为了使本地IP上的CentOS 7安装192.168.1.6
可以telnet
更改为另一个本地IP上的另一个CentOS 7安装,需要进行哪些具体更改192.168.1.5
?
如您所见,可以192.168.1.6
ping192.168.1.5
如下:
[root@localhost /]# ping 192.168.1.5
PING 192.168.1.5 (192.168.1.5) 56(84) bytes of data.
64 bytes from 192.168.1.5: icmp_seq=1 ttl=64 time=0.515 ms
64 bytes from 192.168.1.5: icmp_seq=2 ttl=64 time=0.565 ms
^C
--- 192.168.1.5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.515/0.540/0.565/0.025 ms
但是telnet
FROM 192.168.1.6
TO192.168.1.5
失败如下:
[root@localhost /]# telnet 192.168.1.5
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: No route to host
而telnet
从192.168.1.6
TOport 5432
时192.168.1.5
也如下失败:
[root@localhost /]# telnet 192.168.1.5:5432
telnet: 192.168.1.5:5432: Name or service not known
192.168.1.5:5432: Unknown host
[root@localhost /]#
PostgreSQL正在运行192.168.1.5
,并且应该正在接收telnet 192.168.1.5:5432
。因此,pg_hba.conf
在运行以上命令之前,我将以下行添加到了行中:
host all all 192.168.1.6/24 trust
在运行上述命令ping
并telnet
键入之前,我重新启动了PostgreSQL systemctl restart postgresql
。
同样,在运行上述命令ping
和telnet
命令之前,我还针对以下防火墙规则创建了192.168.1.5
:
[root@localhost ~]# firewall-cmd --zone=public --add-port=5432/tcp
[root@localhost ~]# firewall-cmd --permanent --zone=trusted --add-source=192.168.1.6/32
[root@localhost ~]# firewall-cmd --reload
另外,我确认PostgreSQL正在运行,port 5432
并在的终端中键入以下命令192.168.1.5
:
[root@localhost ~]# ss -l -n | grep 5432
u_str LISTEN 0 128 /var/run/postgresql/.s.PGSQL.5432 71466 * 0
u_str LISTEN 0 128 /tmp/.s.PGSQL.5432 71468 * 0
tcp LISTEN 0 128 127.0.0.1:5432 *:*
tcp LISTEN 0 128 ::1:5432 :::*
[root@localhost ~]#
根据@roaima的建议,我尝试了以下操作,但仍然无法连接:
我从192.168.1.6发送:
[root@localhost ~]# telnet 192.168.1.5 5432
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: No route to host
在192.168.1.5上,请求tcpdump
的接收端telnet
是:
[root@localhost ~]# tcpdump -i eth0 port 5432 or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:52:49.309526 IP 192.168.1.6.53328 > localhost.localdomain.postgres: Flags [S], seq 3210933916, win 29200, options [mss 1460,sackOK,TS val 629624820 ecr 0,nop,wscale 7], length 0
16:52:54.312716 ARP, Request who-has localhost.localdomain tell 192.168.1.6, length 28
16:52:54.312750 ARP, Reply localhost.localdomain is-at 52:54:00:ef:35:18 (oui Unknown), length 28
^C
3 packets captured
4 packets received by filter
0 packets dropped by kernel
同样,从192.168.1.6我仅将以下telnet发送到IP级别:
[root@localhost ~]# telnet 192.168.1.5
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: No route to host
[root@localhost ~]#
在192.168.1.5上,请求tcpdump
的接收端telnet
是:
[root@localhost ~]# tcpdump -i eth0 port 5432 or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
//THESE 2 LINES PRINTED BEFORE 2ND TELNET WAS RUN: 16:58:11.619638 ARP, Request who-has gateway tell localhost.localdomain, length 28
//THESE 2 LINES PRINTED BEFORE 2ND TELNET WAS RUN: 16:58:11.619940 ARP, Reply gateway is-at b8:ec:a3:11:74:6e (oui Unknown), length 46
16:58:35.555570 ARP, Request who-has 192.168.1.6 tell localhost.localdomain, length 28
16:58:35.555753 ARP, Reply 192.168.1.6 is-at 52:54:00:ab:31:40 (oui Unknown), length 28
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#
在上192.168.1.5
,我在一次Putty会话中输入了以下内容:
[root@localhost ~]# telnet localhost 5432
Trying ::1...
Connected to localhost.
Escape character is '^]'.
同时,在的另一项Putty会话中192.168.1.5
,我没有看到的结果tcpdump
,如下所示:
[root@localhost ~]# tcpdump -i eth0 port 5432 or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#
根据@JeffSchaller的建议,我在上运行了以下命令192.168.1.6
。请注意,这是CentOS 7,已替换netstat
为ss
,并且已替换iptables
为firewalld
:
ss -rn
产生了90行输出。您能否建议一个有意义的grep
过滤器或其他过滤器,以将输出减少到允许添加到过帐的金额?
[root@localhost ~]# iptables -Ln
iptables: No chain/target/match by that name.
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 8080/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
[root@localhost ~]#
我还在以下命令上运行了以下命令192.168.1.6
:
[root@localhost ~]# ip route
default via 192.168.1.1 dev eth0 proto static metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.6 metric 100
[root@localhost ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:ab:31:40 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.6/24 brd 192.168.1.255 scope global dynamic eth0
valid_lft 133013sec preferred_lft 133013sec
inet6 fe80::5054:ff:feab:3140/64 scope link
valid_lft forever preferred_lft forever
[root@localhost ~]#
作为一个极端的测试,我删除了两个防火墙192.168.1.5
,并192.168.1.6
通过打字yum remove firewalld
和yum remove iptables
在两台机器上。然后,我验证了这两个删除操作,如下所示:
开启192.168.1.5
:
[root@localhost ~]# systemctl status firewalld
Unit firewalld.service could not be found.
[root@localhost ~]# iptables -L -n
-bash: /sbin/iptables: No such file or directory
开启192.168.1.6
:
[root@localhost ~]# systemctl status firewalld
Unit firewalld.service could not be found.
[root@localhost ~]# iptables -L -n
-bash: /sbin/iptables: No such file or directory
接下来,我输入tcpdump -i eth0 port 5432 or arp
上192.168.1.5
,接着打字telnet 192.168.1.5 5432
上192.168.1.6
。
telnet的结果是以下拒绝消息印在192.168.1.6
:
[root@localhost ~]# telnet 192.168.1.5 5432
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: Connection refused
[root@localhost ~]#
同时,来自的呼叫的tcpdump
打印输出为:192.168.1.5
telnet
1.6
[root@localhost ~]# tcpdump -i eth0 port 5432 or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:25:11.349238 ARP, Request who-has localhost.localdomain tell gateway, length 46
10:25:11.349261 ARP, Reply localhost.localdomain is-at 52:54:00:ef:35:18 (oui Unknown), length 28
10:25:14.391222 IP 192.168.1.6.53344 > localhost.localdomain.postgres: Flags [S], seq 3043089625, win 29200, options [mss 1460,sackOK,TS val 692769902 ecr 0,nop,wscale 7], length 0
10:25:14.391265 IP localhost.localdomain.postgres > 192.168.1.6.53344: Flags [R.], seq 0, ack 3043089626, win 0, length 0
10:25:19.395578 ARP, Request who-has 192.168.1.6 tell localhost.localdomain, length 28
10:25:19.396039 ARP, Reply 192.168.1.6 is-at 52:54:00:ab:31:40 (oui Unknown), length 28
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#
为了确定PostgreSQL是否正在监听port 5432
,我在下面输入了以下两个命令192.168.1.5
:
请注意,在运行以下命令时,firewalld
和iptables
都仍被删除:
首先,我查看了pg_hba.conf
文件,192.168.1.5
发现有一个值得信赖的规则192.168.1.6
:
[root@localhost ~]# vi /var/lib/pgsql/data/pg_hba.conf
# LOTS OF # COMMENTED LINES OMITTED HERE FOR BREVITY
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
host all all 192.168.1.6/24 trust
# IPv6 local connections:
host all all ::1/128 trust
接下来,我键入以下netstat
命令192.168.1.5
以查看是否存在以下规则port 5432
:
[root@localhost ~]# netstat -anpt | grep LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 943/sshd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 25166/postgres
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1483/master
tcp6 0 0 127.0.0.1:45228 :::* LISTEN 19089/java
tcp6 0 0 127.0.0.1:8020 :::* LISTEN 14338/java
tcp6 0 0 :::7990 :::* LISTEN 19089/java
tcp6 0 0 :::22 :::* LISTEN 943/sshd
tcp6 0 0 ::1:5432 :::* LISTEN 25166/postgres
tcp6 0 0 127.0.0.1:7992 :::* LISTEN 19066/java
tcp6 0 0 ::1:7992 :::* LISTEN 19066/java
tcp6 0 0 ::1:25 :::* LISTEN 1483/master
tcp6 0 0 127.0.0.1:36122 :::* LISTEN 19089/java
tcp6 0 0 :::8095 :::* LISTEN 14338/java
tcp6 0 0 :::5701 :::* LISTEN 19089/java
[root@localhost ~]#
第一个问题是该telnet
命令使用了错误的语法。运行man telnet
将向您显示语法是这样的:
telnet <host> [<port>]
因此,在您的情况下,应运行以下命令:
telnet 192.168.1.5 5432
第二个问题是您在每台主机上都有一条防火墙规则,以防止到5432 / tcp的出站流量。(可能还有其他端口。)错误消息“没有通往主机的路由”是由具有iptables --j REJECT
的OUTPUT
链中的规则生成的--reject-with icmp-host-prohibited
。这是创建这样的规则的示例:
iptables -I OUTPUT -p tcp --dport 5432 -j REJECT --reject-with icmp-host-prohibited
这满足了路由明确存在的情况,因为ping
成功了,但是telnet
会话失败了。您自己可以使用命令进行检查iptables --line-numbers -nvL
(不是iptables -Ln
,该命令将尝试列出链的规则n
)。
确认可以真正建立流量的两个临时修复方法是
在两个系统上都运行这两个命令(您可以稍后将其替换-I
为来删除它们-D
)
iptables -I INPUT -p tcp --src 192.168.1.5/30 -j ACCEPT
iptables -I OUTPUT -p tcp --dst 192.168.1.5/30 -j ACCEPT
我(目前)还不太熟悉CentOS 7防火墙工具,无法为您提供完整的解决方案。我可以进行挖掘,或者也许其他人可能希望编辑此答案以提供该信息。
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句