J
jakka

  • Aug 9, 2024
  • Joined Aug 6, 2024
  • 2 discussions
  • 4 posts
  • 0 best answers
  • Post posted... wait what?
  • In unbound and iptables

    esackbauer practically - no. but i want to know why dns resolver stops working even after restoring original iptables configuration, because it also affects other iptables setups

    • In unbound and iptables

      esackbauer blocking http and https ports since i am going to use reverse proxy

      • In unbound and iptables

        i have been trying to find out how to properly enable firewall for docker and encountered an interesting beheviour of unbound container:

        1. installing mailcow - health check passes. i am able to dig through @127.0.0.1 in the container
        2. enforcing iptables rules:
          iptables -A INPUT -i lo -j ACCEPT
          iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
          iptables -A INPUT -i eth0 -p tcp -m multiport --dport 22,443 -j ACCEPT
          iptables -P INPUT DROP
          iptables -I DOCKER-USER -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
          iptables -I DOCKER-USER 2 -i eth0 -p tcp -m multiport --dport 25,110,143,465,587,993,995,4190 -j ACCEPT
          iptables -I DOCKER-USER 3 -i eth0 -j DROP
        3. unbound does not pass health check, unable to dig
        4. rolling back iptable rules:
          iptables -P INPUT ACCEPT
          iptables -F INPUT
          iptables -F DOCKER-USER
          iptables -A DOCKER-USER -j RETURN
        5. unbound does not pass health check, unable to dig

        can someone explain why this happens?

        • In mailcowdockerized-unbound-mailcow-1 unhealthy

          I have been trying to make mailcow work on Alpine, and it kind of works but this container refuses to connect to internet (update.sh didnt help)
          docker version: 26.1.5 API: 1.45
          docker compose version: 2.27.0
          iptables INPUT and DOCKER-USER chains:
          Chain INPUT (policy DROP 435K packets, 48M bytes)
          pkts bytes target prot opt in out source destination
          7555 8843K ACCEPT all -- lo any anywhere anywhere
          1335K 2980M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
          3461 202K ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:https
          464 35893 ACCEPT tcp -- eth0 any anywhere anywhere tcp dpt:ssh
          Chain DOCKER-USER (1 references)
          pkts bytes target prot opt in out source destination
          0 0 ACCEPT all -- lo any anywhere anywhere
          1142 124K ACCEPT all -- eth0 any anywhere anywhere ctstate RELATED,ESTABLISHED
          16 800 ACCEPT tcp -- eth0 any anywhere anywhere multiport dports smtp,pop3,imap2,submissions,submission,imaps,pop3s,sieve
          15 708 DROP all -- eth0 any anywhere anywhere
          41609 20M RETURN all -- any any anywhere anywhere

          inside the container dig fails:
          dig +short +timeout=2 +tries=1 hub.docker.com @127.0.0.1
          ;; communications error to 127.0.0.1#53: timed out
          ;; no servers could be reached

          tested the same setup (mailcow.conf, iptables setup) on debian machine, container was able to pass the health check