iptables and nfttables

[engineertrooper]

Preinformation: ubuntu server (24.04) vps runs docker with containers for

• nginx
• gitea (works fine behind reverse proxy)
• postgreSQL
• mailcow

Documentation Status: The documentation shows a workaround with iptables and links two blog articles.

• first link is blog.donnex.net/docker-and-iptables-filtering/ gives empty html
• second link can be reached unrouted.io
• (version of master that's meant: docs/getstarted/prerequisite-system.de.md -> add ICMP requirement for outgoing connections #805)

Issue:
The documentation gives a workaround from 2017 for iptables. Since ubuntu 20.04 uses iptables-nft and the command iptables is like a wrapper around nfttables (for now). It is also meantioned inside the mailcow blog -> add nfttables support.

The community works with nfttables. -> Issues inside mailcow-dockerized

• (Compatibility Issue Between iptables-nft, nftables and netfilter-mailcow mailcow-dockerized#5847)
• (Updating to mailcow 2024-01e with Docker 25.0.3 breaks iptables / UFW usage on Debian 10 mailcow-dockerized#5735)

Or Forum still refers to iptables: (https://community.mailcow.email/d/2713-how-to-secure-mailcow-server-with-a-firewall-in-ubuntu)

Conclusion: The docs should be updated? But I am still in learning phase. Can someone with more knowledge help out please? (Or do I miss something here?)

Thanks.

[engineertrooper]

official information of nfttables migration from iptables -> (https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables)

[asineth0]

Posted a fix in another issue, posting here in case it helps anyone.

Add this to your docker-compose.override.yml file. Tested this and it seems to work fine.

services:
    netfilter-mailcow:
      entrypoint: "python -u /app/main.py iptables"

The normal entrypoint for netfilter-mailcow tries to autodetect whether to use iptables or nftables as the backend and for some reason it was deciding to use nftables, by overriding the entrypoint, you can just force it to use iptables.