Cannot connect to an open, allowed port on Ubuntu

I opened port 8443, on which a ClickHouse server is running. I can connect to SSH on port 22, and I can also reach 8443 through an SSH tunnel, but I cannot connect to that host normally. I am trying to connect from a Windows machine (in case that matters). I even opened the outbound port (I am fairly sure that was redundant).

I tried disabling the firewall, and then I could connect. What is the problem?

user@myhost:~/d/clickhouse$ sudo ufw status
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  
9440/tcp                   ALLOW       Anywhere                  
8443/tcp                   ALLOW       Anywhere                  
8443                       ALLOW       Anywhere                  
22/tcp (v6)                ALLOW       Anywhere (v6)             
9440/tcp (v6)              ALLOW       Anywhere (v6)             
8443 (v6)                  ALLOW       Anywhere (v6)             
8443/tcp (v6)              ALLOW       Anywhere (v6)

user@myhost:~/d/clickhouse$ sudo lsof -iTCP -sTCP:LISTEN -P
COMMAND      PID            USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
systemd-r    841 systemd-resolve   13u  IPv4   26021      0t0  TCP localhost:53 (LISTEN)
vsftpd       901            root    3u  IPv6   26299      0t0  TCP *:21 (LISTEN)
sshd        1037            root    3u  IPv4   29181      0t0  TCP *:22 (LISTEN)
sshd        1037            root    4u  IPv6   29183      0t0  TCP *:22 (LISTEN)
docker-pr  86081            root    4u  IPv6  520074      0t0  TCP *:8088 (LISTEN)
docker-pr 287023            root    4u  IPv6 1831110      0t0  TCP *:8086 (LISTEN)
docker-pr 318522            root    4u  IPv6 2109586      0t0  TCP *:9440 (LISTEN)
docker-pr 318537            root    4u  IPv6 2110806      0t0  TCP *:8443 (LISTEN)
node      354955           user   18u  IPv4 2274703      0t0  TCP localhost:34575 (LISTEN)

user@myhost:~/d/clickhouse$ netstat -an | grep "LISTEN "
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:34575         0.0.0.0:*               LISTEN     
tcp6       0      0 :::21                   :::*                    LISTEN     
tcp6       0      0 :::8086                 :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 :::8088                 :::*                    LISTEN     
tcp6       0      0 :::8443                 :::*                    LISTEN     
tcp6       0      0 :::9440                 :::*                    LISTEN 

Update:

I ran sudo tcpdump -ni eth0 port 8443 on the server, then ran nc -zv 192.168.1.58 8443 on the client machine:

user@myhost:~$ sudo tcpdump -ni eth0 port 8443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
15:05:51.368952 IP 192.168.1.70.59364 > 192.168.1.58.8443: Flags [S], seq 2263747478, win 64240, options [mss 1460,sackOK,TS val 1434934937 ecr 0,nop,wscale 7], length 0
15:05:52.380268 IP 192.168.1.70.59364 > 192.168.1.58.8443: Flags [S], seq 2263747478, win 64240, options [mss 1460,sackOK,TS val 1434935948 ecr 0,nop,wscale 7], length 0
15:05:54.460280 IP 192.168.1.70.59364 > 192.168.1.58.8443: Flags [S], seq 2263747478, win 64240, options [mss 1460,sackOK,TS val 1434938028 ecr 0,nop,wscale 7], length 0
15:05:58.540705 IP 192.168.1.70.59364 > 192.168.1.58.8443: Flags [S], seq 2263747478, win 64240, options [mss 1460,sackOK,TS val 1434942109 ecr 0,nop,wscale 7], length 0
15:06:06.940802 IP 192.168.1.70.59364 > 192.168.1.58.8443: Flags [S], seq 2263747478, win 64240, options [mss 1460,sackOK,TS val 1434950509 ecr 0,nop,wscale 7], length 0
15:06:23.581056 IP 192.168.1.70.59364 > 192.168.1.58.8443: Flags [S], seq 2263747478, win 64240, options [mss 1460,sackOK,TS val 1434967149 ecr 0,nop,wscale 7], length 0
15:06:56.221198 IP 192.168.1.70.59364 > 192.168.1.58.8443: Flags [S], seq 2263747478, win 64240, options [mss 1460,sackOK,TS val 1434999788 ecr 0,nop,wscale 7], length 0

nc shows the failure message nc: connect to 192.168.1.58 port 8443 (tcp) failed: Connection timed out

Output of sudo ufw status verbose:

user@myhost:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                  
9440/tcp                   ALLOW IN    Anywhere                  
8443/tcp                   ALLOW IN    Anywhere                  
8443                       ALLOW IN    Anywhere                  
22/tcp (v6)                ALLOW IN    Anywhere (v6)             
9440/tcp (v6)              ALLOW IN    Anywhere (v6)             
8443 (v6)                  ALLOW IN    Anywhere (v6)             
8443/tcp (v6)              ALLOW IN    Anywhere (v6)  

If the firewall is disabled, I can connect to the service:

nc -zv 192.168.1.58 8443 
Connection to 192.168.1.58 8443 port [tcp/*] succeeded!

If the firewall is disabled, I can connect to the service using the IPv4 address.

Answer 1

In the end I solved this by running the following command: sudo ufw route allow proto tcp from any to any port 8443
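Added example, not part of the question or the answer: a small Python check that parses the ufw status verbose and lsof listings quoted above and lists the Docker-published ports that have no route (ALLOW FWD) rule while the routed default is deny. It rests on the fact that an external connection to a Docker-published port is DNAT'ed to the container and then forwarded, so ufw judges it by its routed policy rather than its incoming policy; the sample text is constructed from the question's own output.

```python
import re

# Constructed from the question: trimmed 'sudo ufw status verbose' output.
UFW_STATUS = """\
Default: deny (incoming), allow (outgoing), deny (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
9440/tcp                   ALLOW IN    Anywhere
8443/tcp                   ALLOW IN    Anywhere
8443                       ALLOW IN    Anywhere
"""

# Constructed from the question: trimmed 'sudo lsof -iTCP -sTCP:LISTEN -P' output.
LSOF_LISTEN = """\
sshd        1037            root    3u  IPv4   29181      0t0  TCP *:22 (LISTEN)
docker-pr  318522            root    4u  IPv6 2109586      0t0  TCP *:9440 (LISTEN)
docker-pr  318537            root    4u  IPv6 2110806      0t0  TCP *:8443 (LISTEN)
"""

# One ufw rule line: port, optional /proto and (v6) suffix, action, direction.
RULE_RE = re.compile(r"^(\d+)(?:/\w+)?(?: \(v6\))?\s+(ALLOW|LIMIT)\s+(IN|FWD)\s")

def allowed_ports(status):
    """Map port -> set of directions ('IN', 'FWD') that carry an allow rule."""
    allowed = {}
    for line in status.splitlines():
        m = RULE_RE.match(line)
        if m:
            allowed.setdefault(int(m.group(1)), set()).add(m.group(3))
    return allowed

def docker_published_ports(lsof):
    """Ports whose listening socket belongs to docker-proxy, i.e. Docker-published."""
    return {int(m.group(1)) for line in lsof.splitlines() if line.startswith("docker-pr")
            for m in [re.search(r"TCP \S*:(\d+) \(LISTEN\)", line)] if m}

def ports_needing_route_rule(status, lsof):
    """Docker-published ports lacking an ALLOW FWD rule while routed traffic is denied.
    External connections to them are DNAT'ed and forwarded, so ALLOW IN alone does not help."""
    if "deny (routed)" not in status:
        return []
    allowed = allowed_ports(status)
    return sorted(p for p in docker_published_ports(lsof) if "FWD" not in allowed.get(p, set()))

if __name__ == "__main__":
    for port in ports_needing_route_rule(UFW_STATUS, LSOF_LISTEN):
        print(f"sudo ufw route allow proto tcp from any to any port {port}")
```

On the question's data it reports 8443 and 9440; SSH on 22 is served by sshd on the host itself, so its ALLOW IN rule is sufficient and it is not listed.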