jakka

  • Aug 9, 2024
  • Joined Aug 6, 2024
  • 2 discussions
  • 4 posts
  • 0 best answers
  • Post posted... wait what?
  • esackbauer practically, no. But I want to know why the DNS resolver stops working even after restoring the original iptables configuration, because it also affects other iptables setups.

  • esackbauer Blocking HTTP and HTTPS ports since I am going to use a reverse proxy.

  • I have been trying to find out how to properly enable a firewall for Docker and encountered an interesting behaviour of the unbound container:

    1. Installing mailcow: the health check passes. I am able to dig through @127.0.0.1 in the container.
    2. Enforcing iptables rules:
      iptables -A INPUT -i lo -j ACCEPT
      iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      iptables -A INPUT -i eth0 -p tcp -m multiport --dport 22,443 -j ACCEPT
      iptables -P INPUT DROP
      iptables -I DOCKER-USER -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
      iptables -I DOCKER-USER 2 -i eth0 -p tcp -m multiport --dport 25,110,143,465,587,993,995,4190 -j ACCEPT
      iptables -I DOCKER-USER 3 -i eth0 -j DROP
    3. unbound does not pass the health check, unable to dig.
    4. Rolling back the iptables rules:
      iptables -P INPUT ACCEPT
      iptables -F INPUT
      iptables -F DOCKER-USER
      iptables -A DOCKER-USER -j RETURN
    5. unbound does not pass the health check, unable to dig.

    Can someone explain why this happens?

    • I have been trying to make mailcow work on Alpine, and it kind of works, but this container refuses to connect to the internet (update.sh didn't help).
      docker version: 26.1.5 API: 1.45
      docker compose version: 2.27.0
      iptables INPUT and DOCKER-USER chains:
      Chain INPUT (policy DROP 435K packets, 48M bytes)
      pkts bytes target prot opt in out source destination
      7555 8843K ACCEPT all -- lo any anywhere anywhere
      1335K 2980M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
      3461 202K ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:https
      464 35893 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh

      Chain DOCKER-USER (1 references)
      pkts bytes target prot opt in out source destination
      0 0 ACCEPT all -- lo any anywhere anywhere
      1142 124K ACCEPT all -- eth0 any anywhere anywhere ctstate RELATED,ESTABLISHED
      16 800 ACCEPT tcp -- eth0 any anywhere anywhere multiport dports smtp,pop3,imap2,submissions,submission,imaps,pop3s,sieve
      15 708 DROP all -- eth0 any anywhere anywhere
      41609 20M RETURN all -- any any anywhere anywhere

      Inside the container, dig fails:
      dig +short +timeout=2 +tries=1 hub.docker.com @127.0.0.1
      ;; communications error to 127.0.0.1#53: timed out
      ;; no servers could be reached

      Tested the same setup (mailcow.conf, iptables setup) on a Debian machine; the container was able to pass the health check.
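As an added example (not code from the post or from mailcow), a small Python helper that parses an `iptables -L -v` listing like the one quoted above and reports what the counters show: a DROP policy that is discarding traffic, rules that have never matched, and a catch-all DROP that is hit before the chain's RETURN. The embedded sample is constructed from the post's two chains, with INPUT cut to its first two rules.

```python
import re
from collections import namedtuple

# Constructed sample: the chains quoted in the post above (iptables -L -v), INPUT cut to two rules.
SAMPLE = """\
Chain INPUT (policy DROP 435K packets, 48M bytes)
pkts bytes target prot opt in out source destination
7555 8843K ACCEPT all -- lo any anywhere anywhere
1335K 2980M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED

Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
1142 124K ACCEPT all -- eth0 any anywhere anywhere ctstate RELATED,ESTABLISHED
16 800 ACCEPT tcp -- eth0 any anywhere anywhere multiport dports smtp,pop3,imap2,submissions,submission,imaps,pop3s,sieve
15 708 DROP all -- eth0 any anywhere anywhere
41609 20M RETURN all -- any any anywhere anywhere
"""
SCALE = {"": 1, "K": 1000, "M": 1000**2, "G": 1000**3}  # -v abbreviates counters, e.g. 1335K
HEADER = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\S+) packets|\d+ references)")
Rule = namedtuple("Rule", "pkts target proto iface_in src dst extra")  # extra = match columns
def count(token):
    suffix = token[-1] if token[-1] in "KMG" else ""
    return int(token[: len(token) - len(suffix)]) * SCALE[suffix]

def parse_chains(text):
    """Return {chain: (policy or None, packets hitting the policy, [Rule, ...])}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), count(m.group(3)) if m.group(3) else 0, [])
        elif current and len(f := line.split()) >= 9 and f[0] != "pkts":  # skip column header
            chains[current][2].append(Rule(count(f[0]), f[2], f[3], f[5], f[7], f[8], " ".join(f[9:])))
    return chains

def audit(chains):
    findings = []  # listing order: dropping policies, dead rules, catch-all DROPs before RETURN
    for name, (policy, policy_pkts, rules) in chains.items():
        if policy == "DROP" and policy_pkts:
            findings.append(f"{name}: policy DROP has discarded {policy_pkts} packets")
        for i, r in enumerate(rules, 1):
            # Zero hits usually means a misplaced rule: DOCKER-USER is entered from FORWARD, so an "-i lo" ACCEPT there is dead.
            if r.pkts == 0:
                findings.append(f"{name}: rule {i} ({r.target} in={r.iface_in}) has never matched")
            if r.target == "DROP" and r.proto == "all" and not r.extra and r.pkts and any(
                    x.target == "RETURN" for x in rules[i:]):
                findings.append(f"{name}: catch-all DROP on in={r.iface_in} hit {r.pkts} packets before RETURN")
    return findings
```

Run it against `iptables -L INPUT -v; iptables -L DOCKER-USER -v` output after each change to see which rule the packets are actually hitting, rather than reasoning from the rules as typed.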