Thanks to DocFraggle for the suggestion! I’m providing an update on my issue with the unbound-mailcow container not reaching the internet on Oracle Cloud Infrastructure (OCI). I’m PixelX from the original post.
Recap of the Issue
The unbound-mailcow container (IP: 172.22.1.254) on my Ubuntu server in OCI cannot ping 1.1.1.1 (100% packet loss) or resolve DNS (e.g., google.com). The host itself can ping 1.1.1.1 and resolve DNS fine. I disabled the health check in docker-compose.yml to allow other containers to start.
What I’ve Done Based on Suggestions
UFW: I checked ufw as suggested, and it’s already inactive (sudo ufw status shows Status: inactive), so it’s not the issue.
Port 25 Note: DocFraggle mentioned that OCI’s free tier blocks port 25, but since my issue is with ICMP (ping) and DNS (UDP/53), I don’t think this applies yet. I’ll keep it in mind for email setup later.
Troubleshooting Updates
DOCKER-ISOLATION-STAGE-2: I checked this chain, which initially had a DROP rule for br-mailcow traffic. I added ACCEPT rules to allow traffic:
sudo iptables -I DOCKER-ISOLATION-STAGE-2 1 -o br-mailcow -j ACCEPT
sudo iptables -I DOCKER-ISOLATION-STAGE-2 2 -i br-mailcow -j ACCEPT
However, packet counters showed no traffic reaching this chain, likely because my DOCKER-FORWARD rules are bypassing it:
Chain DOCKER-FORWARD (1 references)
 pkts bytes target     prot opt in          out         source               destination
   13   840 ACCEPT     all  --  br-mailcow  *           0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *           br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
tcpdump Results:
On br-mailcow, I see ICMP packets leaving the container:
08:20:25.081171 IP 172.22.1.254 > one.one.one.one: ICMP echo request, id 120, seq 0, length 64
On enp0s6 (external interface), no packets from 10.0.0.227 to 1.1.1.1 are captured, only unrelated ICMP traffic from external IPs to the host.
FORWARD Chain:
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target          prot opt in  out  source      destination
  359 21984 DOCKER-USER     all  --  *   *    0.0.0.0/0   0.0.0.0/0
  359 21984 DOCKER-FORWARD  all  --  *   *    0.0.0.0/0   0.0.0.0/0
I tested with FORWARD policy set to ACCEPT and DROP, but it made no difference.
DOCKER-USER Chain:
Chain DOCKER-USER (1 references)
 pkts bytes target  prot opt in  out  source      destination
 9472  699K RETURN  all  --  *   *    0.0.0.0/0   0.0.0.0/0
I flushed and re-added the RETURN rule, but no change.
mangle Table: The FORWARD chain in the mangle table is empty, so it’s not the issue.
Test with Alpine Container: I ran a simple container on the default docker0 bridge (docker run -it --rm alpine sh) and tried to ping 1.1.1.1. It also failed with 100% packet loss, suggesting this issue affects all containers, not just Mailcow.
POSTROUTING: Still no packets hitting the MASQUERADE rule:
Chain POSTROUTING (policy ACCEPT 18 packets, 1123 bytes)
 pkts bytes target      prot opt in  out          source          destination
    0     0 MASQUERADE  all  --  *   !br-mailcow  172.22.1.0/24   0.0.0.0/0
Current State
Packets are leaving the container and reaching br-mailcow, and they’re accepted in DOCKER-FORWARD, but they’re dropped before reaching POSTROUTING or the external interface (enp0s6). Since the host can ping 1.1.1.1, the issue seems specific to container traffic. I suspect either a kernel-level NAT issue or an OCI restriction on container traffic.
Questions
What could be dropping packets between FORWARD and POSTROUTING? Are there other iptables chains or kernel settings I should check?
Could this be an OCI-specific issue with container traffic, even though the host can ping 1.1.1.1? I’ve checked OCI security rules, and they allow outbound ICMP and UDP/53 to 0.0.0.0/0.
Any other debugging suggestions? I couldn’t check kernel logs (dmesg returned “Operation not permitted”).
Thanks for any help!
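The post asks which other chains and kernel settings sit between FORWARD and POSTROUTING. The script below is an added example, not part of PixelX's post or of mailcow: it gathers, in one run on the Docker host, the settings and counters that decide whether bridged container traffic is routed and NAT-ed (net.ipv4.ip_forward, rp_filter on the bridge and external interface, bridge-nf-call-iptables, DROP/REJECT rules in the raw, mangle and filter tables, the raw PREROUTING chain, the nft view of the ruleset, conntrack entries for the container subnet, and recent kernel log lines). The interface names and subnet defaults (br-mailcow, enp0s6, 172.22.1.0/24) are taken from the post; the check functions, their verdict strings and the constructed sample output are my own assumptions.

```shell
#!/bin/sh
# docker-egress-check.sh (added example, not from the original post)
# Usage on the Docker host:  sudo sh docker-egress-check.sh br-mailcow enp0s6 172.22.1.0/24
BRIDGE="${1:-br-mailcow}"
EXT_IF="${2:-enp0s6}"
SUBNET="${3:-172.22.1.0/24}"

# --- pure check functions: take values, print a verdict, need no root --------

# $1 = contents of /proc/sys/net/ipv4/ip_forward
check_ip_forward() {
    if [ "$1" = "1" ]; then echo "ok"
    else echo "FAIL: net.ipv4.ip_forward=$1, the kernel will not route between interfaces"; fi
}

# $1 = interface, $2 = rp_filter value (0 off, 1 strict, 2 loose).
# Strict reverse-path filtering silently drops forwarded packets whose reply
# would leave via another interface; log_martians=1 makes those drops visible.
check_rp_filter() {
    case "$2" in
        0|2) echo "ok" ;;
        1)   echo "WARN: rp_filter=1 (strict) on $1; set to 2 (loose) or 0 while testing" ;;
        *)   echo "FAIL: unexpected rp_filter value '$2' on $1" ;;
    esac
}

# stdin = `iptables -t nat -vnxL POSTROUTING`; prints how many MASQUERADE rules
# have a zero packet counter. Only the first packet of each conntrack flow
# traverses the nat table, so a 0 is meaningful only for freshly started flows.
zero_hit_masquerade() {
    awk '$3 == "MASQUERADE" && $1 == 0 { n++ } END { print n + 0 }'
}

# stdin = any `iptables -vnxL` listing; prints the number of DROP/REJECT rules.
count_drop_rules() {
    awk '$3 == "DROP" || $3 == "REJECT" { n++ } END { print n + 0 }'
}

# Constructed sample (the POSTROUTING listing from the post plus a second,
# hit MASQUERADE rule) so the parser can be exercised without root.
SAMPLE_POSTROUTING='Chain POSTROUTING (policy ACCEPT 18 packets, 1123 bytes)
 pkts bytes target      prot opt in  out          source          destination
    0     0 MASQUERADE  all  --  *   !br-mailcow  172.22.1.0/24   0.0.0.0/0
   42  2520 MASQUERADE  all  --  *   !docker0     172.17.0.0/16   0.0.0.0/0'

demo_offline() {
    printf '%s\n' "$SAMPLE_POSTROUTING" | zero_hit_masquerade
}

# --- live checks, run as root on the host -----------------------------------
run_live_checks() {
    [ -r /proc/sys/net/ipv4/ip_forward ] || { echo "no /proc/sys/net, skipping live checks"; return 0; }
    echo "ip_forward: $(check_ip_forward "$(cat /proc/sys/net/ipv4/ip_forward)")"
    for ifc in "$BRIDGE" "$EXT_IF" all; do
        f="/proc/sys/net/ipv4/conf/$ifc/rp_filter"
        [ -r "$f" ] && echo "rp_filter $ifc: $(check_rp_filter "$ifc" "$(cat "$f")")"
    done
    # Docker expects 1 here so that bridged traffic traverses iptables at all.
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -r "$f" ] && echo "bridge-nf-call-iptables: $(cat "$f")"
    if command -v iptables >/dev/null 2>&1; then
        echo "zero-hit MASQUERADE rules: $(iptables -t nat -vnxL POSTROUTING 2>/dev/null | zero_hit_masquerade)"
        for t in raw mangle filter; do
            echo "DROP/REJECT rules in $t table: $(iptables -t "$t" -vnxL 2>/dev/null | count_drop_rules)"
        done
        echo "raw PREROUTING (a NOTRACK/DROP here bypasses conntrack and NAT):"
        iptables -t raw -vnxL PREROUTING 2>/dev/null
    fi
    # Docker may program rules through iptables-nft while `iptables` is the legacy binary; show the nft view too.
    command -v nft >/dev/null 2>&1 && echo "nft ruleset lines: $(nft list ruleset 2>/dev/null | grep -c .)"
    # Conntrack entries for the container subnet show whether a reply tuple with the host address was created.
    prefix="${SUBNET%/*}"; prefix="${prefix%.*}."
    command -v conntrack >/dev/null 2>&1 && conntrack -L 2>/dev/null | grep -F "src=$prefix" | head -n 10
    # dmesg_restrict blocks unprivileged dmesg; root dmesg or journalctl -k still works.
    { dmesg 2>/dev/null || journalctl -k -n 200 2>/dev/null; } | grep -iE 'martian|drop|reject' | tail -n 20
    return 0
}

echo "offline sample: $(demo_offline) zero-hit MASQUERADE rule(s)"
if [ "$(id -u)" = "0" ]; then run_live_checks; else echo "re-run as root for the live checks"; fi
```

Two caveats worth keeping in mind when reading the output: the nat POSTROUTING counters only advance for the first packet of a new conntrack flow, so test with fresh pings and DNS queries rather than trusting an old 0; and the ACCEPT rules the post inserted at the top of DOCKER-ISOLATION-STAGE-2 disable Docker's isolation between user-defined bridges, so once the counters have shown that chain is not on the path they are better removed.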