Mailcow unbound Container Cannot Reach the Internet on OCI

PixelX

Hi everyone,

I’m running Mailcow on Ubuntu in Oracle Cloud Infrastructure (OCI), and the unbound-mailcow container cannot reach the internet. It fails to ping 1.1.1.1 (100% packet loss) and cannot resolve DNS (e.g., google.com), causing it to be marked as unhealthy.

Details:

Host: Ubuntu on OCI, host can ping 1.1.1.1 and resolve DNS (dig +short google.com works).
Mailcow Network: br-mailcow bridge (172.22.1.0/24).
Issue: unbound-mailcow (IP: 172.22.1.254) cannot ping 1.1.1.1 or resolve DNS.
Logs: 2025-04-18 23:49:53: Healthcheck: Failed to ping 1.1.1.1 on attempt 1… 2025-04-18 23:51:48: Healthcheck: DNS Resolution not possible for hub.docker.com…
What I’ve Tried:
Disabled unbound health check in docker-compose.yml.
Added iptables rules to DOCKER-FORWARD: sudo iptables -I DOCKER-FORWARD 1 -i br-mailcow -j ACCEPT sudo iptables -I DOCKER-FORWARD 2 -o br-mailcow -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT
IP forwarding is enabled (net.ipv4.ip_forward = 1).
POSTROUTING shows no packets hitting the MASQUERADE rule: Chain POSTROUTING (policy ACCEPT 45 packets, 2989 bytes) pkts bytes target prot opt in out source destination 0 0 MASQUERADE all – * !br-mailcow 172.22.1.0/24 0.0.0.0/0
Questions:

Why isn’t traffic from unbound hitting the MASQUERADE rule in POSTROUTING?
Could DOCKER-ISOLATION-STAGE-2 be dropping traffic? How can I check?
Any tips to debug this further?
Thanks for any help!

DocFraggle

Do you have ufw enabled on your Ubuntu server? I suggest you disable it completely (as mentioned in the docs)

IIRC three are some known problems with running mailcow in OC. If you’re using the free tier, port 25 to external is blocked and you will need a relay service, something like that

PixelX

DocFraggle

Thanks to DocFraggle for the suggestion! I’m providing an update on my issue with the unbound-mailcow container not reaching the internet on Oracle Cloud Infrastructure (OCI). I’m PixelX from the original post.

Recap of the Issue

The unbound-mailcow container (IP: 172.22.1.254) on my Ubuntu server in OCI cannot ping 1.1.1.1 (100% packet loss) or resolve DNS (e.g., google.com). The host itself can ping 1.1.1.1 and resolve DNS fine. I disabled the health check in docker-compose.yml to allow other containers to start.

What I’ve Done Based on Suggestions

UFW: I checked ufw as suggested, and it’s already inactive (sudo ufw status shows Status: inactive), so it’s not the issue.
Port 25 Note: DocFraggle mentioned that OCI’s free tier blocks port 25, but since my issue is with ICMP (ping) and DNS (UDP/53), I don’t think this applies yet. I’ll keep it in mind for email setup later.

Troubleshooting Updates
DOCKER-ISOLATION-STAGE-2: I checked this chain, which initially had a DROP rule for br-mailcow traffic. I added ACCEPT rules to allow traffic:

sudo iptables -I DOCKER-ISOLATION-STAGE-2 1 -o br-mailcow -j ACCEPT
sudo iptables -I DOCKER-ISOLATION-STAGE-2 2 -i br-mailcow -j ACCEPT

However, packet counters showed no traffic reaching this chain, likely because my DOCKER-FORWARD rules are bypassing it:

Chain DOCKER-FORWARD (1 references)
pkts bytes target prot opt in out source destination
13 840 ACCEPT all – br-mailcow * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all – * br-mailcow 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
tcpdump Results:
On br-mailcow, I see ICMP packets leaving the container:

08:20:25.081171 IP 172.22.1.254 > one.one.one.one: ICMP echo request, id 120, seq 0, length 64
On enp0s6 (external interface), no packets from 10.0.0.227 to 1.1.1.1 are captured, only unrelated ICMP traffic from external IPs to the host.
FORWARD Chain:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
359 21984 DOCKER-USER all – * * 0.0.0.0/0 0.0.0.0/0
359 21984 DOCKER-FORWARD all – * * 0.0.0.0/0 0.0.0.0/0
I tested with FORWARD policy set to ACCEPT and DROP, but it made no difference.
DOCKER-USER Chain:

Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
9472 699K RETURN all – * * 0.0.0.0/0 0.0.0.0/0
I flushed and re-added the RETURN rule, but no change.
mangle Table: The FORWARD chain in the mangle table is empty, so it’s not the issue.
Test with Alpine Container: I ran a simple container on the default docker0 bridge (docker run -it –rm alpine sh) and tried to ping 1.1.1.1. It also failed with 100% packet loss, suggesting this issue affects all containers, not just Mailcow.
POSTROUTING: Still no packets hitting the MASQUERADE rule:

Chain POSTROUTING (policy ACCEPT 18 packets, 1123 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all – * !br-mailcow 172.22.1.0/24 0.0.0.0/0
Current State

Packets are leaving the container and reaching br-mailcow, and they’re accepted in DOCKER-FORWARD, but they’re dropped before reaching POSTROUTING or the external interface (enp0s6). Since the host can ping 1.1.1.1, the issue seems specific to container traffic. I suspect either a kernel-level NAT issue or an OCI restriction on container traffic.

Questions

What could be dropping packets between FORWARD and POSTROUTING? Are there other iptables chains or kernel settings I should check?
Could this be an OCI-specific issue with container traffic, even though the host can ping 1.1.1.1? I’ve checked OCI security rules, and they allow outbound ICMP and UDP/53 to 0.0.0.0/0.
Any other debugging suggestions? I couldn’t check kernel logs (dmesg returned “Operation not permitted”).
Thanks for any help!