• esackbauer

    • Community Hero
    Moolevel 347
  • Edited

What OS is your root server running on? Was it updated lately?
Looks like it's not forwarding ICMP packets.
Have you tried updating docker versions manually?

  • cnc24

      Moolevel 1
    • Edited

    I’m running Debian 11 Bullseye. Below are the uname -a and dpkg -l outputs:

    root@mail:~# uname -a
    Linux mail.senditout.de 5.10.0-33-amd64 #1 SMP Debian 5.10.226-1 (2024-10-03) x86_64 GNU/Linux
    root@mail:~# dpkg -l | grep linux-
    ii binutils-x86-64-linux-gnu 2.35.2-2 amd64 GNU binary utilities, for x86-64-linux-gnu target
    ii firmware-linux-free 20200122-1 all Binary firmware for various drivers in the Linux kernel
    ii linux-base 4.6 all Linux image base package
    rc linux-image-5.10.0-10-amd64 5.10.84-1 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-11-amd64 5.10.92-2 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-12-amd64 5.10.103-1 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-13-amd64 5.10.106-1 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-14-amd64 5.10.113-1 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-15-amd64 5.10.120-1 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-16-amd64 5.10.127-2 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-17-amd64 5.10.136-1 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-18-amd64 5.10.140-1 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-19-amd64 5.10.149-2 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-20-amd64 5.10.158-2 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-21-amd64 5.10.162-1 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-22-amd64 5.10.178-3 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-23-amd64 5.10.179-3 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-24-amd64 5.10.179-5 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-25-amd64 5.10.191-1 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-26-amd64 5.10.197-1 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-27-amd64 5.10.205-2 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-28-amd64 5.10.209-2 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-29-amd64 5.10.216-1 amd64 Linux 5.10 for 64-bit PCs (signed)
    ii linux-image-5.10.0-32-amd64 5.10.223-1 amd64 Linux 5.10 for 64-bit PCs (signed)
    ii linux-image-5.10.0-33-amd64 5.10.226-1 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-8-amd64 5.10.46-5 amd64 Linux 5.10 for 64-bit PCs (signed)
    rc linux-image-5.10.0-9-amd64 5.10.70-1 amd64 Linux 5.10 for 64-bit PCs (signed)
    ii linux-image-amd64 5.10.226-1 amd64 Linux for 64-bit PCs (meta-package)
    ii util-linux-locales 2.36.1-8+deb11u2 all locales files for util-linux

    The last update was in October, I think.

    • cnc24

        Moolevel 1

      The docker versions are:

      docker compose version
      Docker Compose version v2.32.1

      docker --version
      Docker version 27.4.1, build b9d17ea

      • esackbauer

        • Community Hero
        Moolevel 347
      • Edited

      Are you using firewalld, UFW, or SELinux? If yes, disable them.

      • cnc24

          Moolevel 1

        I use ufw, but I get the same issue without ufw enabled.

        • DocFraggle

          • Community Hero
          Moolevel 245

        With ufw disabled and after restarting the stack, please post the output of

        iptables -L
        iptables -t nat -L
        • cnc24

            Moolevel 1

          Here the output:
          `root@mail:/opt/mailcow-dockerized# iptables -L
          Chain INPUT (policy ACCEPT)
          target prot opt source destination
          MAILCOW all – anywhere anywhere /* mailcow */
          ufw-before-logging-input all – anywhere anywhere
          ufw-before-input all – anywhere anywhere
          ufw-after-input all – anywhere anywhere
          ufw-after-logging-input all – anywhere anywhere
          ufw-reject-input all – anywhere anywhere
          ufw-track-input all – anywhere anywhere

          Chain FORWARD (policy ACCEPT)
          target prot opt source destination
          MAILCOW all – anywhere anywhere /* mailcow */
          DOCKER-USER all – anywhere anywhere
          DOCKER-ISOLATION-STAGE-1 all – anywhere anywhere
          ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
          DOCKER all – anywhere anywhere
          ACCEPT all – anywhere anywhere
          ACCEPT all – anywhere anywhere
          ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
          DOCKER all – anywhere anywhere
          ACCEPT all – anywhere anywhere
          ACCEPT all – anywhere anywhere
          ufw-before-logging-forward all – anywhere anywhere
          ufw-before-forward all – anywhere anywhere
          ufw-after-forward all – anywhere anywhere
          ufw-after-logging-forward all – anywhere anywhere
          ufw-reject-forward all – anywhere anywhere
          ufw-track-forward all – anywhere anywhere

          Chain OUTPUT (policy ACCEPT)
          target prot opt source destination
          ufw-before-logging-output all – anywhere anywhere
          ufw-before-output all – anywhere anywhere
          ufw-after-output all – anywhere anywhere
          ufw-after-logging-output all – anywhere anywhere
          ufw-reject-output all – anywhere anywhere
          ufw-track-output all – anywhere anywhere

          Chain DOCKER (2 references)
          target prot opt source destination
          ACCEPT tcp – anywhere 172.22.1.5 tcp dpt:8983
          ACCEPT tcp – anywhere 172.22.1.249 tcp dpt:redis
          ACCEPT tcp – anywhere 172.22.1.6 tcp dpt:mysql
          ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3
          ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imap2
          ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imaps
          ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3s
          ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:sieve
          ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:12345

          Chain DOCKER-ISOLATION-STAGE-1 (1 references)
          target prot opt source destination
          DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
          DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
          RETURN all – anywhere anywhere

          Chain DOCKER-ISOLATION-STAGE-2 (2 references)
          target prot opt source destination
          DROP all – anywhere anywhere
          DROP all – anywhere anywhere
          RETURN all – anywhere anywhere

          Chain DOCKER-USER (1 references)
          target prot opt source destination
          RETURN all – anywhere anywhere

          Chain MAILCOW (2 references)
          target prot opt source destination
          DROP all – 212.70.149.71 anywhere
          DROP tcp – anywhere anywhere /* mailcow isolation */

          Chain ufw-after-forward (1 references)
          target prot opt source destination

          Chain ufw-after-input (1 references)
          target prot opt source destination

          Chain ufw-after-logging-forward (1 references)
          target prot opt source destination

          Chain ufw-after-logging-input (1 references)
          target prot opt source destination

          Chain ufw-after-logging-output (1 references)
          target prot opt source destination

          Chain ufw-after-output (1 references)
          target prot opt source destination

          Chain ufw-before-forward (1 references)
          target prot opt source destination

          Chain ufw-before-input (1 references)
          target prot opt source destination

          Chain ufw-before-logging-forward (1 references)
          target prot opt source destination

          Chain ufw-before-logging-input (1 references)
          target prot opt source destination

          Chain ufw-before-logging-output (1 references)
          target prot opt source destination

          Chain ufw-before-output (1 references)
          target prot opt source destination

          Chain ufw-reject-forward (1 references)
          target prot opt source destination

          Chain ufw-reject-input (1 references)
          target prot opt source destination

          Chain ufw-reject-output (1 references)
          target prot opt source destination

          Chain ufw-track-forward (1 references)
          target prot opt source destination

          Chain ufw-track-input (1 references)
          target prot opt source destination

          Chain ufw-track-output (1 references)
          target prot opt source destination `

          And the output of the other command:

          `root@mail:/opt/mailcow-dockerized# iptables -t nat -L
          Chain PREROUTING (policy ACCEPT)
          target prot opt source destination
          DOCKER all – anywhere anywhere ADDRTYPE match dst-type LOCAL

          Chain INPUT (policy ACCEPT)
          target prot opt source destination

          Chain OUTPUT (policy ACCEPT)
          target prot opt source destination
          DOCKER all – anywhere !localhost/8 ADDRTYPE match dst-type LOCAL

          Chain POSTROUTING (policy ACCEPT)
          target prot opt source destination
          MASQUERADE all – 172.17.0.0/16 anywhere
          MASQUERADE tcp – 172.22.1.5 172.22.1.5 tcp dpt:8983
          MASQUERADE tcp – 172.22.1.249 172.22.1.249 tcp dpt:redis
          MASQUERADE tcp – 172.22.1.6 172.22.1.6 tcp dpt:mysql
          MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3
          MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imap2
          MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imaps
          MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3s
          MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:sieve
          MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:12345

          Chain DOCKER (2 references)
          target prot opt source destination
          RETURN all – anywhere anywhere
          RETURN all – anywhere anywhere
          DNAT tcp – anywhere localhost tcp dpt:18983 to:172.22.1.5:8983
          DNAT tcp – anywhere localhost tcp dpt:7654 to:172.22.1.249:6379
          DNAT tcp – anywhere localhost tcp dpt:13306 to:172.22.1.6:3306
          DNAT tcp – anywhere anywhere tcp dpt:pop3 to:172.22.1.250:110
          DNAT tcp – anywhere anywhere tcp dpt:imap2 to:172.22.1.250:143
          DNAT tcp – anywhere anywhere tcp dpt:imaps to:172.22.1.250:993
          DNAT tcp – anywhere anywhere tcp dpt:pop3s to:172.22.1.250:995
          DNAT tcp – anywhere anywhere tcp dpt:sieve to:172.22.1.250:4190
          DNAT tcp – anywhere localhost tcp dpt:19991 to:172.22.1.250:12345`

          • DocFraggle

            • Community Hero
            Moolevel 245

          ufw is still enabled…

          • cnc24

              Moolevel 1
            • Edited

            Strange. Here again is the output, with the ufw status command before it:
            root@mail:~# ufw status
            Status: inactive
            root@mail:~# C
            root@mail:~# iptables -L
            Chain INPUT (policy ACCEPT)
            target prot opt source destination
            MAILCOW all – anywhere anywhere /* mailcow */
            ufw-before-logging-input all – anywhere anywhere
            ufw-before-input all – anywhere anywhere
            ufw-after-input all – anywhere anywhere
            ufw-after-logging-input all – anywhere anywhere
            ufw-reject-input all – anywhere anywhere
            ufw-track-input all – anywhere anywhere

            Chain FORWARD (policy ACCEPT)
            target prot opt source destination
            MAILCOW all – anywhere anywhere /* mailcow */
            DOCKER-USER all – anywhere anywhere
            DOCKER-ISOLATION-STAGE-1 all – anywhere anywhere
            ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
            DOCKER all – anywhere anywhere
            ACCEPT all – anywhere anywhere
            ACCEPT all – anywhere anywhere
            ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
            DOCKER all – anywhere anywhere
            ACCEPT all – anywhere anywhere
            ACCEPT all – anywhere anywhere
            ufw-before-logging-forward all – anywhere anywhere
            ufw-before-forward all – anywhere anywhere
            ufw-after-forward all – anywhere anywhere
            ufw-after-logging-forward all – anywhere anywhere
            ufw-reject-forward all – anywhere anywhere
            ufw-track-forward all – anywhere anywhere

            Chain OUTPUT (policy ACCEPT)
            target prot opt source destination
            ufw-before-logging-output all – anywhere anywhere
            ufw-before-output all – anywhere anywhere
            ufw-after-output all – anywhere anywhere
            ufw-after-logging-output all – anywhere anywhere
            ufw-reject-output all – anywhere anywhere
            ufw-track-output all – anywhere anywhere

            Chain DOCKER (2 references)
            target prot opt source destination
            ACCEPT tcp – anywhere 172.22.1.5 tcp dpt:8983
            ACCEPT tcp – anywhere 172.22.1.249 tcp dpt:redis
            ACCEPT tcp – anywhere 172.22.1.6 tcp dpt:mysql
            ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3
            ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imap2
            ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imaps
            ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3s
            ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:sieve
            ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:12345

            Chain DOCKER-ISOLATION-STAGE-1 (1 references)
            target prot opt source destination
            DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
            DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
            RETURN all – anywhere anywhere

            Chain DOCKER-ISOLATION-STAGE-2 (2 references)
            target prot opt source destination
            DROP all – anywhere anywhere
            DROP all – anywhere anywhere
            RETURN all – anywhere anywhere

            Chain DOCKER-USER (1 references)
            target prot opt source destination
            RETURN all – anywhere anywhere

            Chain MAILCOW (2 references)
            target prot opt source destination
            DROP all – 212.70.149.71 anywhere
            DROP tcp – anywhere anywhere /* mailcow isolation */

            Chain ufw-after-forward (1 references)
            target prot opt source destination

            Chain ufw-after-input (1 references)
            target prot opt source destination

            Chain ufw-after-logging-forward (1 references)
            target prot opt source destination

            Chain ufw-after-logging-input (1 references)
            target prot opt source destination

            Chain ufw-after-logging-output (1 references)
            target prot opt source destination

            Chain ufw-after-output (1 references)
            target prot opt source destination

            Chain ufw-before-forward (1 references)
            target prot opt source destination

            Chain ufw-before-input (1 references)
            target prot opt source destination

            Chain ufw-before-logging-forward (1 references)
            target prot opt source destination

            Chain ufw-before-logging-input (1 references)
            target prot opt source destination

            Chain ufw-before-logging-output (1 references)
            target prot opt source destination

            Chain ufw-before-output (1 references)
            target prot opt source destination

            Chain ufw-reject-forward (1 references)
            target prot opt source destination

            Chain ufw-reject-input (1 references)
            target prot opt source destination

            Chain ufw-reject-output (1 references)
            target prot opt source destination

            Chain ufw-track-forward (1 references)
            target prot opt source destination

            Chain ufw-track-input (1 references)
            target prot opt source destination

            Chain ufw-track-output (1 references)
            target prot opt source destination
            root@mail:~# iptables -t nat -L
            Chain PREROUTING (policy ACCEPT)
            target prot opt source destination
            DOCKER all – anywhere anywhere ADDRTYPE match dst-type LOCAL

            Chain INPUT (policy ACCEPT)
            target prot opt source destination

            Chain OUTPUT (policy ACCEPT)
            target prot opt source destination
            DOCKER all – anywhere !localhost/8 ADDRTYPE match dst-type LOCAL

            Chain POSTROUTING (policy ACCEPT)
            target prot opt source destination
            MASQUERADE all – 172.17.0.0/16 anywhere
            MASQUERADE tcp – 172.22.1.5 172.22.1.5 tcp dpt:8983
            MASQUERADE tcp – 172.22.1.249 172.22.1.249 tcp dpt:redis
            MASQUERADE tcp – 172.22.1.6 172.22.1.6 tcp dpt:mysql
            MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3
            MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imap2
            MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imaps
            MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3s
            MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:sieve
            MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:12345

            Chain DOCKER (2 references)
            target prot opt source destination
            RETURN all – anywhere anywhere
            RETURN all – anywhere anywhere
            DNAT tcp – anywhere localhost tcp dpt:18983 to:172.22.1.5:8983
            DNAT tcp – anywhere localhost tcp dpt:7654 to:172.22.1.249:6379
            DNAT tcp – anywhere localhost tcp dpt:13306 to:172.22.1.6:3306
            DNAT tcp – anywhere anywhere tcp dpt:pop3 to:172.22.1.250:110
            DNAT tcp – anywhere anywhere tcp dpt:imap2 to:172.22.1.250:143
            DNAT tcp – anywhere anywhere tcp dpt:imaps to:172.22.1.250:993
            DNAT tcp – anywhere anywhere tcp dpt:pop3s to:172.22.1.250:995
            DNAT tcp – anywhere anywhere tcp dpt:sieve to:172.22.1.250:4190
            DNAT tcp – anywhere localhost tcp dpt:19991 to:172.22.1.250:12345
            root@mail:~#

            I don’t know what happened exactly, but suddenly after 9 minutes the unbound container started to get healthy 😃

            Now I’m getting emails again! 🙂

            I’ll try to activate ufw again now, or what do you prefer?
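
The listings posted above contain many `ufw-*` chains even though `ufw status` reports inactive, and each of those chain headers is followed by no rules. The script below is an added example, not posted by anyone in this thread: it counts the rules inside every `ufw-*` chain of `iptables -L` output so that empty chains can be told apart from chains that still filter traffic. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: count the rules inside each ufw-* chain of `iptables -L` output.
# Reads the listing on stdin and prints "<chain> <rule-count>" per ufw chain.
ufw_chain_rules() {
    awk '
        $1 == "Chain" {                 # "Chain NAME (policy ...)" or "(N references)"
            chain = $2
            if (chain ~ /^ufw-/) count[chain] = 0
            next
        }
        $1 == "target" || NF == 0 { next }   # column header or blank line
        chain ~ /^ufw-/ { count[chain]++ }   # any other line in a ufw chain is a rule
        END { for (c in count) print c, count[c] }
    ' | sort
}

# Exit status 0 if at least one ufw-* chain still holds rules, 1 if all are empty.
ufw_has_rules() {
    ufw_chain_rules | awk '$2 > 0 { found = 1 } END { exit !found }'
}

# Constructed sample, shortened from the shape of the listing in the thread:
# the built-in chain jumps to a ufw chain, but the ufw chains hold no rules.
sample_inactive() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
MAILCOW    all  --  anywhere             anywhere             /* mailcow */
ufw-before-input  all  --  anywhere      anywhere

Chain ufw-before-input (1 references)
target     prot opt source               destination

Chain ufw-track-input (1 references)
target     prot opt source               destination
EOF
}

# Constructed sample of a ufw chain that does hold a rule, for contrast.
sample_active() {
cat <<'EOF'
Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
EOF
}

sample_inactive | ufw_chain_rules
if sample_inactive | ufw_has_rules; then
    echo "ufw chains contain rules"
else
    echo "ufw chains are present but empty"
fi
```

On a live host the same functions can be fed with `iptables -L -n | ufw_chain_rules`.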

            • DocFraggle

              • Community Hero
              Moolevel 245

            You should disable it completely, see the docs.

            systemctl disable ufw

            And reboot afterwards

            • cnc24

                Moolevel 1

              But then would my server be open to the internet, because there is no other security feature?
