无法远程登录到专用 IP 或端口

2024-5-29 • tag-icon

需要进行哪些具体更改，以便本地 IP 上的 CentOS 7 安装192.168.1.6可以telnet安装到另一个本地 IP 上的另一个 CentOS 7 安装192.168.1.5？

如您所见，192.168.1.6可以 PING192.168.1.5如下：

[root@localhost /]# ping 192.168.1.5
PING 192.168.1.5 (192.168.1.5) 56(84) bytes of data.
64 bytes from 192.168.1.5: icmp_seq=1 ttl=64 time=0.515 ms
64 bytes from 192.168.1.5: icmp_seq=2 ttl=64 time=0.565 ms
^C
--- 192.168.1.5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.515/0.540/0.565/0.025 ms

但telnetFROM 192.168.1.6TO192.168.1.5失败如下：

[root@localhost /]# telnet 192.168.1.5
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: No route to host

telnetFROM 192.168.1.6TO port 5432at也192.168.1.5失败，如下所示：

[root@localhost /]# telnet 192.168.1.5:5432
telnet: 192.168.1.5:5432: Name or service not known
192.168.1.5:5432: Unknown host
[root@localhost /]#

PostgreSQL 正在运行192.168.1.5，并且应该正在接收telnet 192.168.1.5:5432。因此，我在pg_hba.conf运行上述代码之前添加了以下行：

host    all    all    192.168.1.6/24    trust

在运行上述命令ping并telnet输入之前，我重新启动了 PostgreSQL systemctl restart postgresql。

同样，在运行上述命令之前ping，telnet我还在上创建了以下防火墙规则192.168.1.5：

[root@localhost ~]# firewall-cmd --zone=public --add-port=5432/tcp
[root@localhost ~]# firewall-cmd --permanent --zone=trusted --add-source=192.168.1.6/32
[root@localhost ~]# firewall-cmd --reload

另外，我确认 PostgreSQL 正在运行，port 5432在终端中输入以下命令192.168.1.5：

[root@localhost ~]# ss -l -n | grep 5432
u_str  LISTEN     0      128    /var/run/postgresql/.s.PGSQL.5432 71466                 * 0
u_str  LISTEN     0      128    /tmp/.s.PGSQL.5432 71468                 * 0
tcp    LISTEN     0      128    127.0.0.1:5432                  *:*
tcp    LISTEN     0      128     ::1:5432                 :::*
[root@localhost ~]#

@roaima的建议：

根据@roaima的建议，我尝试了以下操作，但仍然无法连接：

从 192.168.1.6，我发送了：

[root@localhost ~]# telnet 192.168.1.5 5432
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: No route to host

而在192.168.1.5上，tcpdump请求接收端的telnet为：

[root@localhost ~]# tcpdump -i eth0 port 5432 or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:52:49.309526 IP 192.168.1.6.53328 > localhost.localdomain.postgres: Flags [S], seq 3210933916, win 29200, options [mss 1460,sackOK,TS val 629624820 ecr 0,nop,wscale 7], length 0
16:52:54.312716 ARP, Request who-has localhost.localdomain tell 192.168.1.6, length 28
16:52:54.312750 ARP, Reply localhost.localdomain is-at 52:54:00:ef:35:18 (oui Unknown), length 28
^C
3 packets captured
4 packets received by filter
0 packets dropped by kernel

同样，从 192.168.1.6 我仅向 IP 级别发送以下 telnet：

[root@localhost ~]# telnet 192.168.1.5
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: No route to host
[root@localhost ~]#

而在192.168.1.5上，tcpdump请求接收端的telnet为：

[root@localhost ~]# tcpdump -i eth0 port 5432 or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
//THESE 2 LINES PRINTED BEFORE 2ND TELNET WAS RUN: 16:58:11.619638 ARP, Request who-has gateway tell localhost.localdomain, length 28
//THESE 2 LINES PRINTED BEFORE 2ND TELNET WAS RUN: 16:58:11.619940 ARP, Reply gateway is-at b8:ec:a3:11:74:6e (oui Unknown), length 46
16:58:35.555570 ARP, Request who-has 192.168.1.6 tell localhost.localdomain, length 28
16:58:35.555753 ARP, Reply 192.168.1.6 is-at 52:54:00:ab:31:40 (oui Unknown), length 28
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#

@cutrightjm 的建议：

在上192.168.1.5，我在一个 Putty 会话中输入了以下内容：

[root@localhost ~]# telnet localhost 5432
Trying ::1...
Connected to localhost.
Escape character is '^]'.

同时，在的单独 Putty 会话中192.168.1.5，我没有看到的结果tcpdump，如下所示：

[root@localhost ~]# tcpdump -i eth0 port 5432 or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#

@JeffSchaller 的建议：

根据 @JeffSchaller 的建议，我在192.168.1.6.请注意，这是 CentOS 7，它已替换netstat为ss，并且已替换iptables为firewalld：

ss -rn产生了 90 行输出。您能否建议一个有意义的grep或其他过滤器来将输出减少到允许添加到帖子中的数量？

[root@localhost ~]# iptables -Ln
iptables: No chain/target/match by that name.


[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

[root@localhost ~]#

我还在上运行了以下命令192.168.1.6：

[root@localhost ~]# ip route
default via 192.168.1.1 dev eth0  proto static  metric 100
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.6  metric 100

[root@localhost ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 52:54:00:ab:31:40 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.6/24 brd 192.168.1.255 scope global dynamic eth0
       valid_lft 133013sec preferred_lft 133013sec
    inet6 fe80::5054:ff:feab:3140/64 scope link
       valid_lft forever preferred_lft forever
[root@localhost ~]#

删除两台机器上的防火墙

作为一项极端测试，我通过在两台计算机上键入192.168.1.5和来删除两台计算机上的防火墙。然后我验证了这两个删除，如下所示： 192.168.1.6yum remove firewalldyum remove iptables

在192.168.1.5：

[root@localhost ~]# systemctl status firewalld
Unit firewalld.service could not be found.
[root@localhost ~]# iptables -L -n
-bash: /sbin/iptables: No such file or directory

在192.168.1.6：

[root@localhost ~]# systemctl status firewalld
Unit firewalld.service could not be found.
[root@localhost ~]# iptables -L -n
-bash: /sbin/iptables: No such file or directory

接下来，我输入tcpdump -i eth0 port 5432 or arp，192.168.1.5然后telnet 192.168.1.5 5432输入192.168.1.6。

telnet 的结果是打印在上的以下拒绝消息192.168.1.6：

[root@localhost ~]# telnet 192.168.1.5 5432
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: Connection refused
[root@localhost ~]#

同时，来自呼叫的tcpdump打印输出是： 192.168.1.5telnet1.6

[root@localhost ~]# tcpdump -i eth0 port 5432 or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:25:11.349238 ARP, Request who-has localhost.localdomain tell gateway, length 46
10:25:11.349261 ARP, Reply localhost.localdomain is-at 52:54:00:ef:35:18 (oui Unknown), length 28
10:25:14.391222 IP 192.168.1.6.53344 > localhost.localdomain.postgres: Flags [S], seq 3043089625, win 29200, options [mss 1460,sackOK,TS val 692769902 ecr 0,nop,wscale 7], length 0
10:25:14.391265 IP localhost.localdomain.postgres > 192.168.1.6.53344: Flags [R.], seq 0, ack 3043089626, win 0, length 0
10:25:19.395578 ARP, Request who-has 192.168.1.6 tell localhost.localdomain, length 28
10:25:19.396039 ARP, Reply 192.168.1.6 is-at 52:54:00:ab:31:40 (oui Unknown), length 28
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#

为了确定 PostgreSQL 是否正在侦听port 5432，我在上输入了以下两个命令192.168.1.5：

注意firewalldiptables运行以下命令时，两者仍然被删除：

首先，我查看了该pg_hba.conf文件，192.168.1.5发现有一条值得信任的规则192.168.1.6：

[root@localhost ~]# vi /var/lib/pgsql/data/pg_hba.conf
# LOTS OF # COMMENTED LINES OMITTED HERE FOR BREVITY
# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
host    all             all             192.168.1.6/24          trust
# IPv6 local connections:
host    all             all             ::1/128                 trust

接下来，我输入以下netstat命令来192.168.1.5查看是否有规则port 5432：

[root@localhost ~]# netstat -anpt | grep LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      943/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      25166/postgres
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1483/master
tcp6       0      0 127.0.0.1:45228         :::*                    LISTEN      19089/java
tcp6       0      0 127.0.0.1:8020          :::*                    LISTEN      14338/java
tcp6       0      0 :::7990                 :::*                    LISTEN      19089/java
tcp6       0      0 :::22                   :::*                    LISTEN      943/sshd
tcp6       0      0 ::1:5432                :::*                    LISTEN      25166/postgres
tcp6       0      0 127.0.0.1:7992          :::*                    LISTEN      19066/java
tcp6       0      0 ::1:7992                :::*                    LISTEN      19066/java
tcp6       0      0 ::1:25                  :::*                    LISTEN      1483/master
tcp6       0      0 127.0.0.1:36122         :::*                    LISTEN      19089/java
tcp6       0      0 :::8095                 :::*                    LISTEN      14338/java
tcp6       0      0 :::5701                 :::*                    LISTEN      19089/java
[root@localhost ~]#

答案1

第一个问题是您使用了错误的命令语法telnet。运行man telnet会告诉你语法是这样的：

telnet <host> [<port>]

所以在你的情况下，你应该运行这个：

telnet 192.168.1.5 5432

第二个问题是每个主机上都有防火墙规则，以防止出境流量至 5432/tcp。（可能还有其他端口。）错误消息“没有到主机的路由”是iptables --j REJECT由OUTPUT具有--reject-with icmp-host-prohibited.以下是创建此类规则的示例：

iptables -I OUTPUT -p tcp --dport 5432 -j REJECT --reject-with icmp-host-prohibited

这满足了由于成功而路由明显存在ping但会话telnet失败的情况。您自己可以使用命令iptables --line-numbers -nvL（not iptables -Ln，它尝试列出链的规则n）来检查这一点。

确认确实可以建立流量的两个临时修复是

完全禁用两个系统上的防火墙

在两个系统上运行这两个命令（您可以随后通过替换-I为删除它们-D）

iptables -I INPUT -p tcp --src 192.168.1.5/30 -j ACCEPT
iptables -I OUTPUT -p tcp --dst 192.168.1.5/30 -j ACCEPT

我（还）对 CentOS 7 防火墙工具还不够熟悉，无法为您提供完整的解决方案。我可以去挖掘，或者也许其他人可能想编辑这个答案来提供该信息。

答案1

相关内容