I have been trying to find out how to properly enable a firewall for Docker and encountered an interesting behaviour of the unbound container:

  1. installing mailcow - health check passes. I am able to dig through @127.0.0.1 in the container
  2. enforcing iptables rules:
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -m multiport --dport 22,443 -j ACCEPT
    iptables -P INPUT DROP
    iptables -I DOCKER-USER -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -I DOCKER-USER 2 -i eth0 -p tcp -m multiport --dport 25,110,143,465,587,993,995,4190 -j ACCEPT
    iptables -I DOCKER-USER 3 -i eth0 -j DROP
  3. unbound does not pass health check, unable to dig
  4. rolling back iptables rules:
    iptables -P INPUT ACCEPT
    iptables -F INPUT
    iptables -F DOCKER-USER
    iptables -A DOCKER-USER -j RETURN
  5. unbound does not pass health check, unable to dig

Can someone explain why this happens?
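One thing worth checking in a situation like the one above is whether the "rollback" actually restored the starting rule set: `iptables -F INPUT` flushes every rule in the chain, not only the ones added in step 2, and `-F DOCKER-USER` does the same for that chain. The script below is an added example (not from this thread, and not part of mailcow) that compares two `iptables-save` snapshots, one taken before step 2 and one after step 4, and reports rules or chain policies present in one but not the other. The two snapshot files are constructed samples written by the script itself; `example-chain` and the rule jumping to it stand in for whatever other software had already placed in INPUT and are not real mailcow or Docker rules.

```shell
#!/bin/sh
# Added example: verify that an iptables rollback restored the original rule set.
# Intended use on a real host:
#   iptables-save > before.rules      (before changing anything)
#   ... apply rules, test, roll back ...
#   iptables-save > after.rules
#   rules_diff before.rules after.rules
# An empty diff means the rule set is identical again; otherwise the listed lines
# tell you what the rollback missed (or what it flushed that you did not add).

# Normalize a snapshot so two dumps can be compared order-independently:
# keep policy lines (":CHAIN POLICY") and rule lines ("-A ..."), drop packet
# counters, comments, table headers and COMMIT, then sort.
normalize_rules() {
    sed -e 's/ \[[0-9]*:[0-9]*\]$//' "$1" \
      | grep -E '^(:|-A )' \
      | sort
}

# Print lines only in the first snapshot prefixed "- " and lines only in the
# second prefixed "+ ". Prints nothing when the snapshots are equivalent.
rules_diff() {
    before=$(normalize_rules "$1")
    after=$(normalize_rules "$2")
    printf '%s\n' "$before" | while IFS= read -r line; do
        printf '%s\n' "$after" | grep -qxF -- "$line" || printf -- '- %s\n' "$line"
    done
    printf '%s\n' "$after" | while IFS= read -r line; do
        printf '%s\n' "$before" | grep -qxF -- "$line" || printf -- '+ %s\n' "$line"
    done
}

# Number of differing lines; 0 means the rollback was complete.
rules_diff_count() {
    rules_diff "$1" "$2" | grep -c . || true
}

# --- Constructed sample snapshots (not captured from a real host) ---
tmp=$(mktemp -d)
BEFORE="$tmp/before.rules"
AFTER="$tmp/after.rules"

# "Before": a Docker host where some other tool (here the placeholder
# example-chain) had already hooked INPUT; DOCKER-USER holds only Docker's RETURN.
cat > "$BEFORE" <<'EOF'
# constructed sample, taken "before step 2"
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
:example-chain - [0:0]
-A INPUT -j example-chain
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -j RETURN
COMMIT
EOF

# "After": the rollback in step 4 reset the INPUT policy and re-added the
# DOCKER-USER RETURN, but "-F INPUT" also removed the pre-existing jump.
cat > "$AFTER" <<'EOF'
# constructed sample, taken "after step 4"
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DOCKER - [0:0]
:DOCKER-USER - [0:0]
:example-chain - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -o docker0 -j DOCKER
-A DOCKER-USER -j RETURN
COMMIT
EOF

# Stand-alone run: show what the rollback left different.
rules_diff "$BEFORE" "$AFTER"
```

If the diff comes back empty, the filter table is not where the change happened and the next things to compare are the nat table (same script, `iptables-save -t nat`) and the state of the containers themselves (for example whether the unbound container was recreated or only restarted); if it is not empty, restore the listed lines rather than flushing chains again.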


    @esackbauer blocking HTTP and HTTPS ports since I am going to use a reverse proxy

    If you have a reverse proxy, usually your mailcow is then running on a private IP anyways, or you have changed the bindings to 127.0.0.1 as per the reverse proxy docs (if it's running on the same host).
    Why the need to block it?
    Without properly describing your setup with reverse proxy it will be difficult to understand.

      @esackbauer practically - no. But I want to know why the DNS resolver stops working even after restoring the original iptables configuration, because it also affects other iptables setups.
