Netfilter is creating duplicate CHains in iptables and ip6tables. Infinit restart loop. Same as unanswered issue # 6795

[Dvalin21]

Contribution guidelines

• I've read the contribution guidelines and wholeheartedly agree

Checklist prior issue creation

• I understand that failure to follow below instructions may cause this issue to be closed.
• I understand that vague, incomplete or inaccurate information may cause this issue to be closed.
• I understand that this form is intended solely for reporting software bugs and not for support-related inquiries.
• I understand that all responses are voluntary and community-driven, and do not constitute commercial support.
• I confirm that I have reviewed previous issues to ensure this matter has not already been addressed.
• I confirm that my environment meets all prerequisite requirements as specified in the official documentation.

Description

I 've mentioned this before in Telegram only to be told this was impossible. Apparently I wasn't the only one to have this issue as you can see here #6795 As its causing duplicate entries, it causes dns issues as you can see below. Unable to access Webui.

Steps to reproduce:

1. This seems to happen at random. Not sure entirely sure what causes it.
2. I could be possible when I run docker compose down; docker compose up -d
3. I have two mail cow instances setup on two different networks. The other network does not do this.
4. The affected instance is up to date.
5. AND no, I didn't put these entries in myself....

Logs:

netfilter-mailcow-1  | # Warning: table ip filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | # Warning: table ip nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | # Warning: table ip6 filter is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | # Warning: table ip6 nat is managed by iptables-nft, do not touch!
netfilter-mailcow-1  | 2026-01-04 00:37:02 INFO: Using NFTables backend
netfilter-mailcow-1  | 2026-01-04 00:37:02 INFO: Clearing all bans
netfilter-mailcow-1  | 2026-01-04 00:37:02 INFO: Initializing mailcow netfilter chain
netfilter-mailcow-1  | 2026-01-04 00:37:02 INFO: Setting MAILCOW isolation
netfilter-mailcow-1  | 2026-01-04 00:37:02 INFO: Watching Redis channel F2B_CHANNEL
netfilter-mailcow-1  | 2026-01-04 00:37:02 INFO: Denylist was changed, it has 1 entries
netfilter-mailcow-1  | 2026-01-04 00:37:02 CRIT: Added host/network 81.30.107.0/24 to denylist


unbound-mailcow-1    | 2026-01-04 00:42:03: Healthcheck: DNS Resolution Failed on attempt 2 for hub.docker.com! Trying again...
unbound-mailcow-1    | 2026-01-04 00:42:05: Healthcheck: DNS Resolution Failed on attempt 3 for hub.docker.com! Trying again...
unbound-mailcow-1    | 2026-01-04 00:42:05: Healthcheck: DNS Resolution not possible after 3 attempts for hub.docker.com... Gave up!
unbound-mailcow-1    | 2026-01-04 00:42:05: Healthcheck: Too many DNS failures (1 failures allowed, you got 3 failures), marking Healthcheck as unhealthy...

Temp fix: Go and clean up iptables.  
Long term fix, I would imagine [#6795 ](https://github.com/mailcow/mailcow-dockerized/issues/6795)

Which branch are you using?

master (stable)

Which architecture are you using?

x86_64

Operating System:

running Ubuntu 24.04.3 LTS

Server/VM specifications:

CPU 8x Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz

Is Apparmor, SELinux or similar active?

Yes

Virtualization technology:

None

Docker version:

Docker version 29.1.3, build f52814d

docker-compose version or docker compose version:

Docker Compose version v5.0.1

mailcow version:

2025-12a

Reverse proxy:

Zoraxy (https://github.com/tobychui/zoraxy)

Logs of git diff:

NA

Logs of iptables -L -vn:

Chain INPUT (policy DROP 7127 packets, 1324K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     161K  188M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
2     162K  188M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
3    20529  165M ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           
4     133K   21M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
5        0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
6        0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
7        0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
8        0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
9        0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110
10       0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
11       6   312 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
12       0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465
13       0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587
14       0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:873
15       0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
16       0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995
17       0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190
18       0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4080
19       0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7443
20       0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8084
21       1    60 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8000
22     103  6180 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9090
23       0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
24       0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:11335
25       0     0 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:11445
26     406 37080 ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
27     576  139K ACCEPT     17   --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
28       0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
29       0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
30       0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9880
31       0     0 ACCEPT     6    --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:9443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     915K  337M MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */
2     881K  335M DOCKER-USER  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
3     881K  335M DOCKER-FORWARD  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
4        0     0 MAILCOW    0    --  *      *       0.0.0.0/0            0.0.0.0/0            /* mailcow */

Chain OUTPUT (policy ACCEPT 176K packets, 420M bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (4 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.13          tcp dpt:3306
2        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:12345
3        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:4190
4        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:995
5        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:993
6        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:143
7        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.250         tcp dpt:110
8        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:587
9        0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:465
10       0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.253         tcp dpt:25
11       0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.249         tcp dpt:6379
12       0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.3           tcp dpt:8084
13       0     0 ACCEPT     6    --  !br-mailcow br-mailcow  0.0.0.0/0            172.22.1.3           tcp dpt:7443
14      10   600 ACCEPT     6    --  !br-964aff83e1dd br-964aff83e1dd  0.0.0.0/0            172.18.0.2           tcp dpt:80
15       0     0 ACCEPT     6    --  !br-05a342260808 br-05a342260808  0.0.0.0/0            172.19.0.2           tcp dpt:8000
16   88679 4613K ACCEPT     6    --  !br-05a342260808 br-05a342260808  0.0.0.0/0            172.19.0.2           tcp dpt:443
17     258 14823 ACCEPT     6    --  !br-05a342260808 br-05a342260808  0.0.0.0/0            172.19.0.2           tcp dpt:80
18       0     0 DROP       0    --  !br-05a342260808 br-05a342260808  0.0.0.0/0            0.0.0.0/0           
19       0     0 DROP       0    --  !br-964aff83e1dd br-964aff83e1dd  0.0.0.0/0            0.0.0.0/0           
20       0     0 DROP       0    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0           
21       0     0 DROP       0    --  !docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-BRIDGE (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1    88937 4628K DOCKER     0    --  *      br-05a342260808  0.0.0.0/0            0.0.0.0/0           
2       10   600 DOCKER     0    --  *      br-964aff83e1dd  0.0.0.0/0            0.0.0.0/0           
3        0     0 DOCKER     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0           
4        0     0 DOCKER     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-CT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1    64193   34M ACCEPT     0    --  *      br-05a342260808  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2       87 18449 ACCEPT     0    --  *      br-964aff83e1dd  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3    20479 8057K ACCEPT     0    --  *      br-mailcow  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
4        0     0 ACCEPT     0    --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain DOCKER-FORWARD (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     881K  335M DOCKER-CT  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
2     796K  293M DOCKER-INTERNAL  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
3     796K  293M DOCKER-BRIDGE  0    --  *      *       0.0.0.0/0            0.0.0.0/0           
4     668K  286M ACCEPT     0    --  br-05a342260808 *       0.0.0.0/0            0.0.0.0/0           
5        0     0 ACCEPT     0    --  br-964aff83e1dd *       0.0.0.0/0            0.0.0.0/0           
6    39100 2539K ACCEPT     0    --  br-mailcow *       0.0.0.0/0            0.0.0.0/0           
7        0     0 ACCEPT     0    --  docker0 *       0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-INTERNAL (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain MAILCOW (4 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       0    --  *      *       81.30.107.0/24       0.0.0.0/0           
2        0     0 DROP       6    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            /* mailcow isolation */
3        0     0 DROP       0    --  *      *       81.30.107.0/24       0.0.0.0/0           
4    34035 1991K DROP       6    --  !br-mailcow br-mailcow  0.0.0.0/0            0.0.0.0/0            /* mailcow isolation */

Logs of ip6tables -L -vn:

Chain INPUT (policy DROP 3434 packets, 516K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     3414  510K MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
2     3436  516K MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
3     3436  516K MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
4     3436  516K MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
5     3436  516K MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
6     3436  516K MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
7        2   152 ACCEPT     0    --  lo     *       ::/0                 ::/0                
8        0     0 ACCEPT     0    --  *      *       ::/0                 ::/0                 ctstate RELATED,ESTABLISHED
9        0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:22
10       0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:25
11       0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:53
12       0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:80
13       0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:110
14       0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:143
15       0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:443
16       0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:465
17       0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:587
18       0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:873
19       0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:993
20       0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:995
21       0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:4190
22       0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:4080
23       0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:7443
24       0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:8084
25       0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:8000
26       0     0 ACCEPT     6    --  *      *       ::/0                 ::/0                 tcp dpt:9090
27       0     0 ACCEPT     17   --  *      *       ::/0                 ::/0                 udp dpt:53
28       0     0 ACCEPT     17   --  *      *       ::/0                 ::/0                 udp dpt:11335
29       0     0 ACCEPT     17   --  *      *       ::/0                 ::/0                 udp dpt:11445

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
2        0     0 DOCKER-USER  0    --  *      *       ::/0                 ::/0                
3        0     0 DOCKER-FORWARD  0    --  *      *       ::/0                 ::/0                
4        0     0 MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
5        0     0 MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
6        0     0 MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
7        0     0 MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */
8        0     0 MAILCOW    0    --  *      *       ::/0                 ::/0                 /* mailcow */

Chain OUTPUT (policy ACCEPT 16026 packets, 1045K bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (0 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-BRIDGE (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-CT (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-FORWARD (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DOCKER-CT  0    --  *      *       ::/0                 ::/0                
2        0     0 DOCKER-INTERNAL  0    --  *      *       ::/0                 ::/0                
3        0     0 DOCKER-BRIDGE  0    --  *      *       ::/0                 ::/0                

Chain DOCKER-INTERNAL (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER-USER (1 references)
num   pkts bytes target     prot opt in     out     source               destination         

Chain MAILCOW (12 references)
num   pkts bytes target     prot opt in     out     source               destination

Logs of iptables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 32031 packets, 3244K bytes)
 pkts bytes target     prot opt in     out     source               destination         
94263 4900K DOCKER     0    --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 334 packets, 42583 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3493 packets, 176K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     0    --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 94074 packets, 4897K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  0    --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
 1667  248K MASQUERADE  0    --  *      !br-05a342260808  172.19.0.0/16        0.0.0.0/0           
25686 1693K MASQUERADE  0    --  *      !br-mailcow  172.22.1.0/24        0.0.0.0/0           
    0     0 MASQUERADE  0    --  *      !br-964aff83e1dd  172.18.0.0/16        0.0.0.0/0           
  638 29499 MASQUERADE  0    --  *      !br-442f00620afc  172.19.0.0/16        0.0.0.0/0           
  637 29439 MASQUERADE  0    --  *      !br-cffb1adb3dda  172.18.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  0    --  *      !br-847e5c2f7998  172.19.0.0/16        0.0.0.0/0           

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
  267 15299 DNAT       6    --  !br-05a342260808 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.19.0.2:80
91589 4765K DNAT       6    --  !br-05a342260808 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.19.0.2:443
    0     0 DNAT       6    --  !br-05a342260808 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8000 to:172.19.0.2:8000
   10   600 DNAT       6    --  !br-964aff83e1dd *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4080 to:172.18.0.2:80
   81  4860 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:7443 to:172.22.1.3:7443
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8084 to:172.22.1.3:8084
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:7654 to:172.22.1.249:6379
    8   408 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 to:172.22.1.253:25
   37  2140 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:465 to:172.22.1.253:465
    8   400 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:587 to:172.22.1.253:587
 1105 66200 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:110 to:172.22.1.250:110
   15   792 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143 to:172.22.1.250:143
    7   316 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993 to:172.22.1.250:993
   41  2364 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:995 to:172.22.1.250:995
   11   628 DNAT       6    --  !br-mailcow *       0.0.0.0/0            0.0.0.0/0            tcp dpt:4190 to:172.22.1.250:4190
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:19991 to:172.22.1.250:12345
    0     0 DNAT       6    --  !br-mailcow *       0.0.0.0/0            127.0.0.1            tcp dpt:13306 to:172.22.1.13:3306

Logs of ip6tables -L -vn -t nat:

Chain PREROUTING (policy ACCEPT 314 packets, 98724 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     0    --  *      *       ::/0                 ::/0                 ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 13838 packets, 707K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     0    --  *      *       ::/0                !::1                  ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 13838 packets, 707K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destinatio

DNS check:

;; communications error to 172.22.1.254#53: connection refused
;; communications error to 172.22.1.254#53: connection refused
;; communications error to 172.22.1.254#53: connection refused
;; no servers could be reached

[Dvalin21]

So will mine be ignored as well?

[Dvalin21]

O.o?

[R0bles]

I don't know who the hell though spamming iptables was a good idea. I run mailcow with other services that are fighting to be the first in INPUT and FORWARD chains and this is not a good practice. Should be a way to disable it easily. I manage fail2ban outside mailcow and even checking the option Manage Fail2Ban externally in the UI keeps spamming new rules in INPUT and FORWARD calling MAILCOW chain 🤦

It seems the only answer we receive is that this is not planned or supported.

I don't know if your use case is the opposite and even using their 'netfilter' solution is recreating the rules again and again but at least they should delete old ones. I ended up with thousands of rules calling MAILCOW chain until I was aware of this behavior.

May look at it when I have time to try to disable this, at least for me.

#5801 #6241 #5798 #6795

Edit: for reference the code responsible of this behavior is here: NFTables.py

[Dvalin21]

Its exactly my case, no matter how many times I go in and delete the duplicates, they always come back some time later. From the look of the others, this issues been ignored for a few years now.

…

On Wed, Jan 28, 2026 at 7:40 AM Robles ***@***.***> wrote: *R0bles* left a comment (mailcow/mailcow-dockerized#6995) <#6995 (comment)> I don't know who the hell though spamming iptables was a good idea. I run mailcow with other services that are fighting to be the first in INPUT and FORWARD chains and this is not a good practice. Should be a way to disable it easily. I manage fail2ban outside mailcow and even checking the option Manage Fail2Ban externally in the UI keeps spamming new rules in INPUT and FORWARD calling MAILCOW chain 🤦 It seems the only answer we receive is that this is not planned or supported. I don't know if your use case is the opposite and even using their 'netfilter' solution is recreating the rules again and again but at least they should delete old ones. I ended up with thousands of rules calling MAILCOW chain until I was aware of this behavior. May look at it when I have time to try to disable this, at least for me. #5801 <#5801> #6241 <#6241> #5798 <#5798> — Reply to this email directly, view it on GitHub <#6995 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABY7PVMJM7ONAW34DC36P3D4JC36XAVCNFSM6AAAAACQUEQ6SWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZTQMJRGM3DSMBXHA> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[FreddleSpl0it]

I'm not really a fan of the netfilter service and would love to get rid of it in favor of a full solution like CrowdSec or something else. Unfortunately, I rarely find the time to work on mailcow lately, especially for larger changes.

[R0bles]

Its exactly my case, no matter how many times I go in and delete the
duplicates, they always come back some time later. From the look of the others, this issues been ignored for a few years now.
…

Maybe you have some kind of service, security app or other app that creates a temporary rule on top of the MAILCOW rule, or somehow it cannot determine if MAILCOW rule is on top of everything.

I use Ubuntu with nftables. If you login into mailcow as admin and watch the netfilter module logs (use crit as a search filter) you'll see messages such as:

MAILCOW target not found in ip forward table, restarting container to fix it...
MAILCOW target is in position 5 in the ip6 forward table, restarting container to fix it...

Every time mailcow restarts the netfilter module container, it creates a new rule in the filter table and the INPUT and FORWARD chains at the very top (position 1), calling the MAILCOW chain, no matter if the rule is already defined at any other position in those chains. That means you end up with firewall tables getting spammed over time. I literally ended up with more than 9,000 entries calling the MAILCOW chain.

A quick and dirty workaround to prevent this for now is to comment out lines 34-47 in NFTables.py at least to prevent duplicate rules, and then remove all rules calling the MAILCOW chain while keeping a single one as close to the top as possible if you use the integrated fail2ban in mailcow. Do not do this unless you fully understand the consequences and know what you are doing. As system administrators, we should know how to operate our firewalls. I know mailcow is designed to be used in a separate VM or server and not mixed with other services, but sometimes that is simply not possible.

The netfilter container uses an Alpine-based image, so you can do: docker exec -it mailcowdockerized-netfilter-mailcow-1 sh and then use vi modules/NFTables.py to comment out those lines. After restarting the container, it should stop spamming the firewall with new rules. I know this is a horrible temporary fix and that it will break every time the container is recreated or mailcow is updated, but at least it’s fast and easy. Still, this is definitely something that should be looked at and fixed properly in the code and patched with a new container image. Mailcow maintainers should figure out the best approach here, because this is a serious issue.

I'm not really a fan of the netfilter service and would love to get rid of it in favor of a full solution like CrowdSec or something else. Unfortunately, I rarely find the time to work on mailcow lately, especially for larger changes.

That’s a good point. Or at least make things optional or more modular. At the very least, it should not behave this way when we explicitly configure via the UI that filtering is managed outside of mailcow.

It’s not that bad overall. Obviously there are better alternatives security-wise, but I’m not familiar with the project code and don’t have the time right now either.

Mailcow works really well in the end despite this. Thanks to all contributors who make this project possible.

[Dvalin21]

Its exactly my case, no matter how many times I go in and delete the
duplicates, they always come back some time later. From the look of the others, this issues been ignored for a few years now.
…

Maybe you have some kind of service, security app or other app that creates a temporary rule on top of the MAILCOW rule, or somehow it cannot determine if MAILCOW rule is on top of everything.

I use Ubuntu with nftables. If you login into mailcow as admin and watch the netfilter module logs (use crit as a search filter) you'll see messages such as:

MAILCOW target not found in ip forward table, restarting container to fix it...
MAILCOW target is in position 5 in the ip6 forward table, restarting container to fix it...

Every time mailcow restarts the netfilter module container, it creates a new rule in the filter table and the INPUT and FORWARD chains at the very top (position 1), calling the MAILCOW chain, no matter if the rule is already defined at any other position in those chains. That means you end up with firewall tables getting spammed over time. I literally ended up with more than 9,000 entries calling the MAILCOW chain.

A quick and dirty workaround to prevent this for now is to comment out lines 34-47 in NFTables.py at least to prevent duplicate rules, and then remove all rules calling the MAILCOW chain while keeping a single one as close to the top as possible if you use the integrated fail2ban in mailcow. Do not do this unless you fully understand the consequences and know what you are doing. As system administrators, we should know how to operate our firewalls. I know mailcow is designed to be used in a separate VM or server and not mixed with other services, but sometimes that is simply not possible.

The netfilter container uses an Alpine-based image, so you can do: docker exec -it mailcowdockerized-netfilter-mailcow-1 sh and then use vi modules/NFTables.py to comment out those lines. After restarting the container, it should stop spamming the firewall with new rules. I know this is a horrible temporary fix and that it will break every time the container is recreated or mailcow is updated, but at least it’s fast and easy. Still, this is definitely something that should be looked at and fixed properly in the code and patched with a new container image. Mailcow maintainers should figure out the best approach here, because this is a serious issue.

I'm not really a fan of the netfilter service and would love to get rid of it in favor of a full solution like CrowdSec or something else. Unfortunately, I rarely find the time to work on mailcow lately, especially for larger changes.

That’s a good point. Or at least make things optional or more modular. At the very least, it should not behave this way when we explicitly configure via the UI that filtering is managed outside of mailcow.

It’s not that bad overall. Obviously there are better alternatives security-wise, but I’m not familiar with the project code and don’t have the time right now either.

Mailcow works really well in the end despite this. Thanks to all contributors who make this project possible.

Yeah, theres no other service I have installed that could or would. I have mail cow installed on ubuntu server as well. Whats fun I have it installed on a different server on a different network but its in a proxmox lxc container. And it works better than the one thats on ubuntu server. I haven't had that issue but maybe once after several months of hosting it. I think who created #6795 had the right idea and apparently a simple fix.

[dehlen]

I am having the same issue. I reverted my custom iptable rules for now and only allow specific ports via hetzner firewall but this should be handled better in netfilter probably. I cant add a rule to restrict ssh to wireguard interface f.e because mailcow always messes with the INPUT chain. Anyone with a working setup which works everytime after reboot as well?

[Dvalin21]

This bug is causing a real problem. Important documents that were needed to be sent werent because this issue AGAIN this morning. I really like this software, but its starting to become unreliable. More over, more disturbing that its been this long and we haven't heard a thing! I don't have much in way in supporting with money so I try to advertise this product. It maybe time for me to start looking else where.