geoip blocking

maybl8

Can we do geoip blocking with Mailcow?

maybl8

maybl8 Or with DOCKER-USER IP Tables?

esackbauer

Not that I am aware of. I have a Sophos Firewall in front of my mailcow, this firewall can do this. And a lot more as it is a Web Application Firewall and Antivirus/Antispam MTA as well.

ETNyx

You can try to feed IP ranges into Admin -> Options -> Fail2ban -> Blacklist

maybl8

Does the Blacklist block the ip’s before it gets to postfix like iptables works?

ETNyx

Yes

maybl8

In looking at this just to block Russia it’s around 13,000 lines to add.
Probably a better solution is to have a physical firewall that can do it in front of the server.
I’m running this at home so that is kind of an expensive option.
Thanks for the info

piperino

maybl8

You could run something like the below. Given you have iptables on your host.

Create a file
block-russia.sh
add the content below.

#!/bin/bash
IP_TMP=/tmp/ip.tmp
IP_BLACKLIST=/etc/ip-blacklist.conf
IP_BLACKLIST_TEMP=/etc/ip-blacklist.temp
wget -O $IP_TMP https://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone
cat $IP_TMP | while read IP
do
/usr/sbin/iptables -A INPUT -s $IP -j DROP
echo $IP >> $IP_BLACKLIST_TEMP
done
mv $IP_BLACKLIST_TEMP $IP_BLACKLIST
rm $IP_TMP

esackbauer

maybl8 I’m running this at home so that is kind of an expensive option.

If you run it on a virtualization host you could use either the free version of Sophos Firewall or pfsense/opnsense in a virtual machine and have the benefit of having a proper firewall for the rest of the home devices as well.

maybl8

piperino Wouldn’t the iptables line need to be:
-A DOCKER-USER -s $IP -j DROP
for mailcow to use it?

piperino

maybl8

i guess you could add this to the docker chain as well.
but i think it doesn’t matter.

maybl8

Here are the commands I run now to update the blocklist.
How would I change the script to get the russia blocklist included?

[demo@mail sbin]$ sudo iptables -I DOCKER-USER -s 70.188.0.0/16 -j DROP
[sudo] password for demo:
[demo@mail sbin]$ sudo iptables-save -f /etc/iptables/iptables.rules
[demo@mail sbin]$ sudo iptables-restore /etc/iptables/iptables.rules

piperino

maybl8

The correct Chain would be “MAILCOW”. But still not sure what you trying to achieve.

Just add the script I’ve posted to the crontab and good. and don’t mess around with Mailcow Iptables chains.

maybl8

After running your script with the MAILCOW in there:

 /usr/sbin/iptables -A MAILCOW -s $IP -j DROP

I show this in the iptables.rules file:
I add some rules as I shown earlier.

# Generated by iptables-save v1.8.10 on Thu Jun 13 10:20:07 2024
*filter
:INPUT ACCEPT [602189:623797607]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [348350:38823556]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:MAILCOW - [0:0]
-A INPUT -j MAILCOW
-A FORWARD -j MAILCOW
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-mailcow -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-mailcow -j DOCKER
-A FORWARD -i br-mailcow ! -o br-mailcow -j ACCEPT
-A FORWARD -i br-mailcow -o br-mailcow -j ACCEPT
-A DOCKER -d 172.22.1.249/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 6379 -j ACCEPT
-A DOCKER -d 172.22.1.7/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 172.22.1.12/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 443 -j ACCEPT
-A DOCKER -d 172.22.1.12/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 587 -j ACCEPT
-A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 465 -j ACCEPT
-A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 25 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 12345 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 4190 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 995 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 993 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 143 -j ACCEPT
-A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 110 -j ACCEPT
-A DOCKER -d 172.22.1.13/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 8983 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-mailcow ! -o br-mailcow -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-mailcow -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -s 1.28.0.0/16 -j DROP
-A DOCKER-USER -s 1.235.0.0/16 -j DROP
-A DOCKER-USER -s 1.252.0.0/16 -j DROP
-A DOCKER-USER -s 2.40.0.0/16 -j DROP
-A DOCKER-USER -s 2.55.0.0/16 -j DROP
-A DOCKER-USER -s 3.75.0.0/16 -j DROP
-A DOCKER-USER -s 4.158.0.0/16 -j DROP
-A DOCKER-USER -s 5.26.0.0/16 -j DROP
-A DOCKER-USER -s 5.42.0.0/16 -j DROP
-A DOCKER-USER -s 13.38.0.0/16 -j DROP
-A DOCKER-USER -s 14.162.0.0/16 -j DROP
-A DOCKER-USER -s 20.84.0.0/16 -j DROP
-A DOCKER-USER -s 20.161.0.0/16 -j DROP
-A DOCKER-USER -s 20.206.0.0/16 -j DROP
-A DOCKER-USER -s 20.210.0.0/16 -j DROP
-A DOCKER-USER -s 24.49.0.0/16 -j DROP
-A DOCKER-USER -s 24.97.0.0/16 -j DROP
-A DOCKER-USER -s 27.100.0.0/16 -j DROP
-A DOCKER-USER -s 31.173.0.0/16 -j DROP
-A DOCKER-USER -s 36.32.0.0/16 -j DROP
-A DOCKER-USER -s 39.46.0.0/16 -j DROP
-A DOCKER-USER -s 41.93.0.0/16 -j DROP
-A DOCKER-USER -s 41.207.0.0/16 -j DROP
-A DOCKER-USER -s 41.214.0.0/16 -j DROP
-A DOCKER-USER -s 42.99.0.0/16 -j DROP
-A DOCKER-USER -s 45.229.0.0/16 -j DROP
-A DOCKER-USER -s 50.74.0.0/16 -j DROP
-A DOCKER-USER -s 51.195.0.0/16 -j DROP
-A DOCKER-USER -s 52.170.0.0/16 -j DROP
-A DOCKER-USER -s 58.58.0.0/16 -j DROP
-A DOCKER-USER -s 58.225.0.0/16 -j DROP
-A DOCKER-USER -s 59.9.0.0/16 -j DROP
-A DOCKER-USER -s 60.16.0.0/16 -j DROP
-A DOCKER-USER -s 60.166.0.0/16 -j DROP
-A DOCKER-USER -s 61.51.0.0/16 -j DROP
-A DOCKER-USER -s 61.81.0.0/16 -j DROP
-A DOCKER-USER -s 61.85.0.0/16 -j DROP
-A DOCKER-USER -s 61.134.0.0/16 -j DROP
-A DOCKER-USER -s 61.153.0.0/16 -j DROP
-A DOCKER-USER -s 61.190.0.0/16 -j DROP
-A DOCKER-USER -s 67.53.0.0/16 -j DROP
-A DOCKER-USER -s 67.60.0.0/16 -j DROP
-A DOCKER-USER -s 68.82.0.0/16 -j DROP
-A DOCKER-USER -s 68.175.0.0/16 -j DROP
-A DOCKER-USER -s 68.183.0.0/16 -j DROP
-A DOCKER-USER -s 70.188.0.0/16 -j DROP
-A DOCKER-USER -s 73.12.0.0/16 -j DROP
-A DOCKER-USER -s 76.9.0.0/16 -j DROP
-A DOCKER-USER -s 76.176.0.0/16 -j DROP
-A DOCKER-USER -s 78.153.0.0/16 -j DROP
-A DOCKER-USER -s 78.186.0.0/16 -j DROP
-A DOCKER-USER -s 80.72.0.0/16 -j DROP
-A DOCKER-USER -s 80.233.0.0/16 -j DROP
-A DOCKER-USER -s 81.70.0.0/16 -j DROP
-A DOCKER-USER -s 81.94.0.0/16 -j DROP
-A DOCKER-USER -s 81.225.0.0/16 -j DROP
-A DOCKER-USER -s 82.223.0.0/16 -j DROP
-A DOCKER-USER -s 84.238.0.0/16 -j DROP
-A DOCKER-USER -s 87.120.0.0/16 -j DROP
-A DOCKER-USER -s 91.138.0.0/16 -j DROP
-A DOCKER-USER -s 91.215.0.0/16 -j DROP
-A DOCKER-USER -s 91.218.0.0/16 -j DROP
-A DOCKER-USER -s 94.65.0.0/16 -j DROP
-A DOCKER-USER -s 94.156.0.0/16 -j DROP
-A DOCKER-USER -s 98.49.0.0/16 -j DROP
-A DOCKER-USER -s 103.149.0.0/16 -j DROP
-A DOCKER-USER -s 103.186.0.0/16 -j DROP
-A DOCKER-USER -s 104.33.0.0/16 -j DROP
-A DOCKER-USER -s 105.73.0.0/16 -j DROP
-A DOCKER-USER -s 109.107.0.0/16 -j DROP
-A DOCKER-USER -s 109.206.0.0/16 -j DROP
-A DOCKER-USER -s 110.73.0.0/16 -j DROP
-A DOCKER-USER -s 111.70.0.0/16 -j DROP
-A DOCKER-USER -s 112.27.0.0/16 -j DROP
-A DOCKER-USER -s 112.86.0.0/16 -j DROP
-A DOCKER-USER -s 112.194.0.0/16 -j DROP
-A DOCKER-USER -s 113.160.0.0/16 -j DROP
-A DOCKER-USER -s 113.193.0.0/16 -j DROP
-A DOCKER-USER -s 115.238.0.0/16 -j DROP
-A DOCKER-USER -s 116.131.0.0/16 -j DROP
-A DOCKER-USER -s 117.50.0.0/16 -j DROP
-A DOCKER-USER -s 118.26.0.0/16 -j DROP
-A DOCKER-USER -s 119.67.0.0/16 -j DROP
-A DOCKER-USER -s 121.12.0.0/16 -j DROP
-A DOCKER-USER -s 121.22.0.0/16 -j DROP
-A DOCKER-USER -s 121.132.0.0/16 -j DROP
-A DOCKER-USER -s 121.202.0.0/16 -j DROP
-A DOCKER-USER -s 122.224.0.0/16 -j DROP
-A DOCKER-USER -s 123.115.0.0/16 -j DROP
-A DOCKER-USER -s 123.209.0.0/16 -j DROP
-A DOCKER-USER -s 124.221.0.0/16 -j DROP
-A DOCKER-USER -s 125.19.0.0/16 -j DROP
-A DOCKER-USER -s 125.71.0.0/16 -j DROP
-A DOCKER-USER -s 125.72.0.0/16 -j DROP
-A DOCKER-USER -s 129.205.0.0/16 -j DROP
-A DOCKER-USER -s 136.158.0.0/16 -j DROP
-A DOCKER-USER -s 139.162.0.0/16 -j DROP
-A DOCKER-USER -s 141.98.0.0/16 -j DROP
-A DOCKER-USER -s 141.101.0.0/16 -j DROP
-A DOCKER-USER -s 144.48.0.0/16 -j DROP
-A DOCKER-USER -s 147.50.0.0/16 -j DROP
-A DOCKER-USER -s 147.235.0.0/16 -j DROP
-A DOCKER-USER -s 148.3.0.0/16 -j DROP
-A DOCKER-USER -s 148.255.0.0/16 -j DROP
-A DOCKER-USER -s 150.109.0.0/16 -j DROP
-A DOCKER-USER -s 157.230.0.0/16 -j DROP
-A DOCKER-USER -s 162.158.0.0/16 -j DROP
-A DOCKER-USER -s 164.52.0.0/16 -j DROP
-A DOCKER-USER -s 165.227.0.0/16 -j DROP
-A DOCKER-USER -s 166.140.0.0/16 -j DROP
-A DOCKER-USER -s 166.148.0.0/16 -j DROP
-A DOCKER-USER -s 166.180.0.0/16 -j DROP
-A DOCKER-USER -s 172.58.0.0/16 -j DROP
-A DOCKER-USER -s 172.68.0.0/16 -j DROP
-A DOCKER-USER -s 172.245.0.0/16 -j DROP
-A DOCKER-USER -s 175.120.0.0/16 -j DROP
-A DOCKER-USER -s 175.139.0.0/16 -j DROP
-A DOCKER-USER -s 176.9.0.0/16 -j DROP
-A DOCKER-USER -s 176.31.0.0/16 -j DROP
-A DOCKER-USER -s 176.111.0.0/16 -j DROP
-A DOCKER-USER -s 176.194.0.0/16 -j DROP
-A DOCKER-USER -s 177.72.0.0/16 -j DROP
-A DOCKER-USER -s 178.176.0.0/16 -j DROP
-A DOCKER-USER -s 180.232.0.0/16 -j DROP
-A DOCKER-USER -s 181.67.0.0/16 -j DROP
-A DOCKER-USER -s 182.76.0.0/16 -j DROP
-A DOCKER-USER -s 183.108.0.0/16 -j DROP
-A DOCKER-USER -s 183.230.0.0/16 -j DROP
-A DOCKER-USER -s 183.245.0.0/16 -j DROP
-A DOCKER-USER -s 184.105.0.0/16 -j DROP
-A DOCKER-USER -s 185.142.0.0/16 -j DROP
-A DOCKER-USER -s 185.147.0.0/16 -j DROP
-A DOCKER-USER -s 185.149.0.0/16 -j DROP
-A DOCKER-USER -s 185.165.0.0/16 -j DROP
-A DOCKER-USER -s 185.206.0.0/16 -j DROP
-A DOCKER-USER -s 185.241.0.0/16 -j DROP
-A DOCKER-USER -s 188.255.0.0/16 -j DROP
-A DOCKER-USER -s 189.56.0.0/16 -j DROP
-A DOCKER-USER -s 192.52.0.0/16 -j DROP
-A DOCKER-USER -s 192.109.0.0/16 -j DROP
-A DOCKER-USER -s 192.210.0.0/16 -j DROP
-A DOCKER-USER -s 193.37.0.0/16 -j DROP
-A DOCKER-USER -s 194.26.0.0/16 -j DROP
-A DOCKER-USER -s 194.164.0.0/16 -j DROP
-A DOCKER-USER -s 195.97.0.0/16 -j DROP
-A DOCKER-USER -s 195.158.0.0/16 -j DROP
-A DOCKER-USER -s 195.218.0.0/16 -j DROP
-A DOCKER-USER -s 195.239.0.0/16 -j DROP
-A DOCKER-USER -s 197.255.0.0/16 -j DROP
-A DOCKER-USER -s 198.235.0.0/16 -j DROP
-A DOCKER-USER -s 200.35.0.0/16 -j DROP
-A DOCKER-USER -s 200.232.0.0/16 -j DROP
-A DOCKER-USER -s 205.210.0.0/16 -j DROP
-A DOCKER-USER -s 207.90.0.0/16 -j DROP
-A DOCKER-USER -s 208.105.0.0/16 -j DROP
-A DOCKER-USER -s 211.178.0.0/16 -j DROP
-A DOCKER-USER -s 216.59.0.0/16 -j DROP
-A DOCKER-USER -s 213.134.0.0/16 -j DROP
-A DOCKER-USER -s 217.210.0.0/16 -j DROP
-A DOCKER-USER -s 218.22.0.0/16 -j DROP
-A DOCKER-USER -s 218.25.0.0/16 -j DROP
-A DOCKER-USER -s 218.39.0.0/16 -j DROP
-A DOCKER-USER -s 218.59.0.0/16 -j DROP
-A DOCKER-USER -s 218.76.0.0/16 -j DROP
-A DOCKER-USER -s 219.76.0.0/16 -j DROP
-A DOCKER-USER -s 220.170.0.0/16 -j DROP
-A DOCKER-USER -s 221.130.0.0/16 -j DROP
-A DOCKER-USER -s 221.226.0.0/16 -j DROP
-A DOCKER-USER -s 222.185.0.0/16 -j DROP
-A DOCKER-USER -s 222.235.0.0/16 -j DROP
-A DOCKER-USER -j RETURN
-A MAILCOW ! -i br-mailcow -o br-mailcow -p tcp -m multiport --dports 3306,6379,8983,12345 -j DROP
COMMIT
# Completed on Thu Jun 13 10:20:07 2024
# Generated by iptables-save v1.8.10 on Thu Jun 13 10:20:07 2024
*nat
:PREROUTING ACCEPT [263139:18708440]
:INPUT ACCEPT [10589:1905339]
:OUTPUT ACCEPT [10910:1612730]
:POSTROUTING ACCEPT [187043:12469308]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.22.1.0/24 ! -o br-mailcow -j MASQUERADE
-A POSTROUTING -s 172.22.1.2/32 -d 172.22.1.2/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.22.1.2/32 -d 172.22.1.2/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.22.1.2/32 -d 172.22.1.2/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A POSTROUTING -s 172.22.1.6/32 -d 172.22.1.6/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.22.1.6/32 -d 172.22.1.6/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.22.1.7/32 -d 172.22.1.7/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A POSTROUTING -s 172.22.1.9/32 -d 172.22.1.9/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.22.1.9/32 -d 172.22.1.9/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.22.1.13/32 -d 172.22.1.13/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A POSTROUTING -s 172.22.1.3/32 -d 172.22.1.3/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.22.1.3/32 -d 172.22.1.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.22.1.5/32 -d 172.22.1.5/32 -p tcp -m tcp --dport 8983 -j MASQUERADE
-A POSTROUTING -s 172.22.1.8/32 -d 172.22.1.8/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.22.1.8/32 -d 172.22.1.8/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.22.1.2/32 -d 172.22.1.2/32 -p tcp -m tcp --dport 8983 -j MASQUERADE
-A POSTROUTING -s 172.22.1.11/32 -d 172.22.1.11/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A POSTROUTING -s 172.22.1.5/32 -d 172.22.1.5/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.22.1.5/32 -d 172.22.1.5/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.22.1.10/32 -d 172.22.1.10/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A POSTROUTING -s 172.22.1.8/32 -d 172.22.1.8/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A POSTROUTING -s 172.22.1.10/32 -d 172.22.1.10/32 -p tcp -m tcp --dport 8983 -j MASQUERADE
-A POSTROUTING -s 172.22.1.12/32 -d 172.22.1.12/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A POSTROUTING -s 172.22.1.249/32 -d 172.22.1.249/32 -p tcp -m tcp --dport 6379 -j MASQUERADE
-A POSTROUTING -s 172.22.1.6/32 -d 172.22.1.6/32 -p tcp -m tcp --dport 3306 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 12345 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 4190 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 995 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 993 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 143 -j MASQUERADE
-A POSTROUTING -s 172.22.1.250/32 -d 172.22.1.250/32 -p tcp -m tcp --dport 110 -j MASQUERADE
-A POSTROUTING -s 172.22.1.253/32 -d 172.22.1.253/32 -p tcp -m tcp --dport 587 -j MASQUERADE
-A POSTROUTING -s 172.22.1.253/32 -d 172.22.1.253/32 -p tcp -m tcp --dport 465 -j MASQUERADE
-A POSTROUTING -s 172.22.1.253/32 -d 172.22.1.253/32 -p tcp -m tcp --dport 25 -j MASQUERADE
-A POSTROUTING -s 172.22.1.13/32 -d 172.22.1.13/32 -p tcp -m tcp --dport 8983 -j MASQUERADE
-A POSTROUTING -s 172.22.1.4/32 -d 172.22.1.4/32 -p tcp -m tcp --dport 8983 -j MASQUERADE
-A POSTROUTING -s 172.22.1.10/32 -d 172.22.1.10/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.22.1.10/32 -d 172.22.1.10/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 172.22.1.12/32 -d 172.22.1.12/32 -p tcp -m tcp --dport 443 -j MASQUERADE
-A POSTROUTING -s 172.22.1.12/32 -d 172.22.1.12/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -i br-mailcow -j RETURN
-A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 7654 -j DNAT --to-destination 172.22.1.249:6379
-A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 13306 -j DNAT --to-destination 172.22.1.7:3306
-A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.22.1.12:443
-A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.22.1.12:80
-A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 587 -j DNAT --to-destination 172.22.1.253:587
-A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 465 -j DNAT --to-destination 172.22.1.253:465
-A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.22.1.253:25
-A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 19991 -j DNAT --to-destination 172.22.1.250:12345
-A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 4190 -j DNAT --to-destination 172.22.1.250:4190
-A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 995 -j DNAT --to-destination 172.22.1.250:995
-A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 993 -j DNAT --to-destination 172.22.1.250:993
-A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 143 -j DNAT --to-destination 172.22.1.250:143
-A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 110 -j DNAT --to-destination 172.22.1.250:110
-A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 18983 -j DNAT --to-destination 172.22.1.13:8983
COMMIT
# Completed on Thu Jun 13 10:20:07 2024
# Generated by iptables-save v1.8.10 on Thu Jun 13 10:20:07 2024
*mangle
:PREROUTING ACCEPT [2854541:1379283016]
:INPUT ACCEPT [602189:623797607]
:FORWARD ACCEPT [2252817:755513309]
:OUTPUT ACCEPT [348350:38823556]
:POSTROUTING ACCEPT [2600268:794081982]
COMMIT
# Completed on Thu Jun 13 10:20:07 2024
# Generated by iptables-save v1.8.10 on Thu Jun 13 10:20:07 2024
*raw
:PREROUTING ACCEPT [2854541:1379283016]
:OUTPUT ACCEPT [348350:38823556]
COMMIT
# Completed on Thu Jun 13 10:20:07 2024
# Generated by iptables-save v1.8.10 on Thu Jun 13 10:20:07 2024
*security
:INPUT ACCEPT [602189:623797607]
:FORWARD ACCEPT [2251918:755258426]
:OUTPUT ACCEPT [348350:38823556]
COMMIT
# Completed on Thu Jun 13 10:20:07 2024

maybl8

OK I looked at the iptables.rules file and after running those commands with 3 different setting they were all in there duplicated.
I had the Russia IP’s in there under INPUT DOCKER-USER and MAILCOW.
I didn’t know I was appending the file.
I have cleaned it up and just left INPUT.
Of these 3 which is preferred or does it even matter?
What I was trying to do is stop the bad actors from even getting to my mailserver with using iptables.
I don’t need mail from allot of countries like Russia , China , etc.

maddler

just a quick note, it might make more sense to add those IPs via ipset, it will considerably reduce the number of iptables rules and improving the performances considering you’d be looking at thoisands of entries here.

piperino

maddler
you’re right, on a very busy server you might have performance issues.

@maybl8
you might want to look at this ipset script.
Just tried it. seems it works very well.

maybl8

Are you using this inside or outside of the mailcow container?

piperino

maybl8
outside of the mailcow container. on host level.