firewall: replace iptables with nftables (#2505)

* first adjustments to use Fail2Ban with nftables

* replace `iptables` -> `nftables` and adjust tests

nftables lists IPs a bit differently, so the order was adjusted for the
tests to be more flexible.

* line correction in mailserver.env

* change from `.conf` -> `.local` and remove redundant config

* revert HEREDOC to `echo`

Co-authored-by: Casper <casperklein@users.noreply.github.com>
Georg Lauterbach 2022-04-05 15:13:59 +02:00 committed by GitHub
parent 7c150402a0
commit a9305a073f
10 changed files with 42 additions and 72 deletions


@ -100,7 +100,7 @@ cap_add:
- NET_ADMIN
```
Otherwise, `iptables` won't be able to ban IPs.
Otherwise, `nftables` won't be able to ban IPs.
##### FAIL2BAN_BLOCKTYPE
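Review bot: in the rewritten `Otherwise, nftables won't be able to ban IPs.` line the subject is off: nftables is only the backend, Fail2Ban is what performs the ban, so `Otherwise, Fail2Ban won't be able to insert nftables rules to ban IPs.` would be more accurate. The old `iptables` wording had the same problem, but since the line is being touched anyway this is the moment to fix it.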


@ -29,7 +29,7 @@ Example configuration volume bind:
```
!!! attention
`docker-mailserver` must be launched with the `NET_ADMIN` capability in order to be able to install the iptable rules that actually ban IP addresses.
`docker-mailserver` must be launched with the `NET_ADMIN` capability in order to be able to install the nftables rules that actually ban IP addresses.
Thus either include `--cap-add=NET_ADMIN` in the `docker run` command, or the equivalent in `docker-compose.yml`:
@ -38,16 +38,6 @@ Example configuration volume bind:
- NET_ADMIN
```
If you don't you will see errors the form of:
```log
iptables -w -X f2b-postfix -- stderr: "getsockopt failed strangely: Operation not permitted\niptables v1.4.21: can't initialize iptabl
es table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.21: can'
t initialize iptables table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\n"
2016-06-01 00:53:51,284 fail2ban.action [678]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission -
j f2b-postfix
```
## Running fail2ban in a rootless container
[`RootlessKit`][rootless::rootless-kit] is the _fakeroot_ implementation for supporting _rootless mode_ in Docker and Podman. By default RootlessKit uses the [`builtin` port forwarding driver][rootless::port-drivers], which does not propagate source IP addresses.
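Review bot: this hunk deletes the sample `Operation not permitted` / `Permission denied (you must be root)` log block together with its lead sentence, without adding an nftables counterpart, so readers lose the concrete output that told them a missing `NET_ADMIN` capability was the cause. Consider keeping the sentence (and fixing its wording to `errors of the form:`) and replacing the block with the equivalent Fail2Ban/nft error output captured from a container started without `--cap-add=NET_ADMIN`, so the troubleshooting signal survives the backend switch.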