My daemon.json looks pretty much the same:
{"ipv6":true,"fixed-cidr-v6":"fd00:dead:beef:c0::/80","experimental":true,"ip6tables":true}
But I’m running docker 26:
Client: Docker Engine - Community
Version: 26.1.4
API version: 1.45
Go version: go1.21.11
Git commit: 5650f9b
Built: Wed Jun 5 11:29:15 2024
OS/Arch: linux/amd64
Context: default
Server: Docker Engine - Community
Engine:
Version: 26.1.4
API version: 1.45 (minimum version 1.24)
Go version: go1.21.11
Git commit: de5c9cf
Built: Wed Jun 5 11:29:15 2024
OS/Arch: linux/amd64
Experimental: true
containerd:
Version: 1.6.33
GitCommit: d2d58213f83a351ca8f528a95fbd145f5654e957
runc:
Version: 1.1.12
GitCommit: v1.1.12-0-g51d5e94
docker-init:
Version: 0.19.0
GitCommit: de40ad0
which is interesting, because apt update does not report any new packages available. I’m using the official docker debian repo here.
# lsmod | grep ip6
ip6table_security 16384 0
ip6table_raw 16384 0
ip6table_mangle 16384 0
ip6table_nat 16384 1
ip6table_filter 16384 1
ip6_tables 36864 5 ip6table_filter,ip6table_raw,ip6table_nat,ip6table_mangle,ip6table_security
nf_nat 57344 4 ip6table_nat,xt_nat,iptable_nat,xt_MASQUERADE
x_tables 61440 19 ip6table_filter,xt_conntrack,ip6table_raw,iptable_filter,iptable_security,ip6table_nat,xt_multiport,xt_tcpudp,xt_addrtype,xt_nat,ip6_tables,ipt_REJECT,iptable_raw,ip_tables,iptable_nat,ip6table_mangle,ip6table_security,xt_MASQUERADE,iptable_mangle
(I have no idea what any of this means)
ETNyx This setup without DNAT seems to keep the host as the destination. Not sure how the packet gets into MC postfix, but it could explain the open relay by triggering permit_mynetworks, since the source could be seen from the host?
Wouldn’t that mean this is a problem all mailcows have?
DocFraggle Yes, it is possible that, due to the missing DNAT rule, the traffic via the public IPv6 address is routed internally through an interface in the [fd4d:6169:6c63:6f77::]/64 network, and because it’s included in mynetworks it’s allowed to relay.
Is there a way to figure out if this is the case?
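One way to check the missing-DNAT hypothesis from the host, as an added example that is not part of this thread: look in the `ip6tables -t nat -S DOCKER` output for a DNAT rule on the SMTP port, and test whether the client address Postfix records in its "connect from" log line falls inside the internal range that mynetworks trusts. The rule dumps, the log lines and the mynetworks list below are constructed samples; the bridge name and the exact shape of Docker's DNAT rule are assumptions.

```python
import ipaddress
import re
import shlex

# Constructed sample of `ip6tables -t nat -S DOCKER` on a host where Docker
# installed no DNAT rule for port 25 (only the RETURN rule for its bridge).
SAMPLE_NAT_RULES_NO_DNAT = """\
-N DOCKER
-A DOCKER -i br-mailcow -j RETURN
"""

# Constructed sample of the same chain with a published port 25; the rule
# shape is assumed from what Docker typically generates.
SAMPLE_NAT_RULES_WITH_DNAT = """\
-N DOCKER
-A DOCKER -i br-mailcow -j RETURN
-A DOCKER ! -i br-mailcow -p tcp -m tcp --dport 25 -j DNAT --to-destination [fd4d:6169:6c63:6f77::250]:25
"""


def has_dnat_for_port(rules: str, port: int) -> bool:
    """True if any rule in the dump DNATs TCP traffic on `port` into a container."""
    for line in rules.splitlines():
        tokens = shlex.split(line)
        if "DNAT" in tokens and "--dport" in tokens:
            dport = tokens[tokens.index("--dport") + 1]
            if dport == str(port):
                return True
    return False


# Postfix logs the address it tests against mynetworks as "connect from name[addr]".
LOG_RE = re.compile(r"connect from \S+\[([0-9a-fA-F:.]+)\]")


def client_address(log_line: str):
    """Extract the client address Postfix saw, or None if the line is not a connect line."""
    m = LOG_RE.search(log_line)
    return ipaddress.ip_address(m.group(1)) if m else None


def client_treated_as_internal(log_line: str, mynetworks) -> bool:
    """True when a remote client's recorded address lies inside a trusted mynetworks range,
    which is the symptom the thread describes: an external sender granted permit_mynetworks."""
    addr = client_address(log_line)
    return addr is not None and any(addr in ipaddress.ip_network(n) for n in mynetworks)
```

If the NAT check returns False while the log check returns True for a connection you know came from outside, the traffic is reaching Postfix with an internal source address rather than being DNATed.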