Netfilter container restarting every minute with a wrong position ip input error

MooCow

After updating yesterday using the update script I started noticing a lot of duplicate IP addresses in the ban emails F2B sends me. I looked in the netfilter logs and saw that it’s showing the error MAILCOW target is in position 2 in the ip input table, restarting container to fix it... about every minute. Banning is still working but the ban only lasts for the minute the container is running then unbans when it restarts.

I found this Github post that said running these commands may help

modprobe -v ip6table_filter modprobe -v iptable_filter docker-compose restart netfilter-mailcow

but after running them the container still restarts after a minute then shows the position error again. Is this issue caused by something I have configured incorrectly?

Here’s the output of iptables -L
`Chain INPUT (policy ACCEPT)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */

Chain FORWARD (policy DROP)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */
DOCKER-USER all – anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp – anywhere 172.17.0.2 tcp dpt:9001
ACCEPT tcp – anywhere 172.22.1.5 tcp dpt:8983
ACCEPT tcp – anywhere 172.22.1.249 tcp dpt:redis
ACCEPT tcp – anywhere 172.22.1.6 tcp dpt:mysql
ACCEPT tcp – anywhere 172.22.1.8 tcp dpt:https
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:12345
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:sieve
ACCEPT tcp – anywhere 172.22.1.8 tcp dpt:http
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3s
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imaps
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imap2
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:submission
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:submissions
ACCEPT tcp – anywhere 172.22.1.253 tcp dpt:smtp

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all – anywhere anywhere
DROP all – anywhere anywhere
DROP all – anywhere anywhere
RETURN all – anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all – anywhere anywhere

Chain MAILCOW (2 references)
target prot opt source destination
DROP all – 222.74.222.0 anywhere
DROP all – 245.234.167.72.host.secureserver.net anywhere
DROP all – 141.98.11.0/24 anywhere
DROP all – 141.98.10.76 anywhere
DROP all – srv-141-98-11-112.serveroffer.net anywhere `

Curious if anyone else is experiencing this, thank you for the help!

MooCow

Ah this was my fault, apologies for thinking it was the update. I once had Crowdsec installed but ended up using something else so I uninstalled it, but not the firewall bouncer 😖 I was using the wrong iptables command (missing the -vn) and didn’t see the crowdsec bouncer sitting in the number 1 position. After removing the firewall bouncer and rebooting the netfilter container is now working correctly.

Very strange that it seemed to happen out of nowhere, as I must’ve had that bouncer installed for months after removing crowdsec but saw netfilter working correctly up until yesterday. Either way it’s now working normally and I’ll make sure to be more thorough when uninstalling packages in the future.