: ip
Clear completed: ip6
Initializing mailcow netfilter chain
MAILCOW ip chain created successfully.
MAILCOW ip6 chain created successfully.
Setting MAILCOW isolation
Watching Redis channel F2B_CHANNEL
Whitelist was changed, it has 1 entries
```

So far I know absolutely NOTHING about IP tables! 😄

This also shows up in the "Mailcow Admin Backend" logs:

What do I need to do?
What information do you need?

Thanks and best regards 👋


"This post is in English" (*above) is quite obviously false information from the forum software!
