I have been unable to install Ruby on Rails gems on my computer. Here is what I typed and the responses I received.
C:\Users\029607\Documents\NDAC Tech Studies\TES3>gem install bundler --source "http://rubygems.org"
This is the response:
Successfully installed bundler-1.5.3
WARNING: Unable to pull data from 'https://rubygems.org/': SSL_connect SYSCALL
returned=5 errno=0 state=SSLv2/v3 read server hello A (https://api.rubygems.org/
latest_specs.4.8.gz)
1 gem installed
C:\Users\029607\Documents\NDAC Tech Studies\TES3>bundle install
Fetching source index from https://rubygems.org/
Retrying source fetch due to error (2/3): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying source fetch due to error (3/3): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Could not fetch specs from https://rubygems.org/
This seems to be an issue with Ruby and your TLS handshake. Try defining a certificate here.
Here are other possible solutions.
You need to get more information: bundle install --verbose
I was getting the same error and when I did bundle install verbose it became clearer. In my case ..
Gem::RemoteFetcher::FetchError: Errno::ETIMEDOUT: Connection timed out
- connect(2) for "s3.amazonaws.com" port 443 (https://rubygems.org/specs.4.8.gz)
It indicated that there was firewall issues (you need to allow firewall access to rubygems.org and s3.amazonaws.com on port 443).
I was doing nslookup rubygems.org getting the ip address and using it in whois ip address and using the CIDR addresses (54.240.0.0/12 etc) to allow access to the ruby gems through the firewall. My Iptables for Rubygems looked like this along with permitting established traffic. (You could equally have a policy of permit on outbound traffic and you wouldn't need complicated firewall tables ;-) )
-A service -d 54.240.0.0/12 -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A service -d 205.251.192.0/18 -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A service -d 54.216.0.0/14 -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A service -d 54.220.0.0/15 -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A service -d 54.208.0.0/13 -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
Rich
Related
I am trying to add a rule which looks like:
Chain DOCKER (2 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.18.0.8 tcp dpt:21102
I am using the following command:
sudo iptables -A DOCKER -t tcp -s anywhere -d 172.18.0.8 --dport 21102 -j ACCEPT
However, I am getting the following error:
table 'tcp' does not exist
Perhaps iptables or your kernel needs to be upgraded.
Can someone please guide me where am I going wrong ?
-t : Specifies the packet matching table such as nat, filter, raw.etc
-p : Sets the IP protocol for the rule, which can be either icmp, tcp, udp, or all.
So the command should be:
sudo iptables -A DOCKER -p tcp -s {source_ip} -d 172.18.0.8 --dport 21102 -j ACCEPT
After installing Spree Commerce and running these commands, I am unable to access my domain http://example.com:4000/ or http://example.com:4000/admin. When I run:
curl example.com:4000 I got: curl: (7) Failed to connect to example.com port 4000 after 27 ms: Connection refused.
What is the reason I cannot access Spree Commerce on port 4:000 after fresh install and how can I correct this?
There is no point for accessing - http://example.com:4000. As per the spree documentation, you should use http://localhost:4000 for accessing the spree application.
For Backend
For APIs
Hope this helps.
Firewall could be the principal problem. Have you tried checking opened ports?
List the current Iptables rules
sudo iptables -L
Add an Iptable rule (for example to open a Mysql port 3306)
sudo iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
Remove an Iptable rule
sudo iptables -D INPUT -p tcp --dport xxxx -j ACCEPT
I can't get logspout to connect to papertrail. I get the following error:
!! lookup logs5.papertrailapp.com on 127.0.0.11:53: read udp 127.0.0.1:46185->127.0.0.11:53: i/o timeout
where 46185 changes every time I run the container. It seems like a DNS error, but nslookup logs5.papertrailapp.com gives the expected output, as does docker run busybox nslookup logs5.papertrailapp.com.
Beyond that, I don't even know how to interpret that error message, let alone address it. Any help debugging this would be hugely appreciated.
My Docker Compose file:
version: '2'
services:
logspout:
image: gliderlabs/logspout
command: "syslog://logs5.papertrailapp.com:12345"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
sleep:
image: benwhitehead/env-loop
Where 12345 is the actual papertrail port. Result is the same whether using syslog:// or syslog-tls://.
From https://docs.docker.com/engine/userguide/networking/configure-dns/:
the docker daemon implements an embedded DNS server which provides built-in service discovery for any container
It looks like your container is unable to connect to this DNS server. If your container is on the default bridge network, it won't reach the embedded DNS server. You can either set --dns to be an outside source or update /etc/resolv.conf. It doesn't sound like a Papertrail issue, at all.
(source)
Docker and iptables got in a fight. So I spun up a new machine, failed to set up iptables, and the problem was solved: no firewall at all to get in the way of Docker's connections!
Just kidding, don't do that. I got a toy database hacked that way.
Fortunately, it's now relatively easy to get iptables and Docker to live in harmony, using the DOCKER_USER iptables chain.
The solution, excerpted from my blog:
Configure Docker with iptables=true, and append to iptables configuration:
iptables -A DOCKER-USER -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A DOCKER-USER -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A DOCKER-USER -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A DOCKER-USER -i eth0 -j DROP
I want to block access to the default docker.io registry. For security/IP protection, we need to block push/pull access to/from the public Docker hub.
There have been many attempts to make this a configuration option, but all PRs just keep getting rejected. Red Hat has implemented both '--block-registry' and '--add-registry', which are exactly what I need, but it only works with Red Hat's fork of docker v1.10, and I want to use docker v1.12+
I'm using RHEL/Centos 7
DNS spoofing doesn't seem to work via the following in /etc/hosts (anymore):
127.0.0.1 index.docker.io registry.docker.io registry-1.docker.io docker.io
And I can't seem to get the firewall to block access either with the following rules (where the IPs are currently those from the above hosts listed in /etc/hosts):
# firewall-cmd --direct --get-rules ipv4 filter OUTPUT
0 -p tcp -m tcp --dport 5000 -j REJECT
0 -p tcp -m tcp --dport 443 -j REJECT
0 -p tcp -m tcp -d 52.207.178.113 -j DROP
0 -p tcp -m tcp -d 52.73.159.23 -j DROP
0 -p tcp -m tcp -d 54.85.12.131 -j DROP
0 -p tcp -m tcp -d 52.6.119.223 -j DROP
0 -p tcp -m tcp -d 52.0.53.94 -j DROP
0 -p tcp -m tcp -d 34.192.123.224 -j DROP
0 -m state --state ESTABLISHED,RELATED -j ACCEPT
1 -p tcp -m tcp --dport 80 -j ACCEPT
1 -p tcp -m tcp --dport 53 -j ACCEPT
1 -p udp --dport 53 -j ACCEPT
1 -p tcp -m tcp --dport 2376 -j ACCEPT
2 -j REJECT
or
# firewall-cmd --direct --get-rules ipv4 filter FORWARD
0 -p tcp -m tcp --dport 5000 -j REJECT
0 -p tcp -m tcp --dport 443 -j REJECT
0 -p tcp -m tcp -d 52.207.178.113 -j DROP
0 -p tcp -m tcp -d 52.73.159.23 -j DROP
0 -p tcp -m tcp -d 54.85.12.131 -j DROP
0 -p tcp -m tcp -d 52.6.119.223 -j DROP
0 -p tcp -m tcp -d 52.0.53.94 -j DROP
0 -p tcp -m tcp -d 34.192.123.224 -j DROP
With all these in place, I can still search/pull from docker.io.
One of the PRs to resolve this got closed by a maintainer who said it looks like something that should be addressed by the firewall. Can someone please tell me how this can actually be done?
Adding this to /etc/hosts on Ubuntu worked for me:
0.0.0.0 index.docker.io auth.docker.io registry-1.docker.io dseasb33srnrn.cloudfront.net production.cloudflare.docker.com
I got the list of domains from here: https://support.sonatype.com/hc/en-us/articles/115015442847-Whitelisting-Docker-Hub-Hosts-for-Firewalls-and-HTTP-Proxy-Servers
On redhat/centos add
--block-registry docker.io
to wherever you start your docker engine from ( likely /etc/sysconfig/docker on redhat, or possibly /lib/systemd/system/docker.service )
don't forget to refresh systemd if you edited the service file ( systemctl daemon-reload ) and to restart the docker engine ( systemctl restart docker.service ) in either case
now if you do a ps auxwwf | grep docker the docker engine --block-register flag should appear in the process listing.
I came here because this does not work on debian/ubuntu, and am looking for a way to do this on debian. = / HTH
I'm tried to start minecraft server on not custom port (25565 for example) with command:
java -jar craftbukkit.jar
but had an exception java.net.BindException:
Loading libraries, please wait...
[12:24:27 INFO]: Starting minecraft server version 1.7.2
[12:24:27 WARN]: To start the server with more ram, launch it as "java -Xmx1024M -Xms1024M -jar minecraft_server.jar"
[12:24:27 INFO]: Loading properties
[12:24:27 INFO]: Default game type: SURVIVAL
[12:24:27 INFO]: Generating keypair
[12:24:28 INFO]: Starting Minecraft server on 52.25.177.236:25565
[12:24:28 WARN]: **** FAILED TO BIND TO PORT!
[12:24:28 WARN]: The exception was: java.net.BindException: Cannot assign requested address
[12:24:28 WARN]: Perhaps a server is already running on that port?
After that I tried to stop all processes on this port with command:
fuser -k 25565/tcp
fuser -k 25565/tcp
but it didn't help too.
After that I tried to enable this port in iptables with commands:
iptables -A INPUT -p tcp --dport 25565 -j ACCEPT
iptables -A FORWARD -p tcp --dport 25565 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 25565 -j ACCEPT
but it didn't help too.
Then I seen ifconfig and noticed that indet addr because it is not public ip, with whitch I work through ssh, it is hidden ip of internal network in amazon.
eth0
Link encap:Ethernet HWaddr 02:89:4f:57:67:9d
inet addr:172.31.29.204 Bcast:172.31.31.255 Mask:255.255.240.0
This ip I can set when I create new hosting in amazon. But I can't choose public ip when I do it.
Can someone exlain what is this hidden ip address and can be trouble with I start minecraft server on public ip but eth0 interface show me only hidden internal?
Thank you :)
It could be that someone on the same machine is using port 25565. I would recommend contacting amazon and resolving it with them