But then would my server be open to the internet, because there is no other security feature?
cnc24

- 4 Jan
Strange. Here again the output, with the ufw status command before it:

```
root@mail:~# ufw status
Status: inactive
root@mail:~# ^C
root@mail:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
MAILCOW all -- anywhere anywhere /* mailcow */
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
MAILCOW all -- anywhere anywhere /* mailcow */
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere

Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.22.1.5 tcp dpt:8983
ACCEPT tcp -- anywhere 172.22.1.249 tcp dpt:redis
ACCEPT tcp -- anywhere 172.22.1.6 tcp dpt:mysql
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:pop3
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:imap2
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:imaps
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:pop3s
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:sieve
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:12345

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain MAILCOW (2 references)
target prot opt source destination
DROP all -- 212.70.149.71 anywhere
DROP tcp -- anywhere anywhere /* mailcow isolation */

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination

Chain ufw-after-logging-forward (1 references)
target prot opt source destination

Chain ufw-after-logging-input (1 references)
target prot opt source destination

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination

Chain ufw-before-input (1 references)
target prot opt source destination

Chain ufw-before-logging-forward (1 references)
target prot opt source destination

Chain ufw-before-logging-input (1 references)
target prot opt source destination

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-output (1 references)
target prot opt source destination

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-track-forward (1 references)
target prot opt source destination

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination
root@mail:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !localhost/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE tcp -- 172.22.1.5 172.22.1.5 tcp dpt:8983
MASQUERADE tcp -- 172.22.1.249 172.22.1.249 tcp dpt:redis
MASQUERADE tcp -- 172.22.1.6 172.22.1.6 tcp dpt:mysql
MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:pop3
MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:imap2
MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:imaps
MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:pop3s
MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:sieve
MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:12345

Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere localhost tcp dpt:18983 to:172.22.1.5:8983
DNAT tcp -- anywhere localhost tcp dpt:7654 to:172.22.1.249:6379
DNAT tcp -- anywhere localhost tcp dpt:13306 to:172.22.1.6:3306
DNAT tcp -- anywhere anywhere tcp dpt:pop3 to:172.22.1.250:110
DNAT tcp -- anywhere anywhere tcp dpt:imap2 to:172.22.1.250:143
DNAT tcp -- anywhere anywhere tcp dpt:imaps to:172.22.1.250:993
DNAT tcp -- anywhere anywhere tcp dpt:pop3s to:172.22.1.250:995
DNAT tcp -- anywhere anywhere tcp dpt:sieve to:172.22.1.250:4190
DNAT tcp -- anywhere localhost tcp dpt:19991 to:172.22.1.250:12345
root@mail:~#
```

I don't know what happened exactly, but suddenly, after 9 minutes, the unbound container started to become healthy.
Now I'm getting emails again!
I'm going to try activating ufw again now, or what do you prefer?
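An added check, not code from this thread or from mailcow, that answers the "is my server open" question more directly than `ufw status` does. Two things are visible in the listings above. First, `Status: inactive` together with `policy ACCEPT` on INPUT means nothing filters traffic to the host's own ports except the MAILCOW chain, which only carries netfilter-mailcow's ban and isolation rules. Second, Docker publishes a container port with a DNAT rule in the nat table plus an ACCEPT in the DOCKER chain of FORWARD, and in the FORWARD listing the DOCKER chain is evaluated before every ufw-* chain, so even an active ufw would not filter published ports; Docker's documented place for such filtering is the DOCKER-USER chain, which here contains only RETURN. The script below parses `iptables -t nat -L` output and reports which published ports are bound to localhost (reachable only from the host, the `-p 127.0.0.1:HOST:CONT` form) and which are bound to any address (reachable from the internet). The embedded sample is constructed from the nat DOCKER chain in the post, with iptables' real `--` in the opt column; the `--live` mode and its `iptables -t nat -L DOCKER -n` call are my additions. Note that plain `iptables -L` without `-v` hides the interface matches that the filter-table DOCKER and "mailcow isolation" rules carry, so use `-v` when you want to see what they actually apply to.

```shell
#!/bin/sh
# Added audit script (not part of mailcow): classify Docker-published ports
# from `iptables -t nat -L` output. Constructed sample: the nat DOCKER chain
# from the post above, with iptables' real "--" in the opt column.
SAMPLE_NAT='Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere localhost tcp dpt:18983 to:172.22.1.5:8983
DNAT tcp -- anywhere localhost tcp dpt:7654 to:172.22.1.249:6379
DNAT tcp -- anywhere localhost tcp dpt:13306 to:172.22.1.6:3306
DNAT tcp -- anywhere anywhere tcp dpt:pop3 to:172.22.1.250:110
DNAT tcp -- anywhere anywhere tcp dpt:imap2 to:172.22.1.250:143
DNAT tcp -- anywhere anywhere tcp dpt:imaps to:172.22.1.250:993
DNAT tcp -- anywhere anywhere tcp dpt:pop3s to:172.22.1.250:995
DNAT tcp -- anywhere anywhere tcp dpt:sieve to:172.22.1.250:4190
DNAT tcp -- anywhere localhost tcp dpt:19991 to:172.22.1.250:12345'

# One line per DNAT rule: "<SCOPE> <proto>/<host port> -> <container>:<port>".
# The destination column is the host address the port was published on:
# "localhost" / 127.x means -p 127.0.0.1:HOST:CONT, reachable only from the
# host itself; "anywhere" / 0.0.0.0/0 means -p HOST:CONT, bound on every
# address and reachable from the internet unless a DOCKER-USER rule blocks it.
# Handles both resolved (-L) and numeric (-L -n) output.
classify_dnat() {
    printf '%s\n' "$1" | awk '
        $1 == "DNAT" {
            dst = $5; port = ""; target = ""
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^dpt:/) port = substr($i, 5)
                if ($i ~ /^to:/)  target = substr($i, 4)
            }
            scope = (dst == "localhost" || dst ~ /^127\./) ? "LOCAL" : "PUBLIC"
            printf "%s %s/%s -> %s\n", scope, $2, port, target
        }'
}

# Number of published ports reachable from any address / only from the host.
count_public() { classify_dnat "$1" | awk '/^PUBLIC /{n++} END{print n+0}'; }
count_local()  { classify_dnat "$1" | awk '/^LOCAL /{n++} END{print n+0}'; }

# Space-separated list of the publicly reachable host ports, to compare
# against the ports you actually intended to expose.
public_ports() {
    classify_dnat "$1" | awk '/^PUBLIC /{split($2, a, "/"); printf "%s%s", (n++ ? " " : ""), a[2]}'
    echo
}

if [ "${1:-}" = "--live" ]; then
    # Live mode (needs root): read the real nat DOCKER chain numerically.
    classify_dnat "$(iptables -t nat -L DOCKER -n)"
else
    classify_dnat "$SAMPLE_NAT"
fi
```

On the sample this lists the five dovecot ports (pop3, imap2, imaps, pop3s, sieve) as PUBLIC and the solr, redis, mysql and 12345 mappings as LOCAL; anything that shows up as PUBLIC and is not on your intended list is exposed regardless of what ufw says.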
Here is the output:

```
root@mail:/opt/mailcow-dockerized# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
MAILCOW all -- anywhere anywhere /* mailcow */
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
MAILCOW all -- anywhere anywhere /* mailcow */
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere

Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.22.1.5 tcp dpt:8983
ACCEPT tcp -- anywhere 172.22.1.249 tcp dpt:redis
ACCEPT tcp -- anywhere 172.22.1.6 tcp dpt:mysql
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:pop3
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:imap2
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:imaps
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:pop3s
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:sieve
ACCEPT tcp -- anywhere 172.22.1.250 tcp dpt:12345

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere

Chain MAILCOW (2 references)
target prot opt source destination
DROP all -- 212.70.149.71 anywhere
DROP tcp -- anywhere anywhere /* mailcow isolation */

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination

Chain ufw-after-logging-forward (1 references)
target prot opt source destination

Chain ufw-after-logging-input (1 references)
target prot opt source destination

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination

Chain ufw-before-input (1 references)
target prot opt source destination

Chain ufw-before-logging-forward (1 references)
target prot opt source destination

Chain ufw-before-logging-input (1 references)
target prot opt source destination

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-output (1 references)
target prot opt source destination

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-track-forward (1 references)
target prot opt source destination

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination
```

and the output of the other command:

```
root@mail:/opt/mailcow-dockerized# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !localhost/8 ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 172.17.0.0/16 anywhere
MASQUERADE tcp -- 172.22.1.5 172.22.1.5 tcp dpt:8983
MASQUERADE tcp -- 172.22.1.249 172.22.1.249 tcp dpt:redis
MASQUERADE tcp -- 172.22.1.6 172.22.1.6 tcp dpt:mysql
MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:pop3
MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:imap2
MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:imaps
MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:pop3s
MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:sieve
MASQUERADE tcp -- 172.22.1.250 172.22.1.250 tcp dpt:12345

Chain DOCKER (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
RETURN all -- anywhere anywhere
DNAT tcp -- anywhere localhost tcp dpt:18983 to:172.22.1.5:8983
DNAT tcp -- anywhere localhost tcp dpt:7654 to:172.22.1.249:6379
DNAT tcp -- anywhere localhost tcp dpt:13306 to:172.22.1.6:3306
DNAT tcp -- anywhere anywhere tcp dpt:pop3 to:172.22.1.250:110
DNAT tcp -- anywhere anywhere tcp dpt:imap2 to:172.22.1.250:143
DNAT tcp -- anywhere anywhere tcp dpt:imaps to:172.22.1.250:993
DNAT tcp -- anywhere anywhere tcp dpt:pop3s to:172.22.1.250:995
DNAT tcp -- anywhere anywhere tcp dpt:sieve to:172.22.1.250:4190
DNAT tcp -- anywhere localhost tcp dpt:19991 to:172.22.1.250:12345
```

I use ufw, but I get the same issue without ufw enabled.
The docker versions are:

```
docker compose version
Docker Compose version v2.32.1
docker --version
Docker version 27.4.1, build b9d17ea
```
I'm running Debian 11 Bullseye. Below are the uname -a and dpkg -l outputs:

```
root@mail:~# uname -a
Linux mail.senditout.de 5.10.0-33-amd64 #1 SMP Debian 5.10.226-1 (2024-10-03) x86_64 GNU/Linux
root@mail:~# dpkg -l | grep linux-
ii binutils-x86-64-linux-gnu 2.35.2-2 amd64 GNU binary utilities, for x86-64-linux-gnu target
ii firmware-linux-free 20200122-1 all Binary firmware for various drivers in the Linux kernel
ii linux-base 4.6 all Linux image base package
rc linux-image-5.10.0-10-amd64 5.10.84-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-11-amd64 5.10.92-2 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-12-amd64 5.10.103-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-13-amd64 5.10.106-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-14-amd64 5.10.113-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-15-amd64 5.10.120-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-16-amd64 5.10.127-2 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-17-amd64 5.10.136-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-18-amd64 5.10.140-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-19-amd64 5.10.149-2 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-20-amd64 5.10.158-2 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-21-amd64 5.10.162-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-22-amd64 5.10.178-3 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-23-amd64 5.10.179-3 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-24-amd64 5.10.179-5 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-25-amd64 5.10.191-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-26-amd64 5.10.197-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-27-amd64 5.10.205-2 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-28-amd64 5.10.209-2 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-29-amd64 5.10.216-1 amd64 Linux 5.10 for 64-bit PCs (signed)
ii linux-image-5.10.0-32-amd64 5.10.223-1 amd64 Linux 5.10 for 64-bit PCs (signed)
ii linux-image-5.10.0-33-amd64 5.10.226-1 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-8-amd64 5.10.46-5 amd64 Linux 5.10 for 64-bit PCs (signed)
rc linux-image-5.10.0-9-amd64 5.10.70-1 amd64 Linux 5.10 for 64-bit PCs (signed)
ii linux-image-amd64 5.10.226-1 amd64 Linux for 64-bit PCs (meta-package)
ii util-linux-locales 2.36.1-8+deb11u2 all locales files for util-linux
```

The last update was in October, I think.
Yes, the mailcow unbound stays unhealthy and the behaviour is the same as described above.
Yes, I could ping and dig from the host system without problems.
Hi guys,
I'm hosting a mailcow instance on a netcup VPS Rootserver. Everything was running fine until mailcow version 2024-11b. At this point I can't update anymore, because mailcow unbound is unhealthy. It seems that the ping check fails, but the dig command works. It doesn't matter whether ufw on the host system is enabled or disabled.
Now I'm really unhappy about the fact that I can't update to a working mailcow dockerized instance; maybe you could help me out.
This is what I tried inside the container:

```bash
root@mail:/opt/mailcow-dockerized# docker compose exec unbound-mailcow /bin/bash
99d2b1464fd4:/# ping google.de
PING google.de (216.58.206.67): 56 data bytes
^C
--- google.de ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
99d2b1464fd4:/# dig google.de

; <<>> DiG 9.18.27 <<>> google.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5000
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;google.de. IN A

;; ANSWER SECTION:
google.de. 280 IN A 216.58.206.67

;; Query time: 15 msec
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)
;; WHEN: Sat Jan 04 12:23:21 CET 2025
;; MSG SIZE rcvd: 54

99d2b1464fd4:/# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.11:43893 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN -
tcp 0 0 :::53 :::* LISTEN -
udp 0 0 127.0.0.11:48254 0.0.0.0:* -
udp 0 0 0.0.0.0:53 0.0.0.0:* -
udp 0 0 :::53 :::* -
99d2b1464fd4:/# exit
exit
```

Please give me some advice on what else I could look for to find a solution.
Greetings
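An added diagnostic, not mailcow's own healthcheck and not from the post, that separates the probes an "unhealthy" status can hide behind. Two details of the captured output drive its design. First, the dig reply came from 127.0.0.11, Docker's embedded DNS: dockerd answers that socket and forwards external names to the host's resolvers from the host's network namespace, so a successful dig there says nothing about whether the unbound container itself can reach the internet. Second, ping failing with 100% loss while resolution succeeds points at ICMP specifically rather than at routing as a whole. The script parses ping and dig output (the constructed samples are copied from the captured output above) and, with `--live`, runs four probes from inside the container: ICMP to a literal address, DNS via 127.0.0.11, DNS directly to an external resolver (which exercises the container's own UDP/53 egress through the bridge and the host's NAT) and DNS against the local unbound on 127.0.0.1, which the netstat output shows listening on 0.0.0.0:53. The resolver 1.1.1.1 and the test name are my choices, not anything the thread specifies.

```shell
#!/bin/sh
# Added diagnostic (not mailcow's healthcheck). Constructed samples below are
# the ping and dig output captured in the post above.
PING_OUT='PING google.de (216.58.206.67): 56 data bytes
--- google.de ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss'

DIG_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5000
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.11#53(127.0.0.11) (UDP)'

# Packet-loss percentage from ping's summary line (busybox and iputils both
# print ", N% packet loss"); empty when ping never printed a summary.
ping_loss() {
    printf '%s\n' "$1" | sed -n 's/.*, \([0-9][0-9]*\)% packet loss.*/\1/p' | head -n 1
}

# rcode from dig's header (NOERROR, SERVFAIL, NXDOMAIN, ...); empty on no reply.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*opcode: QUERY, status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Number of answer records from dig's header line; empty on no reply.
dig_answers() {
    printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9][0-9]*\),.*/\1/p' | head -n 1
}

# Combine one ping result and one dig result into a verdict token.
verdict() {
    loss=$1; status=$2; answers=$3
    if [ "$status" != "NOERROR" ] || [ "${answers:-0}" -eq 0 ]; then
        echo "DNS-FAIL"
    elif [ -z "$loss" ]; then
        echo "DNS-OK ICMP-UNKNOWN"
    elif [ "$loss" -eq 100 ]; then
        echo "DNS-OK ICMP-BLOCKED"
    else
        echo "DNS-OK ICMP-OK"
    fi
}

# Run one dig and report "<label>: rcode=<rcode> answers=<n>".
probe_dns() {
    label=$1; shift
    out=$(dig +time=2 +tries=1 "$@" 2>&1 || true)
    st=$(dig_status "$out"); n=$(dig_answers "$out")
    echo "$label: rcode=${st:-NO-REPLY} answers=${n:-0}"
}

live() {
    resolver=${RESOLVER:-1.1.1.1}   # assumption: any reachable public resolver
    # Probe 1: ICMP to a literal address, so DNS plays no part at all.
    p=$(ping -c 2 -W 2 "$resolver" 2>&1 || true)
    echo "icmp to $resolver: loss=$(ping_loss "$p")%"
    # Probe 2: Docker's embedded DNS. dockerd forwards this from the host's
    # network namespace, so success here does not prove the container has egress.
    probe_dns "dns via 127.0.0.11 (dockerd forwarder)" google.de @127.0.0.11
    # Probe 3: straight to an external resolver: the container's own UDP/53
    # egress through the bridge and the host's MASQUERADE rule.
    probe_dns "dns direct to $resolver (container egress)" google.de "@$resolver"
    # Probe 4: the local unbound, which is what the mail services actually use.
    probe_dns "dns via local unbound 127.0.0.1" google.de @127.0.0.1
}

if [ "${1:-}" = "--live" ]; then
    live
else
    verdict "$(ping_loss "$PING_OUT")" "$(dig_status "$DIG_OUT")" "$(dig_answers "$DIG_OUT")"
fi
```

Without arguments it evaluates the captured output and prints `DNS-OK ICMP-BLOCKED`. To run the live probes, copy the file into the container with `docker cp` and start it with `docker compose exec unbound-mailcow sh /tmp/probe.sh --live`; if probe 3 answers but probe 1 does not, the container has working UDP egress and only ICMP is being dropped somewhere on the path, which is a different problem from the container having no network at all.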