esackbauer Practically, no. But I want to know why the DNS resolver stops working even after restoring the original iptables configuration, because it also affects other iptables setups.
Jjakka
- Aug 9, 2024
esackbauer Blocking the HTTP and HTTPS ports since I am going to use a reverse proxy.
I have been trying to find out how to properly enable a firewall for Docker and encountered an interesting behaviour of the unbound container:
- installing mailcow: the health check passes. I am able to dig through @127.0.0.1 in the container
- enforcing iptables rules:
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -m multiport --dport 22,443 -j ACCEPT
    iptables -P INPUT DROP
    iptables -I DOCKER-USER -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -I DOCKER-USER 2 -i eth0 -p tcp -m multiport --dport 25,110,143,465,587,993,995,4190 -j ACCEPT
    iptables -I DOCKER-USER 3 -i eth0 -j DROP
  result: unbound does not pass the health check, unable to dig
- rolling back the iptables rules:
    iptables -P INPUT ACCEPT
    iptables -F INPUT
    iptables -F DOCKER-USER
    iptables -A DOCKER-USER -j RETURN
  result: unbound still does not pass the health check, unable to dig
Can someone explain why this happens?
I have been trying to make mailcow work on Alpine, and it kind of works, but this container refuses to connect to the internet (update.sh didn't help).
docker version: 26.1.5, API: 1.45
docker compose version: 2.27.0
iptables INPUT and DOCKER-USER chains:
Chain INPUT (policy DROP 435K packets, 48M bytes)
pkts bytes target prot opt in out source destination
7555 8843K ACCEPT all -- lo any anywhere anywhere
1335K 2980M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3461 202K ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:https
464 35893 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
1142 124K ACCEPT all -- eth0 any anywhere anywhere ctstate RELATED,ESTABLISHED
16 800 ACCEPT tcp -- eth0 any anywhere anywhere multiport dports smtp,pop3,imap2,submissions,submission,imaps,pop3s,sieve
15 708 DROP all -- eth0 any anywhere anywhere
41609 20M RETURN all -- any any anywhere anywhere
Inside the container, dig fails:
dig +short +timeout=2 +tries=1 hub.docker.com @127.0.0.1
;; communications error to 127.0.0.1#53: timed out
;; no servers could be reached
I tested the same setup (mailcow.conf, iptables setup) on a Debian machine; there the container was able to pass the health check.
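The packet counters in the listing above are the quickest way to tell whether a DROP rule in DOCKER-USER is actually eating traffic (here the DROP row shows 15 packets / 708 bytes) or whether the problem lies elsewhere. The following is an added example, not code from the thread or from mailcow: it parses `iptables -L <chain> -v -n` output and reports every DROP rule with a non-zero hit count; the sample listing is constructed from the table posted above, and `check_chain` is a hypothetical wrapper for live use.

```shell
#!/bin/sh
# Added example: spot DROP rules that have matched packets in an iptables
# chain listing, so a supposedly rolled-back ruleset can be checked from its
# counters instead of from failing container health checks.

# Constructed sample: the DOCKER-USER listing as posted in the thread.
SAMPLE_LISTING='Chain DOCKER-USER (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- lo any anywhere anywhere
 1142  124K ACCEPT all -- eth0 any anywhere anywhere ctstate RELATED,ESTABLISHED
   16   800 ACCEPT tcp -- eth0 any anywhere anywhere multiport dports smtp,pop3,imap2,submissions,submission,imaps,pop3s,sieve
   15   708 DROP all -- eth0 any anywhere anywhere
41609   20M RETURN all -- any any anywhere anywhere'

# Reads a `-L -v -n` listing on stdin. Columns: 1=pkts 2=bytes 3=target
# 4=prot 5=opt 6=in 7=out 8=source 9=destination 10..=match options.
# Prints one line per DROP rule whose packet counter is above zero.
hit_drops() {
  awk '$3 == "DROP" && $1+0 > 0 {
         printf "%s pkts %s bytes dropped on iface %s", $1, $2, $6
         for (i = 10; i <= NF; i++) printf " %s", $i
         print ""
       }'
}

# Number of DROP rules with hits; 0 means no DROP rule in the chain fired.
count_hit_drops() {
  hit_drops | grep -c .
}

# Hypothetical live wrapper (needs root and iptables; not run here):
# lists the given chain and reports its active DROP rules. To see *what*
# a DROP rule is matching, a LOG rule can be inserted just before it, e.g.
#   iptables -I DOCKER-USER 3 -i eth0 -j LOG --log-prefix "DOCKER-USER DROP: "
check_chain() {
  iptables -L "${1:-DOCKER-USER}" -v -n | hit_drops
}

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LISTING" | hit_drops
fi
```

Run with `--demo` to check the constructed sample, or pipe a live `iptables -L DOCKER-USER -v -n` into `hit_drops`; reset the counters with `iptables -Z DOCKER-USER` before re-running the health check so that only new hits show up.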