psql: error: could not connect to server: Connection refused - psql

For some reason I cannot connect to a PostgreSQL server on my LAN. I can ssh into the box and connect using psql just fine. The server is running. But...
psql: error: could not connect to server: Connection refused
Is the server running on host "server1.local" (192.168.1.23) and accepting
TCP/IP connections on port 5432?
I cannot find an open port on that box using nmap for ports 5400-6500:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-03 19:48 EDT
Nmap scan report for 192.168.1.23
Host is up (0.00041s latency).
All 1101 scanned ports on 192.168.1.23 are in ignored states.
Not shown: 1090 filtered tcp ports (no-response), 11 filtered tcp ports (admin-prohibited)
MAC Address: D0:50:99:87:7B:4A (ASRock Incorporation)
Nmap done: 1 IP address (1 host up) scanned in 5.94 seconds
listen_addresses = '*'
Here is my effective pg_hba.conf:
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 md5
local replication all trust
host replication all 127.0.0.1/32 trust
host replication all ::1/128 trust
host all user1 192.168.1.4 255.255.255.0 md5
host all user1 192.168.1.24 255.255.255.0 md5
host all user1 192.168.1.0/24 md5
host all all 0.0.0.0/0 md5
Upon restart/start of the server, it spits this out:
Jul 03 18:07:51 server1.project33.ca postmaster[2321]: 2022-07-03 18:07:51.206 EDT [2321] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
Jul 03 18:07:51 server1.project33.ca postmaster[2321]: 2022-07-03 18:07:51.213 EDT [2321] LOG: listening on Unix socket "/tmp/.s.PGSQL.5432"
Those directives are the same in the server settings:
unix_socket_directories | /var/run/postgresql, /tmp | Sets the directories where Unix-domain sockets will be created.
unix_socket_group | | Sets the owning group of the Unix-domain socket.
unix_socket_permissions | 0777 | Sets the access permissions of the Unix-domain socket.
tcp_keepalives_count | 0 | Maximum number of TCP keepalive retransmits.
tcp_keepalives_idle | 0 | Time between issuing TCP keepalives.
tcp_keepalives_interval | 0 | Time between TCP keepalive retransmits.
tcp_user_timeout | 0 | TCP user timeout.
How can I get this to be visible on the LAN and allow me to connect? Cheers

SOLVED. It was two things:
First, listen_addresses needs to be expanded from '*' to listen_addresses = '127.0.0.1, ::1, localhost, 192.168.1.55', as the TCP socket doesn't show up using '*'.
Jul 03 22:58:58 server_n.project33.ca postmaster[2534]: 2022-07-03 22:58:58.720 EDT [2534] LOG: listening on IPv4 address "192.168.1.23", port 5432
Jul 03 22:58:58 server_n.project33.ca postmaster[2534]: 2022-07-03 22:58:58.720 EDT [2534] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
Jul 03 22:58:58 server_n.project33.ca postmaster[2534]: 2022-07-03 22:58:58.728 EDT [2534] LOG: listening on Unix socket "/tmp/.s.PGSQL.5432"
Second, the AlmaLinux 9 firewall needs a specific hole poked in it for this service to be visible in the public zone:
$ sudo firewall-cmd --zone=public --permanent --add-service=postgresql
$ sudo firewall-cmd --zone=public --permanent --add-port 5432/tcp
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s25
sources:
services: cockpit dhcpv6-client postgresql ssh
ports: 5432/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Restart PostgreSQL and we are gold. It shows up in nmap from my workstation, and I can log into it with psql.
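Added example, not part of the question or the answer above: once 5432 is open in the public zone, the pg_hba.conf shown above is all that stands between the LAN and the database, and its last rule (host all all 0.0.0.0/0 md5) lets any source address attempt a password login. The script below parses a constructed copy of that file (embedded inline; it is modelled on the listing above, not the poster's actual file) and flags rules that use trust over TCP, accept any source address, or use the legacy md5 or cleartext password methods instead of scram-sha-256. The function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example: audit pg_hba.conf for rules that widen access beyond what a
# LAN-only server needs. Not code from the original post; function names are
# the example's own.

# Constructed sample modelled on the effective pg_hba.conf in the question.
pg_hba_sample() {
cat <<'EOF'
# TYPE  DATABASE     USER   ADDRESS                     METHOD
local   all          all                                trust
host    all          all    127.0.0.1/32                md5
local   replication  all                                trust
host    replication  all    127.0.0.1/32                trust
host    replication  all    ::1/128                     trust
host    all          user1  192.168.1.4 255.255.255.0   md5
host    all          user1  192.168.1.0/24              md5
host    all          all    0.0.0.0/0                   md5
EOF
}

# Reads pg_hba.conf text on stdin; prints one "LEVEL  reason: rule" line per
# finding. Handles both address forms PostgreSQL accepts: CIDR ("10.0.0.0/8")
# and the separate IP-address / IP-mask columns ("10.0.0.0 255.0.0.0").
pg_hba_audit() {
  awk '
    /^[ \t]*(#|$)/ { next }                         # comments and blank lines
    {
      type = $1; db = $2; user = $3
      if (type == "local") {                        # unix socket: no address column
        addr = "(socket)"; method = $4
      } else if ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
        addr = $4 "/" $5; method = $6               # IP-address IP-mask form
      } else {
        addr = $4; method = $5                      # CIDR form
      }
      rule = type " " db " " user " " addr " " method
      if (method == "trust" && type != "local")
        print "HIGH  no authentication over TCP: " rule
      else if (method == "trust")
        print "INFO  trust on local socket, any OS user that can open it: " rule
      if (type != "local" && (addr == "0.0.0.0/0" || addr == "::/0" || addr == "all"))
        print "HIGH  any source address may attempt login: " rule
      if (method == "password")
        print "HIGH  cleartext password method: " rule
      else if (method == "md5" && type != "local")
        print "WARN  legacy md5, prefer scram-sha-256: " rule
    }'
}

# Number of HIGH findings on stdin (prints 0 when the file is clean).
pg_hba_high_count() {
  pg_hba_audit | grep -c '^HIGH' || true
}

pg_hba_sample | pg_hba_audit
```

Run it against the real file with `pg_hba_audit < /var/lib/pgsql/data/pg_hba.conf` (path varies by distribution). On the sample it reports three HIGH findings: the two trust rules over TCP and the 0.0.0.0/0 rule. If only user1 from 192.168.1.0/24 needs in, the last rule can simply be removed, and the firewalld rule can be narrowed to that source with a rich rule instead of opening 5432 to the whole public zone.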

Related

Cannot connect to Protonmail Bridge SMTP (host machine) from a Docker container

My setup is:
Debian, Docker
Host machine running Protonmail Bridge as a service
Docker container running Discourse with their default recommended setup
Issue: From the Docker container, I cannot connect to the SMTP server exposed by the Protonmail Bridge on the host machine.
I checked open ports on the host machine, all good:
ss -plnt
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.1:1025 0.0.0.0:* users:(("proton-bridge",pid=953,fd=12))
How I test
Host machine:
openssl s_client -connect 127.0.0.1:1025 -starttls smtp
Works.
Docker container:
openssl s_client -connect 172.17.0.1:1025 -starttls smtp
Connection refused.
I’m wondering if the Protonmail Bridge service that’s listening on 127.0.0.1:1025 is not accepting connections from the Docker container because they are not coming from 127.0.0.1 exactly? If this is the problem, how to validate and fix? If this is not the problem, what am I doing wrong?
Other tests
nmap 127.0.0.1 on the host machine outputs:
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000010s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
1025/tcp open NFS-or-IIS
1042/tcp open afrog
Note that it lists the open port 1025.
nmap 172.17.0.1 in the docker container does not output any 1025 port. I'm not sure if this is the problem either.
Output of route in the Docker container:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 172.17.0.1 0.0.0.0 UG 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
This may be impossible currently, but should be solved by this pull request.
If you're comfortable compiling the proton-bridge package from source, you only have to change 1 line in the internal/bridge/constants.go file to say
Host = '127.0.0.1'
To
Host = '0.0.0.0'
Then recompile with make build-nogui (to build the "headless" version).
And you should be good to go!
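Added example, not code from either post above and not from proton-bridge or PostgreSQL: the question here and the listen_addresses point in the PostgreSQL answer above are the same problem seen from two sides, which address a socket is bound to. The script classifies the local address column of `ss -plnt` output and says whether a client connecting to a given destination IP (the docker0 gateway 172.17.0.1, or the host's LAN address) can reach each listener. The ss output is constructed for the example, the "some-relay" process is hypothetical, and the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the original posts. Classifies the local
# address a socket is bound to and says whether a client that connects to a
# given destination IP can reach it. Function names are the example's own;
# the ss(8) output is constructed.

# Constructed `ss -plnt` output: the bridge listener from the question, a
# PostgreSQL listener on the wildcard address, sshd, and a hypothetical relay
# bound only to the docker0 gateway address.
ss_sample() {
cat <<'EOF'
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       4096         127.0.0.1:1025         0.0.0.0:*      users:(("proton-bridge",pid=953,fd=12))
LISTEN  0       244            0.0.0.0:5432         0.0.0.0:*      users:(("postmaster",pid=2534,fd=6))
LISTEN  0       128                  *:22                 *:*      users:(("sshd",pid=1201,fd=3))
LISTEN  0       4096        172.17.0.1:1025         0.0.0.0:*      users:(("some-relay",pid=4410,fd=5))
EOF
}

# bind_scope ADDR -> loopback | wildcard | specific
# ADDR is the address part of ss's "Local Address:Port" column.
bind_scope() {
  case "$1" in
    127.*|'[::1]'|::1)        echo loopback ;;
    0.0.0.0|'*'|'[::]'|::)    echo wildcard ;;
    *)                        echo specific ;;
  esac
}

# reachable_via BIND_ADDR DEST_IP -> yes | no
# A TCP connection to DEST_IP is delivered to the socket only if the socket is
# bound to the wildcard address, to DEST_IP itself, or (loopback) DEST_IP is
# itself a loopback address. So 127.0.0.1:1025 is never reachable as
# 172.17.0.1:1025, and a listener bound to 172.17.0.1 is reachable from the
# bridge but not via the LAN address of the same host.
reachable_via() {
  case "$(bind_scope "$1")" in
    wildcard) echo yes ;;
    loopback) case "$2" in 127.*|::1) echo yes ;; *) echo no ;; esac ;;
    specific) if [ "$1" = "$2" ]; then echo yes; else echo no; fi ;;
  esac
}

# ss_reachability DEST_IP < ss-output
# Prints "PORT BIND_ADDR SCOPE REACHABLE PROCESS" for every LISTEN row.
ss_reachability() {
  dest=$1
  awk '$1 == "LISTEN" { print $4, $6 }' | while read -r laddr proc; do
    addr=${laddr%:*}; port=${laddr##*:}
    name=${proc#*\"}; name=${name%%\"*}     # first quoted name in users:(("...",pid=...))
    printf '%s %s %s %s %s\n' "$port" "$addr" "$(bind_scope "$addr")" \
      "$(reachable_via "$addr" "$dest")" "${name:-?}"
  done
}

# What a container sees when it connects to the docker0 gateway:
ss_sample | ss_reachability 172.17.0.1
# What a LAN client sees when it connects to the host's LAN address:
ss_sample | ss_reachability 192.168.1.23
```

On a live host, run `ss -plnt | ss_reachability 172.17.0.1` from the host, not the container. Binding the bridge to 0.0.0.0, as the recompile above does, turns it into the wildcard scope: reachable from the container, but also from every other interface on the host, so a firewall rule is then needed to keep SMTP off the LAN. A listener bound only to the docker0 gateway address (the hypothetical "some-relay" row) gives the container what it needs and is not reachable via the LAN address at all. For the PostgreSQL case, listen_addresses = '*' is the wildcard scope; when it is in effect the startup log shows a "listening on IPv4 address "0.0.0.0", port 5432" line alongside the Unix socket lines, and a listener nmap cannot see from the LAN is then a firewall question rather than a bind-address one.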

Xdebug 3.0 WSL2 and VSCode - address is already in use by docker-proxy

My VSCode in WSL:Ubuntu is unable to listen to the xdebug port, because it is blocked by some docker-proxy.
I was following this solution, but having VSCode listen on the xdebug port results in the following error:
Error: listen EADDRINUSE: address already in use :::9003
Can anyone help with connecting VSCode to xdebug?
Windows 11 says the port is already allocated by wslhost:
PS C:\WINDOWS\system32> Get-Process -Id (Get-NetTCPConnection -LocalPort 9003).OwningProcess
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
285 47 2288 4748 0,05 19480 1 wslhost
Ubuntu says it's allocated by some docker-proxy:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9003 0.0.0.0:* LISTEN 17210/docker-proxy
tcp6 0 0 :::9003 :::* LISTEN 17217/docker-proxy
docker-compose-version: docker-compose version 1.25.0
The xdebug.log says:
[Step Debug] INFO: Connecting to configured address/port: host.docker.internal:9003.
[Step Debug] ERR: Time-out connecting to debugging client, waited: 200 ms. Tried: host.docker.internal:9003 (through xdebug.client_host/xdebug.client_port) :-(
For sure as long as nothing is listening.
As to xdebug.client_host I've tried:
host.docker.internal
xdebug://gateway and xdebug://nameserver, referring to this: https://docs.google.com/document/d/1W-NzNtExf5C4eOu3rRQm1WlWnbW44u3ANDDA49d3FD4/edit?pli=1
setting the env-variable with docker-compose.yml: XDEBUG_CONFIG="client_host=..."
Removing the Expose directive from Dockerfile/docker-compose as in this comment doesn't remove the error either.
Solved it. For others with this challenge:
Inside of wsl-ubuntu -> docker container, host.docker.internal resolves to the wrong IP.
In the WSL distribution, the file /etc/resolv.conf contains the IP of the Windows host.
To get the correct ip use this answer: How to get the primary IP address of the local machine on Linux and OS X?
My solution is to define an env-variable with this ip:
alias docker_compose_local_ip="ifconfig eth0 | sed -En 's/127.0.0.1//;s/.*inet (addr:)?(([0-9]*\.){3}[0-9]*).*/\2/p'"
export DOCKER_COMPOSE_LOCAL_IP=$(docker_compose_local_ip)
and configure the container with it:
services:
  service-name:
    environment:
      - XDEBUG_CONFIG=client_host=${DOCKER_COMPOSE_LOCAL_IP} ...

docker ports filtered by firewalld

I'm on CentOS 7.9 and I need to get Docker to work with firewalld configured.
However, the port is always filtered when firewalld is started... Unless I tried to connect to it over localhost.
On this machine (myhost), I have a running container listening on port 55123 :
# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
6878f1d6152d registry.example.com/my-image:22.1.1 "/entrypoint.sh" 2 weeks ago Up 10 minutes 0.0.0.0:55123->55123/tcp myhost_myservice
# netstat -lntp |grep docker-proxy
tcp 0 0 0.0.0.0:55123 0.0.0.0:* LISTEN 27091/docker-proxy
I did add the port to firewalld :
# firewall-cmd --zone=public --add-port=55123/tcp --permanent
# firewall-cmd --reload
I have a zone docker and a zone public, and I added my interfaces to the public zone to be sure :
# firewall-cmd --get-active-zones
docker
interfaces: br-e7b57dXXXXXX docker0
public
interfaces: ens192 ens224 ens256
I tried a restart of firewalld and then docker service but still getting filtered :
# nmap myhost -Pn -p 55123
Nmap scan report for myhost (XXX.XXX.XXX.23)
Host is up.
PORT STATE SERVICE
55123/tcp filtered unknown
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
but all good on localhost :
# nmap localhost -Pn -p 55123
Nmap scan report for myhost (XXX.XXX.XXX.23)
Host is up.
PORT STATE SERVICE
55123/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
I have enabled docker metrics on port 9323 directly on the host (myhost), and this port is well opened
# nmap myhost -Pn -p 9323
Nmap scan report for myhost (XXX.XXX.XXX.23)
Host is up.
PORT STATE SERVICE
9323/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
If I stop firewalld, I immediately get:
# nmap myhost -Pn -p 55123
Nmap scan report for myhost (XXX.XXX.XXX.23)
Host is up.
PORT STATE SERVICE
55123/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
My Firewalld configuration :
# firewall-cmd --zone=docker --list-all
docker (active)
target: ACCEPT
icmp-block-inversion: no
interfaces: br-e7b57dXXXXXX docker0
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192 ens224 ens256
sources:
services: dhcpv6-client ssh
ports: 9323/tcp 55123/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
I'm a bit lost as to why it isn't working.
There is one thing that's a bit weird: we have a non-standard private network. Our network is on something like 110.2.0.0/16.

I am opening a port on a fresh Centos 7 server, but nmap says it's still closed

I have installed a fresh CentOS 7 box on VirtualBox running with a bridged network adapter. I have installed Ruby on Rails and set up a simple app. I started the server on port 3000, but when I try to reach it from my host machine by hitting the IP I get no response.
On the server I can do a
wget "http://127.0.0.1:3000"
and I get the right index.html file. So I figured my port was getting blocked.
So I installed firewalld and issued the following commands
sudo firewall-cmd --zone=public --add-port=3000/tcp --permanent
sudo firewall-cmd --reload
firewall-cmd --list-all
The list-all shows the following:
public (default, active)
interfaces: enp0s3
sources:
services: dhcpv6-client ssh
ports: 3000/tcp 80/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
However when I run nmap I see it's closed
sudo nmap -p 3000 127.0.0.1
Starting Nmap 6.40 ( http://nmap.org ) at 2016-11-26 01:47 EST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000071s latency).
PORT STATE SERVICE
3000/tcp closed ppp
Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds
From my host machine I can ping the machine but when I nmap to port 3000 it says the host is unreachable.
I don't know how to go any further. Any thoughts?

Can't visit `http://172.17.0.2:5000` after starting docker registry

On a Mac system, I start the registry following the deploy document:
docker run -d -p 5000:5000 --restart=always --name registry registry:2
And its ip is "IPAddress": "172.17.0.2", which is from the command docker inspect <cid>
But I can't telnet its port:
$ telnet 172.17.0.2 5000
Trying 172.17.0.2...
telnet: connect to address 172.17.0.2: Can't assign requested address
telnet: Unable to connect to remote host
Or
$ curl http://172.17.0.2:5000
curl: (7) Couldn't connect to server
I ssh to the container to check it:
$ docker exec -it cda bash
root@cda4c64efd06:/# netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp6 0 0 :::5000 :::* LISTEN
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
root@cda4c64efd06:/# curl -I http://localhost:5000
HTTP/1.1 200 OK
Cache-Control: no-cache
Date: Fri, 11 Dec 2015 07:34:17 GMT
Content-Type: text/plain; charset=utf-8
root@cda4c64efd06:/#
Seems like it's binding tcp6 not normally tcp.
Where is wrong?
If you are using docker-machine, see "Port forwarding in docker-machine?"
either port forward the 5000 port on the VirtualBox level (meaning localhost:5000 will work)
VBoxManage controlvm "boot2docker-vm" natpf1 "tcp-port5000,tcp,,5000,,5000";
or use the ip returned by $(docker-machine ip <yourMachine>)