Can we do geoip blocking with Mailcow?


    Not that I am aware of. I have a Sophos Firewall in front of my mailcow; this firewall can do this, and a lot more, as it is a Web Application Firewall and Antivirus/Antispam MTA as well.

    You can try to feed IP ranges into Admin -> Options -> Fail2ban -> Blacklist

    Does the Blacklist block the IPs before they get to Postfix, like iptables does?

    Looking at this, just to block Russia it’s around 13,000 lines to add.
    Probably a better solution is to have a physical firewall in front of the server that can do it.
    I’m running this at home, so that is kind of an expensive option.
    Thanks for the info.

      maybl8

      You could run something like the below, given you have iptables on your host.

      Create a file block-russia.sh and add the content below.

      #!/bin/bash
      # abort on any failed command, unset variable or failed pipeline stage
      set -euo pipefail
      IP_TMP=/tmp/ip.tmp
      IP_BLACKLIST=/etc/ip-blacklist.conf
      IP_BLACKLIST_TEMP=/etc/ip-blacklist.temp
      # with set -e a failed download aborts the script instead of silently blocking nothing
      wget -q -O "$IP_TMP" https://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone
      : > "$IP_BLACKLIST_TEMP"   # start the new list empty instead of appending to a stale one
      while read -r IP
      do
          [ -n "$IP" ] || continue
          # -C checks whether the rule is already present, so re-running the script
          # (e.g. from cron) does not append the same DROP rule again
          /usr/sbin/iptables -C INPUT -s "$IP" -j DROP 2>/dev/null || /usr/sbin/iptables -A INPUT -s "$IP" -j DROP
          echo "$IP" >> "$IP_BLACKLIST_TEMP"
      done < "$IP_TMP"
      mv "$IP_BLACKLIST_TEMP" "$IP_BLACKLIST"
      rm -f "$IP_TMP"

        piperino Wouldn’t the iptables line need to be:
        -A DOCKER-USER -s $IP -j DROP
        for mailcow to use it?

          maybl8

          I guess you could add this to the Docker chain as well,
          but I think it doesn’t matter.

          maybl8 I’m running this at home so that is kind of an expensive option.

          If you run it on a virtualization host you could use either the free version of Sophos Firewall or pfSense/OPNsense in a virtual machine and have the benefit of having a proper firewall for the rest of the home devices as well.

          Here are the commands I run now to update the blocklist.
          How would I change the script to get the Russia blocklist included?

          [demo@mail sbin]$ sudo iptables -I DOCKER-USER -s 70.188.0.0/16 -j DROP
          [sudo] password for demo:
          [demo@mail sbin]$ sudo iptables-save -f /etc/iptables/iptables.rules
          [demo@mail sbin]$ sudo iptables-restore /etc/iptables/iptables.rules
          

            maybl8

            The correct chain would be “MAILCOW”. But I’m still not sure what you’re trying to achieve.

            Just add the script I’ve posted to the crontab and you’re good, and don’t mess around with the mailcow iptables chains.

            After running your script with MAILCOW in there:

             /usr/sbin/iptables -A MAILCOW -s $IP -j DROP 

            I show this in the iptables.rules file.
            I added some rules, as I showed earlier.

            # Generated by iptables-save v1.8.10 on Thu Jun 13 10:20:07 2024
            *filter
            :INPUT ACCEPT [602189:623797607]
            :FORWARD DROP [0:0]
            :OUTPUT ACCEPT [348350:38823556]
            :DOCKER - [0:0]
            :DOCKER-ISOLATION-STAGE-1 - [0:0]
            :DOCKER-ISOLATION-STAGE-2 - [0:0]
            :DOCKER-USER - [0:0]
            :MAILCOW - [0:0]
            -A INPUT -j MAILCOW
            -A FORWARD -j MAILCOW
            -A FORWARD -j DOCKER-USER
            -A FORWARD -j DOCKER-ISOLATION-STAGE-1
            -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
            -A FORWARD -o docker0 -j DOCKER
            -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
            -A FORWARD -i docker0 -o docker0 -j ACCEPT
            -A FORWARD -o br-mailcow -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
            -A FORWARD -o br-mailcow -j DOCKER
            -A FORWARD -i br-mailcow ! -o br-mailcow -j ACCEPT
            -A FORWARD -i br-mailcow -o br-mailcow -j ACCEPT
            -A DOCKER -d 172.22.1.249/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 6379 -j ACCEPT
            -A DOCKER -d 172.22.1.7/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 3306 -j ACCEPT
            -A DOCKER -d 172.22.1.12/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 443 -j ACCEPT
            -A DOCKER -d 172.22.1.12/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 80 -j ACCEPT
            -A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 587 -j ACCEPT
            -A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 465 -j ACCEPT
            -A DOCKER -d 172.22.1.253/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 25 -j ACCEPT
            -A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 12345 -j ACCEPT
            -A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 4190 -j ACCEPT
            -A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 995 -j ACCEPT
            -A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 993 -j ACCEPT
            -A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 143 -j ACCEPT
            -A DOCKER -d 172.22.1.250/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 110 -j ACCEPT
            -A DOCKER -d 172.22.1.13/32 ! -i br-mailcow -o br-mailcow -p tcp -m tcp --dport 8983 -j ACCEPT
            -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
            -A DOCKER-ISOLATION-STAGE-1 -i br-mailcow ! -o br-mailcow -j DOCKER-ISOLATION-STAGE-2
            -A DOCKER-ISOLATION-STAGE-1 -j RETURN
            -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
            -A DOCKER-ISOLATION-STAGE-2 -o br-mailcow -j DROP
            -A DOCKER-ISOLATION-STAGE-2 -j RETURN
            -A DOCKER-USER -j RETURN
            -A MAILCOW ! -i br-mailcow -o br-mailcow -p tcp -m multiport --dports 3306,6379,8983,12345 -j DROP
            COMMIT
            # Completed on Thu Jun 13 10:20:07 2024
            # Generated by iptables-save v1.8.10 on Thu Jun 13 10:20:07 2024
            *nat
            :PREROUTING ACCEPT [263139:18708440]
            :INPUT ACCEPT [10589:1905339]
            :OUTPUT ACCEPT [10910:1612730]
            :POSTROUTING ACCEPT [187043:12469308]
            :DOCKER - [0:0]
            -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
            -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
            -A DOCKER -i docker0 -j RETURN
            -A DOCKER -i br-mailcow -j RETURN
            -A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 7654 -j DNAT --to-destination 172.22.1.249:6379
            -A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 13306 -j DNAT --to-destination 172.22.1.7:3306
            -A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.22.1.12:443
            -A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.22.1.12:80
            -A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 587 -j DNAT --to-destination 172.22.1.253:587
            -A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 465 -j DNAT --to-destination 172.22.1.253:465
            -A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 25 -j DNAT --to-destination 172.22.1.253:25
            -A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 19991 -j DNAT --to-destination 172.22.1.250:12345
            -A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 4190 -j DNAT --to-destination 172.22.1.250:4190
            -A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 995 -j DNAT --to-destination 172.22.1.250:995
            -A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 993 -j DNAT --to-destination 172.22.1.250:993
            -A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 143 -j DNAT --to-destination 172.22.1.250:143
            -A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 110 -j DNAT --to-destination 172.22.1.250:110
            -A DOCKER -d 127.0.0.1/32 ! -i br-mailcow -p tcp -m tcp --dport 18983 -j DNAT --to-destination 172.22.1.13:8983
            COMMIT
            # Completed on Thu Jun 13 10:20:07 2024
            

            OK, I looked at the iptables.rules file, and after running those commands with 3 different settings they were all in there, duplicated.
            I had the Russian IPs in there under INPUT, DOCKER-USER and MAILCOW.
            I didn’t know I was appending to the file.
            I have cleaned it up and just left INPUT.
            Of these 3, which is preferred, or does it even matter?
            What I was trying to do is stop the bad actors from even getting to my mail server by using iptables.
            I don’t need mail from a lot of countries like Russia, China, etc.

            Just a quick note: it might make more sense to add those IPs via ipset. It will considerably reduce the number of iptables rules and improve performance, considering you’d be looking at thousands of entries here.
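            The ipset approach from the note above, written out as an added example (editor's illustration, not mailcow's code and not the script posted earlier in the thread). It keeps all blocked prefixes in one set that a single DOCKER-USER rule references, so a cron refresh swaps the list instead of appending duplicate rules, and it validates every downloaded line before feeding it to ipset. It assumes iptables, ipset and curl are installed, that Docker has created the DOCKER-USER chain, and that the zone files use ipdeny's one-IPv4-CIDR-per-line format (the URL base is taken from the thread).

```sh
#!/bin/sh
# Added example for this thread; not mailcow's code and not the script posted above.
# One ipset holds every blocked prefix and a single DOCKER-USER rule references it,
# so a cron refresh replaces the list instead of appending thousands of duplicate
# iptables rules. Assumes iptables, ipset and curl are installed, Docker has created
# the DOCKER-USER chain, and zone files are in ipdeny's one-IPv4-CIDR-per-line format.

ZONE_URL_BASE="https://www.ipdeny.com/ipblocks/data/aggregated"
SET_NAME="geoblock"
SET_SPEC="hash:net family inet maxelem 131072"   # same spec for live and scratch set

# valid_cidr A.B.C.D/N: succeed only for a well-formed IPv4 prefix, so a corrupted or
# tampered download cannot smuggle extra commands into the `ipset restore` stream.
valid_cidr() {
  local ip plen oct n oldifs
  case "$1" in */*) ;; *) return 1 ;; esac
  ip="${1%/*}"; plen="${1#*/}"
  case "$plen" in ""|*[!0-9]*|???*) return 1 ;; esac
  [ "$plen" -le 32 ] || return 1
  n=0; oldifs=$IFS; IFS=.
  for oct in $ip; do
    case "$oct" in ""|*[!0-9]*|????*) IFS=$oldifs; return 1 ;; esac
    [ "$oct" -le 255 ] || { IFS=$oldifs; return 1; }
    n=$((n + 1))
  done
  IFS=$oldifs
  [ "$n" -eq 4 ]
}

# zone_to_ipset_restore SET: read a zone file on stdin (comments, blank lines and CRLF
# tolerated) and print an `ipset restore` script for SET; bad lines go to stderr.
zone_to_ipset_restore() {
  printf 'create %s %s\n' "$1" "$SET_SPEC"
  tr -d '\r' | sed 's/#.*//' | while read -r line; do
    [ -n "$line" ] || continue
    if valid_cidr "$line"; then
      printf 'add %s %s\n' "$1" "$line"
    else
      printf 'skipping invalid entry: %s\n' "$line" >&2
    fi
  done
}

# refresh_geoblock CC [CC...]: fetch each country's zone, fill a scratch set, swap it
# in atomically, and make sure exactly one DROP rule references the live set.
refresh_geoblock() {
  tmp="$(mktemp)" || return 1
  for cc in "$@"; do
    case "$cc" in [a-z][a-z]) ;; *) rm -f "$tmp"; return 1 ;; esac   # only "ru", "cn", ...
    # -f: an HTTP error page must never be loaded as the block list
    curl -fsSL "$ZONE_URL_BASE/${cc}-aggregated.zone" >> "$tmp" || { rm -f "$tmp"; return 1; }
  done
  [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }
  ipset destroy "${SET_NAME}_new" 2>/dev/null || true    # scratch left by a failed run
  zone_to_ipset_restore "${SET_NAME}_new" < "$tmp" | ipset -exist restore || { rm -f "$tmp"; return 1; }
  rm -f "$tmp"
  ipset -exist create "$SET_NAME" $SET_SPEC
  ipset swap "${SET_NAME}_new" "$SET_NAME" && ipset destroy "${SET_NAME}_new"
  # The posted rules DNAT mailcow's published ports to containers, so that traffic
  # traverses FORWARD -> DOCKER-USER and never INPUT. Insert the rule once, above RETURN.
  iptables -C DOCKER-USER -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null \
    || iptables -I DOCKER-USER 1 -m set --match-set "$SET_NAME" src -j DROP
}

# Cron usage, e.g. once a day as root:  geoblock.sh apply ru cn
if [ "${1:-}" = "apply" ]; then shift; refresh_geoblock "$@"; fi
```

            Because the live set is replaced with `ipset swap`, prefixes that disappear from the zone file are unblocked on the next refresh, which the append-only script cannot do.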

              Are you using this inside or outside of the mailcow container?
