假设有两台连接到无线路由器(Archer C7 v2)的计算机,并且它们是同一LAN的一部分。从计算机B ping通计算机A,但ssh,telnet,netcat失败。为什么?
一个openssh服务器实例已启动,正在侦听端口2200并运行无问题。
$netstat -ntlp | grep LISTEN
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8979 0.0.0.0:* LISTEN -
tcp 0 0 127.0.1.1:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:2200 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:29754 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:10555 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:1023 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 ::1:53 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
tcp6 0 0 :::2200 :::* LISTEN -
防火墙已禁用:
$sudo ufw status' gives
Status: inactive这是iptables -S请求的输出:
$iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ipsec+ -p 254 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -p ah -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5308 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5901 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5656 -j ACCEPT
-A INPUT -p udp -m udp --dport 5004:5005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5004:5005 -j ACCEPT
-A INPUT -p udp -m udp --dport 20830 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20830 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5062 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5062 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2001 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 9 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1533 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 52311 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000:30005 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 67:68 -j DROP
-A INPUT -p udp -m udp --dport 67:68 -j DROP
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p udp -m udp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p udp -m udp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p udp -m udp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 1:20 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
-A INPUT -p tcp -m tcp --dport 161:162 -j DROP
-A INPUT -p tcp -m tcp --dport 520 -j DROP
-A INPUT -p tcp -m tcp --dport 6348:6349 -j DROP
-A INPUT -p tcp -m tcp --dport 6345:6347 -j DROP
-A INPUT -p tcp -m limit --limit 3/min -j LOG --log-prefix "FIREWALL: " --log-level 7
-A INPUT -p udp -m limit --limit 3/min -j LOG --log-prefix "FIREWALL: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN尝试通过ssh连接将导致“操作超时消息”:
$ssh [email protected] -p 2200 -i ~/.ssh/id_rsa -vvv
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /Users/jdoe/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "192.168.0.16" port 2200
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.0.16 [192.168.0.16] port 2200.
debug1: connect to address 192.168.0.16 port 2200: Operation timed out
ssh: connect to host 192.168.0.16 port 2200: Operation timed outnetcat也超时:
$nc -w 1 -v 192.168.0.16 -z 2200
nc: connectx to 192.168.0.16 port 2200 (tcp) failed: Operation timed out但是,ping(这是一个不同的协议)可以工作:
$ping 192.168.0.16
PING 192.168.0.16 (192.168.0.16): 56 data bytes
64 bytes from 192.168.0.16: icmp_seq=0 ttl=64 time=97.027 ms
64 bytes from 192.168.0.16: icmp_seq=1 ttl=64 time=4.329 ms
64 bytes from 192.168.0.16: icmp_seq=2 ttl=64 time=2.402 ms
^C
--- 192.168.0.16 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 2.402/34.586/97.027/44.159 ms我想念什么?我怎么了
您有运行防火墙,因为iptables -S的产量约两个屏幕长。但是,将现有防火墙中的规则配置为sshd在tcp端口22上进行侦听。长话短说,解决此问题的错误方法(但对于测试和学习很有用)只是键入sudo iptables -P INPUT ACCEPT和瞧,您可以使用ssh。
之后,您最好告诉防火墙ssh正在侦听端口2200而不是22,这样您就可以做完了。可能是docker部署了自己的防火墙,因此您可以查看其配置文件,看看是否可以从那里更改sshd端口。
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句