- Edited
What OS is your root server running on? Was it updated lately?
Looks like its not forwarding ICMP packets.
Have you tried updating docker versions manually?
English
What OS is your root server running on? Was it updated lately?
Looks like its not forwarding ICMP packets.
Have you tried updating docker versions manually?
I’m running Debian 11 Bullseye. down here the uname -a and dpkg -l Outputs:
root@mail:~# uname -a
Linux mail.senditout.de 5.10.0-33-amd64 #1 SMP Debian 5.10.226-1 (2024-10-03) x86_64 GNU/Linux
root@mail:~# dpkg -l | grep linux-
ii binutils-x86-64-linux-gnu 2.35.2-2 amd64 GNU binary utilities, for x86-64-linux-gnu target
ii firmware-linux-free 20200122-1 all Binary firmware for various drivers in the Linux kernel
ii linux-base 4.6 all Linux image base package
rc linux-image-5.10.0-10-amd64 5.10.84-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-11-amd64 5.10.92-2 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-12-amd64 5.10.103-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-13-amd64 5.10.106-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-14-amd64 5.10.113-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-15-amd64 5.10.120-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-16-amd64 5.10.127-2 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-17-amd64 5.10.136-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-18-amd64 5.10.140-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-19-amd64 5.10.149-2 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-20-amd64 5.10.158-2 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-21-amd64 5.10.162-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-22-amd64 5.10.178-3 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-23-amd64 5.10.179-3 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-24-amd64 5.10.179-5 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-25-amd64 5.10.191-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-26-amd64 5.10.197-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-27-amd64 5.10.205-2 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-28-amd64 5.10.209-2 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-29-amd64 5.10.216-1 amd64 Linux 5.10 for 64-bit PCs (signed)
ii linux-image-5.10.0-32-amd64 5.10.223-1 amd64 Linux 5.10 for 64-bit PCs (signed)
ii linux-image-5.10.0-33-amd64 5.10.226-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-8-amd64 5.10.46-5 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-9-amd64 5.10.70-1 amd64 Linux 5.10 for 64-bit PCs (signed)
ii linux-image-amd64 5.10.226-1 amd64 Linux for 64-bit PCs (meta-package)
ii util-linux-locales 2.36.1-8+deb11u2 all locales files for util-linux
Last Update was at October i think.
The docker versions are:
docker compose version
Docker Compose version v2.32.1
docker --version
Docker version 27.4.1, build b9d17ea
Are you using firewalld, UFW, or SELinux? if yes, disable them.
I use ufw but i get the same issue without ufw enabled
With ufw disabled and after restarting the stack, please post the output of
iptables -L
iptables -t nat -L
Here the output:
`root@mail:/opt/mailcow-dockerized# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */
ufw-before-logging-input all – anywhere anywhere
ufw-before-input all – anywhere anywhere
ufw-after-input all – anywhere anywhere
ufw-after-logging-input all – anywhere anywhere
ufw-reject-input all – anywhere anywhere
ufw-track-input all – anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */
DOCKER-USER all – anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ufw-before-logging-forward all – anywhere anywhere
ufw-before-forward all – anywhere anywhere
ufw-after-forward all – anywhere anywhere
ufw-after-logging-forward all – anywhere anywhere
ufw-reject-forward all – anywhere anywhere
ufw-track-forward all – anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all – anywhere anywhere
ufw-before-output all – anywhere anywhere
ufw-after-output all – anywhere anywhere
ufw-after-logging-output all – anywhere anywhere
ufw-reject-output all – anywhere anywhere
ufw-track-output all – anywhere anywhere
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp – anywhere 172.22.1.5 tcp dpt:8983
ACCEPT tcp – anywhere 172.22.1.249 tcp dpt:redis
ACCEPT tcp – anywhere 172.22.1.6 tcp dpt:mysql
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imap2
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imaps
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3s
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:sieve
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:12345
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
RETURN all – anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all – anywhere anywhere
DROP all – anywhere anywhere
RETURN all – anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all – anywhere anywhere
Chain MAILCOW (2 references)
target prot opt source destination
DROP all – 212.70.149.71 anywhere
DROP tcp – anywhere anywhere /* mailcow isolation */
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
Chain ufw-after-logging-input (1 references)
target prot opt source destination
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
Chain ufw-before-input (1 references)
target prot opt source destination
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-track-forward (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination `
and the output of the other comand
`root@mail:/opt/mailcow-dockerized# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all – anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all – anywhere !localhost/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all – 172.17.0.0/16 anywhere
MASQUERADE tcp – 172.22.1.5 172.22.1.5 tcp dpt:8983
MASQUERADE tcp – 172.22.1.249 172.22.1.249 tcp dpt:redis
MASQUERADE tcp – 172.22.1.6 172.22.1.6 tcp dpt:mysql
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imap2
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imaps
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3s
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:sieve
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:12345
Chain DOCKER (2 references)
target prot opt source destination
RETURN all – anywhere anywhere
RETURN all – anywhere anywhere
DNAT tcp – anywhere localhost tcp dpt:18983 to:172.22.1.5:8983
DNAT tcp – anywhere localhost tcp dpt:7654 to:172.22.1.249:6379
DNAT tcp – anywhere localhost tcp dpt:13306 to:172.22.1.6:3306
DNAT tcp – anywhere anywhere tcp dpt:pop3 to:172.22.1.250:110
DNAT tcp – anywhere anywhere tcp dpt:imap2 to:172.22.1.250:143
DNAT tcp – anywhere anywhere tcp dpt:imaps to:172.22.1.250:993
DNAT tcp – anywhere anywhere tcp dpt:pop3s to:172.22.1.250:995
DNAT tcp – anywhere anywhere tcp dpt:sieve to:172.22.1.250:4190
DNAT tcp – anywhere localhost tcp dpt:19991 to:172.22.1.250:12345`
ufw is still enabled…
strange here again the output with ufw status command before
root@mail:~# ufw status
Status: inactive
root@mail:~# C
root@mail:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */
ufw-before-logging-input all – anywhere anywhere
ufw-before-input all – anywhere anywhere
ufw-after-input all – anywhere anywhere
ufw-after-logging-input all – anywhere anywhere
ufw-reject-input all – anywhere anywhere
ufw-track-input all – anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
MAILCOW all – anywhere anywhere /* mailcow */
DOCKER-USER all – anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all – anywhere anywhere
ACCEPT all – anywhere anywhere
ACCEPT all – anywhere anywhere
ufw-before-logging-forward all – anywhere anywhere
ufw-before-forward all – anywhere anywhere
ufw-after-forward all – anywhere anywhere
ufw-after-logging-forward all – anywhere anywhere
ufw-reject-forward all – anywhere anywhere
ufw-track-forward all – anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all – anywhere anywhere
ufw-before-output all – anywhere anywhere
ufw-after-output all – anywhere anywhere
ufw-after-logging-output all – anywhere anywhere
ufw-reject-output all – anywhere anywhere
ufw-track-output all – anywhere anywhere
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp – anywhere 172.22.1.5 tcp dpt:8983
ACCEPT tcp – anywhere 172.22.1.249 tcp dpt:redis
ACCEPT tcp – anywhere 172.22.1.6 tcp dpt:mysql
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imap2
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:imaps
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:pop3s
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:sieve
ACCEPT tcp – anywhere 172.22.1.250 tcp dpt:12345
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all – anywhere anywhere
RETURN all – anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all – anywhere anywhere
DROP all – anywhere anywhere
RETURN all – anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all – anywhere anywhere
Chain MAILCOW (2 references)
target prot opt source destination
DROP all – 212.70.149.71 anywhere
DROP tcp – anywhere anywhere /* mailcow isolation */
Chain ufw-after-forward (1 references)
target prot opt source destination
Chain ufw-after-input (1 references)
target prot opt source destination
Chain ufw-after-logging-forward (1 references)
target prot opt source destination
Chain ufw-after-logging-input (1 references)
target prot opt source destination
Chain ufw-after-logging-output (1 references)
target prot opt source destination
Chain ufw-after-output (1 references)
target prot opt source destination
Chain ufw-before-forward (1 references)
target prot opt source destination
Chain ufw-before-input (1 references)
target prot opt source destination
Chain ufw-before-logging-forward (1 references)
target prot opt source destination
Chain ufw-before-logging-input (1 references)
target prot opt source destination
Chain ufw-before-logging-output (1 references)
target prot opt source destination
Chain ufw-before-output (1 references)
target prot opt source destination
Chain ufw-reject-forward (1 references)
target prot opt source destination
Chain ufw-reject-input (1 references)
target prot opt source destination
Chain ufw-reject-output (1 references)
target prot opt source destination
Chain ufw-track-forward (1 references)
target prot opt source destination
Chain ufw-track-input (1 references)
target prot opt source destination
Chain ufw-track-output (1 references)
target prot opt source destination
root@mail:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all – anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all – anywhere !localhost/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all – 172.17.0.0/16 anywhere
MASQUERADE tcp – 172.22.1.5 172.22.1.5 tcp dpt:8983
MASQUERADE tcp – 172.22.1.249 172.22.1.249 tcp dpt:redis
MASQUERADE tcp – 172.22.1.6 172.22.1.6 tcp dpt:mysql
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imap2
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:imaps
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:pop3s
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:sieve
MASQUERADE tcp – 172.22.1.250 172.22.1.250 tcp dpt:12345
Chain DOCKER (2 references)
target prot opt source destination
RETURN all – anywhere anywhere
RETURN all – anywhere anywhere
DNAT tcp – anywhere localhost tcp dpt:18983 to:172.22.1.5:8983
DNAT tcp – anywhere localhost tcp dpt:7654 to:172.22.1.249:6379
DNAT tcp – anywhere localhost tcp dpt:13306 to:172.22.1.6:3306
DNAT tcp – anywhere anywhere tcp dpt:pop3 to:172.22.1.250:110
DNAT tcp – anywhere anywhere tcp dpt:imap2 to:172.22.1.250:143
DNAT tcp – anywhere anywhere tcp dpt:imaps to:172.22.1.250:993
DNAT tcp – anywhere anywhere tcp dpt:pop3s to:172.22.1.250:995
DNAT tcp – anywhere anywhere tcp dpt:sieve to:172.22.1.250:4190
DNAT tcp – anywhere localhost tcp dpt:19991 to:172.22.1.250:12345
root@mail:~#
I don’t know what happend excatly, but suddenly after 9 minitues the unbound container startet to get healthy
Now i’m getting again emails!
I try to activate now ufw again, or what do you prefer?
You should disable it completely, see the docs.
systemctl disable ufw
And reboot afterwards
but then would my server be open in the internet, because there is no other security feature?