Issues with mailcow suddely beginning to block incoming connections to port 25.

ivarh

When mailcow bans an ip address it adds the banned ip address to a iptables chain named MAILCOW, this chains content persists across reboots even if i remove the mail containers with docker compose down and reboot the host. When the host is back up the MAILCOW chain still has its old content. When i then restart mailcow with docker compose up -d it adds the content again to the chain causing duplicate entries that looks like this:

Chain MAILCOW (11 references)
target prot opt source destination
DROP 0 – 81.30.107.0/24 0.0.0.0/0
DROP 6 – 0.0.0.0/0 0.0.0.0/0 /* mailcow isolation */
DROP 0 – 193.46.255.40 0.0.0.0/0
DROP 0 – 81.30.107.0/24 0.0.0.0/0
root@mailcow:~/mailcow-dockerized#

this is the block list as viewed in the web interface:
81.30.107.0/24

if i do a docker compose restart the chain grows again:
Chain MAILCOW (11 references)
target prot opt source destination
DROP 0 – 81.30.107.0/24 0.0.0.0/0
DROP 6 – 0.0.0.0/0 0.0.0.0/0 /* mailcow isolation */
DROP 0 – 81.30.107.0/24 0.0.0.0/0
DROP 0 – 193.46.255.40 0.0.0.0/0
DROP 0 – 81.30.107.0/24 0.0.0.0/0

if I now run a docker compose remove and reboot the chain retains it content across reboot. Some times it ends up ducplicating this line as well:
DROP 6 – 0.0.0.0/0 0.0.0.0/0 /* mailcow isolation */

when this happens i can no longer connect to port 25 over ipv4 and the only way to recover is to manually run
iptables -F MAILCOW and restart mailcow.

ivarh

It has happened again. Here is the output from iptables while incoming ipv4 (only) traffic to port 25 is being blocked:

root@mailcow:~# sudo iptables -L -v -n --line-numbers                                                                                                                                                                                     
Chain INPUT (policy ACCEPT 1571K packets, 112M bytes)                                                                                                                                                                                     
num   pkts bytes target     prot opt in     out     source               destination                                                                                                                                                      
1    1571K  112M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */                                                                                                                               
2        0     0 ACCEPT     17   --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:52821 /* wireguard-input-rule */                                                                                                    
3    1571K  112M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */                                                                                                                               
4    1571K  112M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */                                                                                                                               
5    1571K  112M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */                                                                                                                               
6    1571K  112M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */                                                                                                                               
                                                                                                                                                                                                                                          
Chain FORWARD (policy DROP 0 packets, 0 bytes)                                                                                                                                                                                            
num   pkts bytes target     prot opt in     out     source               destination                                                                                                                                                      
1    70821   34M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */                                                                                                                               
2    55145   33M DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                                                                      
3    55145   33M DOCKER-FORWARD  0    --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                                                                   
4        0     0 ACCEPT     0    --  eth0   wg0     0.0.0.0/0            10.123.67.0/24       ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */                                                                                    
5        0     0 ACCEPT     0    --  wg0    eth0    10.123.67.0/24       0.0.0.0/0            /* wireguard-forward-rule */                                                                                                                
6        0     0 MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */                                                                                                                               
7        0     0 MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */                                                                                                                               
8        0     0 MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */                                                                                                                               
9        0     0 MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */                                                                                                                               
10       0     0 MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */                                                                                                                               
                                                                                                                                                                                                                                          
Chain OUTPUT (policy ACCEPT 195K packets, 6190M bytes)                                                                                                                                                                                    
num   pkts bytes target     prot opt in     out     source               destination                                                                                                                                                      
                                                                                                                                                                                                                                          
Chain DOCKER (2 references)                                                                                                                                                                                                               
num   pkts bytes target     prot opt in     out     source               destination                                                                                                                                                      
1        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587                                                                                                                        
2        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465                                                                                                                        
3        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25                                                                                                                         
4        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345                                                                                                                      
5        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190                                                                                                                       
6        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995                                                                                                                        
7        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993                                                                                                                        
8        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143                                                                                                                        
9        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110                                                                                                                        
10       0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:443                                                                                                                        
11       0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:80                                                                                                                         
12       0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379                                                                                                                       
13       0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.7           tcp dpt:3306                                                                                                                       
14     210 12600 ACCEPT     6    --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:9001                                                                                                                             
15       0     0 DROP       0    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0                                                                                                                                               
16       0     0 DROP       0    --  !docker0 docker0  0.0.0.0/0            0.0.0.0/0                                                                                                                                                     
                                                                                                                                                                                                                                          
Chain DOCKER-BRIDGE (1 references)                                                                                                                                                                                                        
num   pkts bytes target     prot opt in     out     source               destination                                                                                                                                                      
1        0     0 DOCKER     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0                                                                                                                                                    
2      210 12600 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0                                                                                                                                                       
                                                                                                                                                                                                                                          
Chain DOCKER-CT (1 references)                                                                                                                                                                                                            
num   pkts bytes target     prot opt in     out     source               destination                                                                                                                                                      
1    12757 2063K ACCEPT     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED                                                                                                             
2    12418 2392K ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED                                                                                                                
                                                                                                                                                                                                                                          
Chain DOCKER-FORWARD (1 references)                                                                                                                                                                                                       
num   pkts bytes target     prot opt in     out     source               destination                                                                                                                                                      
1    55145   33M DOCKER-CT  0    --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                                                                        
2    29970   29M DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                                                         
3    29970   29M DOCKER-BRIDGE  0    --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                                                                    
4    18366 1365K ACCEPT     0    --  br-mailcow *       0.0.0.0/0            0.0.0.0/0                                                                                                                                                    
5    11394   27M ACCEPT     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0                                                                                                                                                       
                                                                                                                                                                                                                                          
Chain DOCKER-ISOLATION-STAGE-1 (1 references)                                                                                                                                                                                             
num   pkts bytes target     prot opt in     out     source               destination                                                                                                                                                      
1    18366 1365K DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0                                                                                                                                
2    11394   27M DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0                                                                                                                                      
                                                                                                                                                                                                                                          
Chain DOCKER-ISOLATION-STAGE-2 (2 references)                                                                                                                                                                                             
num   pkts bytes target     prot opt in     out     source               destination                                                                                                                                                      
1        0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0                                                                                                                                                       
2        0     0 DROP       0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0                                                                                                                                                    
                                                                                                                                                                                                                                          
Chain DOCKER-USER (1 references)                                                                                                                                                                                                          
num   pkts bytes target     prot opt in     out     source               destination                                                                                                                                                      
1    55145   33M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0                                                                                                                                                        
                                                                                                                                                                                                                                          
Chain MAILCOW (11 references)                                                                                                                                                                                                             
num   pkts bytes target     prot opt in     out     source               destination                                                                                                                                                      
1        0     0 DROP       0    --  *      *       81.30.107.0/24       0.0.0.0/0           
2        0     0 DROP       6    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            /* mailcow isolation */
3        0     0 DROP       0    --  *      *       193.46.255.40        0.0.0.0/0           
4        0     0 DROP       0    --  *      *       81.30.107.0/24       0.0.0.0/0           
5    15683  907K DROP       6    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            /* mailcow isolation */

Removing the duplicate blocking rule 5 from the chain MAILCOW removes the blockage:

root@mailcow:~# iptables -D MAILCOW 5
root@mailcow:~# sudo iptables -L -v -n --line-numbers
Chain INPUT (policy ACCEPT 1571K packets, 112M bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    1571K  112M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
2        0     0 ACCEPT     17   --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:52821 /* wireguard-input-rule */
3    1571K  112M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
4    1571K  112M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
5    1571K  112M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
6    1571K  112M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    70835   34M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
2    55155   33M DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
3    55155   33M DOCKER-FORWARD  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
4        0     0 ACCEPT     0    --  eth0   wg0     0.0.0.0/0            10.123.67.0/24       ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
5        0     0 ACCEPT     0    --  wg0    eth0    10.123.67.0/24       0.0.0.0/0            /* wireguard-forward-rule */
6        0     0 MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
7        0     0 MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
8        0     0 MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
9        0     0 MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
10       0     0 MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */

Chain OUTPUT (policy ACCEPT 195K packets, 6190M bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
2        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
3        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
4        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
5        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
6        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
7        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
8        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
9        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
10       0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:443
11       0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.10          tcp dpt:80
12       0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
13       0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.7           tcp dpt:3306
14     210 12600 ACCEPT     6    --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:9001
15       0     0 DROP       0    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0           
16       0     0 DROP       0    --  !docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-BRIDGE (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DOCKER     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
2      210 12600 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-CT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1    12757 2063K ACCEPT     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2    12422 2392K ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1    55155   33M DOCKER-CT  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
2    29976   29M DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
3    29976   29M DOCKER-BRIDGE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
4    18368 1365K ACCEPT     0    --  br-mailcow *       0.0.0.0/0            0.0.0.0/0           
5    11398   27M ACCEPT     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1    18368 1365K DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0           
2    11398   27M DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
2        0     0 DROP       0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1    55155   33M RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain MAILCOW (11 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       0    --  *      *       81.30.107.0/24       0.0.0.0/0           
2        0     0 DROP       6    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            /* mailcow isolation */
3        0     0 DROP       0    --  *      *       193.46.255.40        0.0.0.0/0           
4        0     0 DROP       0    --  *      *       81.30.107.0/24       0.0.0.0/0

As you see the original universal block rule 2 have no matches during normal funtional operation of mailcow. Its the duplicate one that is suddenly matching any traffic and removing it restores incoming access.

ivarh

I think I have found the issue. I am running mailcow on a pi and it has iptables-persistent installed on it causing the iptables to be partially restored on boot. After uninstalling this package a lot of the duplicate entries have disappeared . Hopefully this will be resolved now and iptables now have no duplicated entries:

 root@mailcow:/etc# iptables -L -v -n --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1    17285 8848K MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
2    17292 8849K DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
3    17292 8849K DOCKER-FORWARD  0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
2       20  1168 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
3       91  4808 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
4        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.11          tcp dpt:3306
5        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
6        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
7        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
8       12   704 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
9        2   112 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
10       0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
11       3   188 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.9           tcp dpt:443
12      17   944 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.9           tcp dpt:80
13      12   720 ACCEPT     6    --  !docker0 docker0  0.0.0.0/0            172.17.0.2           tcp dpt:9001
14       0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
15       0     0 DROP       0    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0           
16       0     0 DROP       0    --  !docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-BRIDGE (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1      145  7924 DOCKER     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
2       12   720 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-CT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     7896 5235K ACCEPT     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2      672  135K ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1    17292 8849K DOCKER-CT  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
2     8724 3480K DOCKER-ISOLATION-STAGE-1  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
3     8724 3480K DOCKER-BRIDGE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
4     7949 1903K ACCEPT     0    --  br-mailcow *       0.0.0.0/0            0.0.0.0/0           
5      618 1569K ACCEPT     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     7949 1903K DOCKER-ISOLATION-STAGE-2  0    --  br-mailcow !br-mailcow  0.0.0.0/0            0.0.0.0/0            
2      618 1569K DOCKER-ISOLATION-STAGE-2  0    --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           
2        0     0 DROP       0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1    17292 8849K RETURN     0    --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain MAILCOW (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       0    --  *      *       81.30.107.0/24       0.0.0.0/0           
2        0     0 DROP       6    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            /* mailcow isolation */