Hey all

Updating to 2025-03a on Ubuntu 20.04.6 I hit this problem: mailcow/mailcow-dockerized issue "2025-3 netfilter crashes"


What is this iptables chain protecting us against?

Chain MAILCOW (2 references)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 3306,6379,8983,12345

I can't seem to find anything in my mailcow that is listening on these ports

3306 would be the mariadb server in the mysql-mailcow container, but that port number is not bound to anything that is accessible. The mariadb instance is bound to port 13306 on localhost.

The other ports don't seem to have any relevance.

Thanks

  • 3306 - MariaDB
    6379 - Redis
    8983 - Solr (previous full-text search, now removed since ?2025-01?)
    12345 - Dovecot

    About the purpose, you will need to see the full iptables; I would guess somewhere before this, iptables accepts those ports from a specific source, aka from within mailcow, and the rest are dropped (0.0.0.0/0) from everywhere else.


ETNyx

3306 - MariaDB
6379 - Redis
8983 - Solr (previous full-text search, now removed since ?2025-01?)
12345 - Dovecot

Thanks, I should have looked more deeply into my docker-compose.yml file. I was just focused on the open ports.

About the purpose, you will need to see the full iptables; I would guess somewhere before this, iptables accepts those ports from a specific source, aka from within mailcow, and the rest are dropped (0.0.0.0/0) from everywhere else.

Correct, the DOCKER chain enables some of them for the relevant container destination (no solr, assume deprecated) and drops everything else:

Chain DOCKER (2 references)
target     prot opt source               destination
[snip]
ACCEPT     tcp  --  0.0.0.0/0            172.22.1.250         tcp dpt:12345
ACCEPT     tcp  --  0.0.0.0/0            172.22.1.5           tcp dpt:3306
ACCEPT     tcp  --  0.0.0.0/0            172.22.1.249         tcp dpt:6379
[snip]
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

And then the DROP rule previously mentioned discards access from any other source to any other destination on those ports.

Thanks for the pointer.
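To check this chain interplay without reading the listing by hand, here is an added example (not code from the thread or from mailcow) that parses `iptables -L -n` style output and, for every port the MAILCOW chain drops, reports which container destinations the DOCKER chain still ACCEPTs it for. The sample listings are constructed from the output quoted above, so 8983 (Solr) comes out with no ACCEPT at all.

```python
import re

# Constructed sample taken from the chain listings quoted in this thread
# (`iptables -L -n` format); not live firewall state.
MAILCOW_CHAIN = """\
Chain MAILCOW (2 references)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 3306,6379,8983,12345
"""
DOCKER_CHAIN = """\
Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.22.1.250         tcp dpt:12345
ACCEPT     tcp  --  0.0.0.0/0            172.22.1.5           tcp dpt:3306
ACCEPT     tcp  --  0.0.0.0/0            172.22.1.249         tcp dpt:6379
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""

def parse_rules(listing):
    """Yield (target, proto, src, dst, extra) per rule line, skipping headers."""
    for line in listing.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5 or fields[0] in ("Chain", "target"):
            continue
        target, proto, _opt, src, dst = fields[:5]
        yield target, proto, src, dst, fields[5] if len(fields) > 5 else ""

def dropped_ports(listing):
    """Every port a DROP rule covers, in `dpt:N` or `multiport dports A,B` form."""
    ports = set()
    for target, _p, _s, _d, extra in parse_rules(listing):
        m = re.search(r"(?:dpt:|dports )([\d,]+)", extra)
        if target == "DROP" and m:
            ports.update(int(p) for p in m.group(1).split(","))
    return ports

def accepted_destinations(listing):
    """Map port -> set of destination addresses an ACCEPT rule allows."""
    dests = {}
    for target, _p, _s, dst, extra in parse_rules(listing):
        m = re.search(r"dpt:(\d+)", extra)
        if target == "ACCEPT" and m:
            dests.setdefault(int(m.group(1)), set()).add(dst)
    return dests

def exposure_report(mailcow_chain, docker_chain):
    """For each port MAILCOW drops, the container destinations DOCKER still
    accepts it for; an empty list means the port is unreachable everywhere."""
    accepts = accepted_destinations(docker_chain)
    return {port: sorted(accepts.get(port, ()))
            for port in sorted(dropped_ports(mailcow_chain))}
```

Plain `iptables -L -n` omits the in/out interface match that Docker also attaches to these ACCEPT rules; add `-v` if you want to see which bridge the traffic must arrive on.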
