X-ROAD refusing connections when trying to access a REST endpoint
Closed · 1 comment
This is my first time using X-ROAD, so this may just be a config error.
I'm trying to set up an X-ROAD security server to form part of a larger network which I don't manage. I've gone through the installation steps that appear in the installation guide, registered a REST endpoint and gave a registered client permission to access it. The setup is as follows:
- Security server connected to the X-ROAD with a valid anchor file and application certificates.
- Private server in the security server's local network serving an API endpoint on port 60000 with GET and POST methods.
- I'm also using a Wireguard VPN to manage these servers, although this shouldn't matter.
When I try to query this test API internally and through the VPN, I get the responses from the private server. The problem starts when I try to query through X-ROAD, which just returns "connection refused".
I've already troubleshot the firewall on both the security and private servers.
(Output of sudo ufw status verbose)
Security server:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22 ALLOW IN Anywhere
2222 ALLOW IN Anywhere
4000 ALLOW IN Anywhere
5577 ALLOW IN Anywhere
4001 ALLOW IN Anywhere
5500 ALLOW IN Anywhere
8000 ALLOW IN Anywhere
51825/udp ALLOW IN Anywhere
Anywhere on wg0 ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
80/udp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
22 (v6) ALLOW IN Anywhere (v6)
2222 (v6) ALLOW IN Anywhere (v6)
4000 (v6) ALLOW IN Anywhere (v6)
5577 (v6) ALLOW IN Anywhere (v6)
4001 (v6) ALLOW IN Anywhere (v6)
5500 (v6) ALLOW IN Anywhere (v6)
8000 (v6) ALLOW IN Anywhere (v6)
51825/udp (v6) ALLOW IN Anywhere (v6)
Anywhere (v6) on wg0 ALLOW IN Anywhere (v6)
Anywhere (v6) on eno1 ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
80/udp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
Private Server:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
3000/tcp ALLOW IN Anywhere
3306 ALLOW IN 172.16.11.82
3306 ALLOW IN Anywhere
3000 ALLOW IN Anywhere
80 ALLOW IN Anywhere
3306 ALLOW IN 0.0.0.0
22/tcp ALLOW IN 170.210.83.114
51821/udp ALLOW IN Anywhere
Anywhere on wg0 ALLOW IN Anywhere
51822/udp ALLOW IN Anywhere
60000/tcp ALLOW IN Anywhere
60000/udp ALLOW IN Anywhere
80/tcp ALLOW IN Anywhere
443/tcp ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
3000/tcp (v6) ALLOW IN Anywhere (v6)
3306 (v6) ALLOW IN Anywhere (v6)
3000 (v6) ALLOW IN Anywhere (v6)
80 (v6) ALLOW IN Anywhere (v6)
51821/udp (v6) ALLOW IN Anywhere (v6)
Anywhere (v6) on wg0 ALLOW IN Anywhere (v6)
51822/udp (v6) ALLOW IN Anywhere (v6)
60000/tcp (v6) ALLOW IN Anywhere (v6)
60000/udp (v6) ALLOW IN Anywhere (v6)
80/tcp (v6) ALLOW IN Anywhere (v6)
443/tcp (v6) ALLOW IN Anywhere (v6)
(Output of sudo netstat -nlpt)
Security Server:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 7554/cupsd
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 593/systemd-resolve
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 826/postgres
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 773/sshd: /usr/sbin
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 21498/sshd: dptsvr@
tcp 0 0 0.0.0.0:7070 0.0.0.0:* LISTEN 745/anydesk
tcp6 0 0 127.0.0.1:2552 :::* LISTEN 1124/java
tcp6 0 0 :::5500 :::* LISTEN 1127/java
tcp6 0 0 127.0.0.1:443 :::* LISTEN 1127/java
tcp6 0 0 127.0.0.1:45455 :::* LISTEN 1125/java
tcp6 0 0 :::5577 :::* LISTEN 1127/java
tcp6 0 0 127.0.0.1:80 :::* LISTEN 1127/java
tcp6 0 0 127.0.0.1:2081 :::* LISTEN 1125/java
tcp6 0 0 127.0.0.1:2080 :::* LISTEN 1125/java
tcp6 0 0 127.0.0.1:39713 :::* LISTEN 1126/java
tcp6 0 0 :::4000 :::* LISTEN 1126/java
tcp6 0 0 ::1:6010 :::* LISTEN 21498/sshd: dptsvr@
tcp6 0 0 127.0.0.1:5567 :::* LISTEN 1127/java
tcp6 0 0 127.0.0.1:5566 :::* LISTEN 1127/java
tcp6 0 0 127.0.0.1:5559 :::* LISTEN 1128/java
tcp6 0 0 127.0.0.1:5558 :::* LISTEN 1128/java
tcp6 0 0 :::22 :::* LISTEN 773/sshd: /usr/sbin
tcp6 0 0 ::1:631 :::* LISTEN 7554/cupsd
tcp6 0 0 127.0.0.1:5675 :::* LISTEN 1123/java
Private Server:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:7071 0.0.0.0:* LISTEN 867/anydesk
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 1673/docker-proxy
tcp 0 0 0.0.0.0:60000 0.0.0.0:* LISTEN 18762/target/debug/
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 12407/cupsd
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 17544/sshd: eureadm
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 699/systemd-resolve
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1120/mysqld
tcp 0 0 0.0.0.0:33060 0.0.0.0:* LISTEN 1120/mysqld
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 903/sshd: /usr/sbin
tcp6 0 0 :::3000 :::* LISTEN 1682/docker-proxy
tcp6 0 0 ::1:6010 :::* LISTEN 17544/sshd: eureadm
tcp6 0 0 ::1:631 :::* LISTEN 12407/cupsd
tcp6 0 0 :::22 :::* LISTEN 903/sshd: /usr/sbin
tcp6 0 0 :::80 :::* LISTEN 962/apache2
When using the iptables log on port 443, for example, I get a log entry for the connection, but the firewall doesn't register it and the xroad/proxy.log file doesn't update either.
How can I troubleshoot this?
This is a duplicate: nordic-institute/X-Road#1624
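As an added diagnostic (not from the issue or the X-Road project), the script below parses `netstat -nlpt` output and reports, for each port the ufw rules above open for the proxy (5500, 5577, 80, 443), whether the listener is bound to all interfaces, only to loopback, or not at all; a port that ufw allows but that is bound only to 127.0.0.1 is refused by the kernel before the proxy sees it, which is consistent with an iptables log entry and no activity in proxy.log. The function names `bind_scope` and `check_xroad_listeners` are mine, and `SAMPLE_NETSTAT` is a constructed excerpt of the security server listing from the issue.

```shell
#!/bin/sh
# Constructed excerpt of the security server's `netstat -nlpt` output from the issue.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::5500 :::* LISTEN 1127/java
tcp6 0 0 127.0.0.1:443 :::* LISTEN 1127/java
tcp6 0 0 :::5577 :::* LISTEN 1127/java
tcp6 0 0 127.0.0.1:80 :::* LISTEN 1127/java'

# bind_scope PORT [NETSTAT_OUTPUT]
# Prints "all" for a wildcard bind (0.0.0.0 or ::), "loopback" for 127.0.0.1/::1 only,
# "specific" for any other address, "none" if no LISTEN socket uses PORT.
# Without a second argument it reads the live netstat output of this host.
bind_scope() {
  port=$1
  input=${2:-"$(netstat -nlpt 2>/dev/null)"}
  printf '%s\n' "$input" | awk -v p="$port" '
    $6 == "LISTEN" {
      n = split($4, a, ":"); lp = a[n]          # port is the last ":"-separated field
      if (lp != p) next
      addr = substr($4, 1, length($4) - length(lp) - 1)   # everything before the port
      if (addr == "0.0.0.0" || addr == "::") wild = 1
      else if (addr == "127.0.0.1" || addr == "::1") loop = 1
      else other = 1
    }
    END { if (wild) print "all"; else if (loop) print "loopback"; else if (other) print "specific"; else print "none" }'
}

# check_xroad_listeners [NETSTAT_OUTPUT]
# Checks the proxy ports the ufw rules open; returns 0 only when every one of them
# has a listener that other hosts can reach.
check_xroad_listeners() {
  input=${1:-"$(netstat -nlpt 2>/dev/null)"}
  rc=0
  for port in 5500 5577 80 443; do
    scope=$(bind_scope "$port" "$input")
    if [ "$scope" = all ]; then
      echo "port $port: reachable from other hosts"
    else
      echo "port $port: NOT reachable from other hosts (bound: $scope)"
      rc=1
    fi
  done
  return $rc
}

check_xroad_listeners "$SAMPLE_NETSTAT" || echo "a ufw ALLOW on a loopback-only port still yields connection refused"
```

Run it with no argument on the security server itself to check the live listeners instead of the sample.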