需要进行哪些具体更改,以便本地 IP 上的 CentOS 7 安装192.168.1.6
可以telnet
安装到另一个本地 IP 上的另一个 CentOS 7 安装192.168.1.5
?
如您所见,192.168.1.6
可以 PING192.168.1.5
如下:
[root@localhost /]# ping 192.168.1.5
PING 192.168.1.5 (192.168.1.5) 56(84) bytes of data.
64 bytes from 192.168.1.5: icmp_seq=1 ttl=64 time=0.515 ms
64 bytes from 192.168.1.5: icmp_seq=2 ttl=64 time=0.565 ms
^C
--- 192.168.1.5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.515/0.540/0.565/0.025 ms
但telnet
FROM 192.168.1.6
TO192.168.1.5
失败如下:
[root@localhost /]# telnet 192.168.1.5
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: No route to host
telnet
FROM 192.168.1.6
TO port 5432
at也192.168.1.5
失败,如下所示:
[root@localhost /]# telnet 192.168.1.5:5432
telnet: 192.168.1.5:5432: Name or service not known
192.168.1.5:5432: Unknown host
[root@localhost /]#
PostgreSQL 正在运行192.168.1.5
,并且应该正在接收telnet 192.168.1.5:5432
。因此,我在pg_hba.conf
运行上述代码之前 添加了以下行:
host all all 192.168.1.6/24 trust
在运行上述命令ping
并telnet
输入之前,我重新启动了 PostgreSQL systemctl restart postgresql
。
同样,在运行上述命令之前ping
,telnet
我还在 上创建了以下防火墙规则192.168.1.5
:
[root@localhost ~]# firewall-cmd --zone=public --add-port=5432/tcp
[root@localhost ~]# firewall-cmd --permanent --zone=trusted --add-source=192.168.1.6/32
[root@localhost ~]# firewall-cmd --reload
另外,我确认 PostgreSQL 正在运行,port 5432
在终端中输入以下命令192.168.1.5
:
[root@localhost ~]# ss -l -n | grep 5432
u_str LISTEN 0 128 /var/run/postgresql/.s.PGSQL.5432 71466 * 0
u_str LISTEN 0 128 /tmp/.s.PGSQL.5432 71468 * 0
tcp LISTEN 0 128 127.0.0.1:5432 *:*
tcp LISTEN 0 128 ::1:5432 :::*
[root@localhost ~]#
@roaima的建议:
根据@roaima的建议,我尝试了以下操作,但仍然无法连接:
从 192.168.1.6,我发送了:
[root@localhost ~]# telnet 192.168.1.5 5432
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: No route to host
而在192.168.1.5上,tcpdump
请求接收端的telnet
为:
[root@localhost ~]# tcpdump -i eth0 port 5432 or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:52:49.309526 IP 192.168.1.6.53328 > localhost.localdomain.postgres: Flags [S], seq 3210933916, win 29200, options [mss 1460,sackOK,TS val 629624820 ecr 0,nop,wscale 7], length 0
16:52:54.312716 ARP, Request who-has localhost.localdomain tell 192.168.1.6, length 28
16:52:54.312750 ARP, Reply localhost.localdomain is-at 52:54:00:ef:35:18 (oui Unknown), length 28
^C
3 packets captured
4 packets received by filter
0 packets dropped by kernel
同样,从 192.168.1.6 我仅向 IP 级别发送以下 telnet:
[root@localhost ~]# telnet 192.168.1.5
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: No route to host
[root@localhost ~]#
而在192.168.1.5上,tcpdump
请求接收端的telnet
为:
[root@localhost ~]# tcpdump -i eth0 port 5432 or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
//THESE 2 LINES PRINTED BEFORE 2ND TELNET WAS RUN: 16:58:11.619638 ARP, Request who-has gateway tell localhost.localdomain, length 28
//THESE 2 LINES PRINTED BEFORE 2ND TELNET WAS RUN: 16:58:11.619940 ARP, Reply gateway is-at b8:ec:a3:11:74:6e (oui Unknown), length 46
16:58:35.555570 ARP, Request who-has 192.168.1.6 tell localhost.localdomain, length 28
16:58:35.555753 ARP, Reply 192.168.1.6 is-at 52:54:00:ab:31:40 (oui Unknown), length 28
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#
@cutrightjm 的建议:
在 上192.168.1.5
,我在一个 Putty 会话中输入了以下内容:
[root@localhost ~]# telnet localhost 5432
Trying ::1...
Connected to localhost.
Escape character is '^]'.
同时,在 的单独 Putty 会话中192.168.1.5
,我没有看到 的结果tcpdump
,如下所示:
[root@localhost ~]# tcpdump -i eth0 port 5432 or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#
@JeffSchaller 的建议:
根据 @JeffSchaller 的建议,我在192.168.1.6
.请注意,这是 CentOS 7,它已替换netstat
为ss
,并且已替换iptables
为firewalld
:
ss -rn
产生了 90 行输出。您能否建议一个有意义的grep
或其他过滤器来将输出减少到允许添加到帖子中的数量?
[root@localhost ~]# iptables -Ln
iptables: No chain/target/match by that name.
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 8080/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
[root@localhost ~]#
我还在 上运行了以下命令192.168.1.6
:
[root@localhost ~]# ip route
default via 192.168.1.1 dev eth0 proto static metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.6 metric 100
[root@localhost ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 52:54:00:ab:31:40 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.6/24 brd 192.168.1.255 scope global dynamic eth0
valid_lft 133013sec preferred_lft 133013sec
inet6 fe80::5054:ff:feab:3140/64 scope link
valid_lft forever preferred_lft forever
[root@localhost ~]#
删除两台机器上的防火墙
作为一项极端测试,我通过在两台计算机上键入192.168.1.5
和来删除两台计算机上的防火墙。然后我验证了这两个删除,如下所示: 192.168.1.6
yum remove firewalld
yum remove iptables
在192.168.1.5
:
[root@localhost ~]# systemctl status firewalld
Unit firewalld.service could not be found.
[root@localhost ~]# iptables -L -n
-bash: /sbin/iptables: No such file or directory
在192.168.1.6
:
[root@localhost ~]# systemctl status firewalld
Unit firewalld.service could not be found.
[root@localhost ~]# iptables -L -n
-bash: /sbin/iptables: No such file or directory
接下来,我输入tcpdump -i eth0 port 5432 or arp
,192.168.1.5
然后telnet 192.168.1.5 5432
输入192.168.1.6
。
telnet 的结果是打印在 上的以下拒绝消息192.168.1.6
:
[root@localhost ~]# telnet 192.168.1.5 5432
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: Connection refused
[root@localhost ~]#
同时,来自呼叫的tcpdump
打印输出是: 192.168.1.5
telnet
1.6
[root@localhost ~]# tcpdump -i eth0 port 5432 or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:25:11.349238 ARP, Request who-has localhost.localdomain tell gateway, length 46
10:25:11.349261 ARP, Reply localhost.localdomain is-at 52:54:00:ef:35:18 (oui Unknown), length 28
10:25:14.391222 IP 192.168.1.6.53344 > localhost.localdomain.postgres: Flags [S], seq 3043089625, win 29200, options [mss 1460,sackOK,TS val 692769902 ecr 0,nop,wscale 7], length 0
10:25:14.391265 IP localhost.localdomain.postgres > 192.168.1.6.53344: Flags [R.], seq 0, ack 3043089626, win 0, length 0
10:25:19.395578 ARP, Request who-has 192.168.1.6 tell localhost.localdomain, length 28
10:25:19.396039 ARP, Reply 192.168.1.6 is-at 52:54:00:ab:31:40 (oui Unknown), length 28
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#
为了确定 PostgreSQL 是否正在侦听port 5432
,我在 上输入了以下两个命令192.168.1.5
:
注意firewalld
iptables
运行以下命令时,两者仍然被删除:
首先,我查看了该pg_hba.conf
文件,192.168.1.5
发现有一条值得信任的规则192.168.1.6
:
[root@localhost ~]# vi /var/lib/pgsql/data/pg_hba.conf
# LOTS OF # COMMENTED LINES OMITTED HERE FOR BREVITY
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
host all all 192.168.1.6/24 trust
# IPv6 local connections:
host all all ::1/128 trust
接下来,我输入以下netstat
命令来192.168.1.5
查看是否有规则port 5432
:
[root@localhost ~]# netstat -anpt | grep LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 943/sshd
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 25166/postgres
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1483/master
tcp6 0 0 127.0.0.1:45228 :::* LISTEN 19089/java
tcp6 0 0 127.0.0.1:8020 :::* LISTEN 14338/java
tcp6 0 0 :::7990 :::* LISTEN 19089/java
tcp6 0 0 :::22 :::* LISTEN 943/sshd
tcp6 0 0 ::1:5432 :::* LISTEN 25166/postgres
tcp6 0 0 127.0.0.1:7992 :::* LISTEN 19066/java
tcp6 0 0 ::1:7992 :::* LISTEN 19066/java
tcp6 0 0 ::1:25 :::* LISTEN 1483/master
tcp6 0 0 127.0.0.1:36122 :::* LISTEN 19089/java
tcp6 0 0 :::8095 :::* LISTEN 14338/java
tcp6 0 0 :::5701 :::* LISTEN 19089/java
[root@localhost ~]#
答案1
第一个问题是您使用了错误的命令语法telnet
。运行man telnet
会告诉你语法是这样的:
telnet <host> [<port>]
所以在你的情况下,你应该运行这个:
telnet 192.168.1.5 5432
第二个问题是每个主机上都有防火墙规则,以防止出境流量至 5432/tcp。 (可能还有其他端口。)错误消息“没有到主机的路由”是iptables --j REJECT
由OUTPUT
具有--reject-with icmp-host-prohibited
.以下是创建此类规则的示例:
iptables -I OUTPUT -p tcp --dport 5432 -j REJECT --reject-with icmp-host-prohibited
这满足了由于成功而路由明显存在ping
但会话telnet
失败的情况。您自己可以使用命令iptables --line-numbers -nvL
(not iptables -Ln
,它尝试列出链的规则n
)来检查这一点。
确认确实可以建立流量的两个临时修复是
- 完全禁用两个系统上的防火墙
在两个系统上运行这两个命令(您可以随后通过替换
-I
为删除它们-D
)iptables -I INPUT -p tcp --src 192.168.1.5/30 -j ACCEPT iptables -I OUTPUT -p tcp --dst 192.168.1.5/30 -j ACCEPT
我(还)对 CentOS 7 防火墙工具还不够熟悉,无法为您提供完整的解决方案。我可以去挖掘,或者也许其他人可能想编辑这个答案来提供该信息。