I have two CentOS 7.2 servers. One machine's IP is 10.104.196.18, the other machine's IP is 10.240.197.21. I can successfully ssh from 10.104.196.18 to 10.240.197.21, but I cannot ssh from 10.240.197.21 to 10.104.196.18.
The ssh log is as follows:
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.104.196.18 [10.104.196.18] port 6990.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug3: Incorrect RSA1 identifier
debug3: Could not load "/root/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
The sshd log is as follows:
[root@localhost ~]# /usr/sbin/sshd -dD -p 10000
debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: key_parse_private2: missing begin marker
debug1: read PEM private key done: type ECDSA
debug1: private host key: #1 type 3 ECDSA
debug1: private host key: #2 type 4 ED25519
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-dD'
debug1: rexec_argv[2]='-p'
debug1: rexec_argv[3]='10000'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 10000 on 0.0.0.0.
Server listening on 0.0.0.0 port 10000.
debug1: Bind to port 10000 on ::.
Server listening on :: port 10000.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 10.96.203.72 port 49845 on 10.240.197.21 port 10000
So apparently both the client and the server are waiting to exchange identification. Packet analysis with tcpdump confirmed this.
tcpdump from 10.240.197.21
[root@localhost ~]# tcpdump -i enp22s0f3 host 10.104.196.18 -s0 -vv -X -c 1000
tcpdump: listening on enp22s0f3, link-type EN10MB (Ethernet), capture size 65535 bytes
13:22:37.402757 IP (tos 0x0, ttl 64, id 25620, offset 0, flags [DF], proto TCP (6), length 60)
localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [S], cksum 0x9eae (incorrect -> 0x290b), seq 2201485227, win 29200, options [mss 1460,sackOK,TS val 300522431 ecr 0,nop,wscale 7], length 0
0x0000: 4500 003c 6414 4000 4006 3828 0af0 c515 E..<d.@.@.8(....
0x0010: 0a68 c412 ddc2 0016 8337 ffab 0000 0000 .h.......7......
0x0020: a002 7210 9eae 0000 0204 05b4 0402 080a ..r.............
0x0030: 11e9 9bbf 0000 0000 0103 0307 ............
13:22:37.403162 IP (tos 0x0, ttl 60, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.104.196.18.ssh > localhost.localdomain.56770: Flags [S.], cksum 0x2b22 (correct), seq 4104511511, ack 2201485228, win 28960, options [mss 1460,sackOK,TS val 312416107 ecr 300522431,nop,wscale 7], length 0
0x0000: 4500 003c 0000 4000 3c06 a03c 0a68 c412 E..<..@.<..<.h..
0x0010: 0af0 c515 0016 ddc2 f4a5 e017 8337 ffac .............7..
0x0020: a012 7120 2b22 0000 0204 05b4 0402 080a ..q.+"..........
0x0030: 129f 176b 11e9 9bbf 0103 0307 ...k........
13:22:37.403219 IP (tos 0x0, ttl 64, id 25621, offset 0, flags [DF], proto TCP (6), length 52)
localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [.], cksum 0x9ea6 (incorrect -> 0xca29), seq 1, ack 1, win 229, options [nop,nop,TS val 300522431 ecr 312416107], length 0
0x0000: 4500 0034 6415 4000 4006 382f 0af0 c515 E..4d.@.@.8/....
0x0010: 0a68 c412 ddc2 0016 8337 ffac f4a5 e018 .h.......7......
0x0020: 8010 00e5 9ea6 0000 0101 080a 11e9 9bbf ................
0x0030: 129f 176b ...k
13:22:37.403801 IP (tos 0x0, ttl 64, id 25622, offset 0, flags [DF], proto TCP (6), length 75)
localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xd432), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300522432 ecr 312416107], length 23
0x0000: 4500 004b 6416 4000 4006 3817 0af0 c515 E..Kd.@.@.8.....
0x0010: 0a68 c412 ddc2 0016 8337 ffac f4a5 e018 .h.......7......
0x0020: 8018 00e5 9ebd 0000 0101 080a 11e9 9bc0 ................
0x0030: 129f 176b 5353 482d 322e 302d 4f70 656e ...kSSH-2.0-Open
0x0040: 5353 485f 362e 362e 310d 0a SSH_6.6.1..
13:22:37.604502 IP (tos 0x0, ttl 64, id 25623, offset 0, flags [DF], proto TCP (6), length 75)
localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xd369), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300522633 ecr 312416107], length 23
0x0000: 4500 004b 6417 4000 4006 3816 0af0 c515 E..Kd.@.@.8.....
0x0010: 0a68 c412 ddc2 0016 8337 ffac f4a5 e018 .h.......7......
0x0020: 8018 00e5 9ebd 0000 0101 080a 11e9 9c89 ................
0x0030: 129f 176b 5353 482d 322e 302d 4f70 656e ...kSSH-2.0-Open
0x0040: 5353 485f 362e 362e 310d 0a SSH_6.6.1..
13:22:37.808499 IP (tos 0x0, ttl 64, id 25624, offset 0, flags [DF], proto TCP (6), length 75)
localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xd29d), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300522837 ecr 312416107], length 23
0x0000: 4500 004b 6418 4000 4006 3815 0af0 c515 E..Kd.@.@.8.....
0x0010: 0a68 c412 ddc2 0016 8337 ffac f4a5 e018 .h.......7......
0x0020: 8018 00e5 9ebd 0000 0101 080a 11e9 9d55 ...............U
0x0030: 129f 176b 5353 482d 322e 302d 4f70 656e ...kSSH-2.0-Open
0x0040: 5353 485f 362e 362e 310d 0a SSH_6.6.1..
13:22:38.217526 IP (tos 0x0, ttl 64, id 25625, offset 0, flags [DF], proto TCP (6), length 75)
localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xd104), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300523246 ecr 312416107], length 23
0x0000: 4500 004b 6419 4000 4006 3814 0af0 c515 E..Kd.@.@.8.....
0x0010: 0a68 c412 ddc2 0016 8337 ffac f4a5 e018 .h.......7......
0x0020: 8018 00e5 9ebd 0000 0101 080a 11e9 9eee ................
0x0030: 129f 176b 5353 482d 322e 302d 4f70 656e ...kSSH-2.0-Open
0x0040: 5353 485f 362e 362e 310d 0a SSH_6.6.1..
13:22:39.035515 IP (tos 0x0, ttl 64, id 25626, offset 0, flags [DF], proto TCP (6), length 75)
localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xcdd2), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300524064 ecr 312416107], length 23
0x0000: 4500 004b 641a 4000 4006 3813 0af0 c515 E..Kd.@.@.8.....
0x0010: 0a68 c412 ddc2 0016 8337 ffac f4a5 e018 .h.......7......
0x0020: 8018 00e5 9ebd 0000 0101 080a 11e9 a220 ................
0x0030: 129f 176b 5353 482d 322e 302d 4f70 656e ...kSSH-2.0-Open
0x0040: 5353 485f 362e 362e 310d 0a SSH_6.6.1..
13:22:40.671529 IP (tos 0x0, ttl 64, id 25627, offset 0, flags [DF], proto TCP (6), length 75)
localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xc76e), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300525700 ecr 312416107], length 23
0x0000: 4500 004b 641b 4000 4006 3812 0af0 c515 E..Kd.@.@.8.....
0x0010: 0a68 c412 ddc2 0016 8337 ffac f4a5 e018 .h.......7......
0x0020: 8018 00e5 9ebd 0000 0101 080a 11e9 a884 ................
0x0030: 129f 176b 5353 482d 322e 302d 4f70 656e ...kSSH-2.0-Open
0x0040: 5353 485f 362e 362e 310d 0a SSH_6.6.1..
13:22:43.947534 IP (tos 0x0, ttl 64, id 25628, offset 0, flags [DF], proto TCP (6), length 75)
localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xbaa2), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300528976 ecr 312416107], length 23
0x0000: 4500 004b 641c 4000 4006 3811 0af0 c515 E..Kd.@.@.8.....
0x0010: 0a68 c412 ddc2 0016 8337 ffac f4a5 e018 .h.......7......
0x0020: 8018 00e5 9ebd 0000 0101 080a 11e9 b550 ...............P
0x0030: 129f 176b 5353 482d 322e 302d 4f70 656e ...kSSH-2.0-Open
0x0040: 5353 485f 362e 362e 310d 0a SSH_6.6.1..
13:22:50.491548 IP (tos 0x0, ttl 64, id 25629, offset 0, flags [DF], proto TCP (6), length 75)
localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0xa112), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300535520 ecr 312416107], length 23
0x0000: 4500 004b 641d 4000 4006 3810 0af0 c515 E..Kd.@.@.8.....
0x0010: 0a68 c412 ddc2 0016 8337 ffac f4a5 e018 .h.......7......
0x0020: 8018 00e5 9ebd 0000 0101 080a 11e9 cee0 ................
0x0030: 129f 176b 5353 482d 322e 302d 4f70 656e ...kSSH-2.0-Open
0x0040: 5353 485f 362e 362e 310d 0a SSH_6.6.1..
13:23:03.579533 IP (tos 0x0, ttl 64, id 25630, offset 0, flags [DF], proto TCP (6), length 75)
localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0x6df2), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300548608 ecr 312416107], length 23
0x0000: 4500 004b 641e 4000 4006 380f 0af0 c515 E..Kd.@.@.8.....
0x0010: 0a68 c412 ddc2 0016 8337 ffac f4a5 e018 .h.......7......
0x0020: 8018 00e5 9ebd 0000 0101 080a 11ea 0200 ................
0x0030: 129f 176b 5353 482d 322e 302d 4f70 656e ...kSSH-2.0-Open
0x0040: 5353 485f 362e 362e 310d 0a SSH_6.6.1..
13:23:29.755543 IP (tos 0x0, ttl 64, id 25631, offset 0, flags [DF], proto TCP (6), length 75)
localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0x07b2), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300574784 ecr 312416107], length 23
0x0000: 4500 004b 641f 4000 4006 380e 0af0 c515 E..Kd.@.@.8.....
0x0010: 0a68 c412 ddc2 0016 8337 ffac f4a5 e018 .h.......7......
0x0020: 8018 00e5 9ebd 0000 0101 080a 11ea 6840 ..............h@
0x0030: 129f 176b 5353 482d 322e 302d 4f70 656e ...kSSH-2.0-Open
0x0040: 5353 485f 362e 362e 310d 0a SSH_6.6.1..
13:24:22.171532 IP (tos 0x0, ttl 64, id 25632, offset 0, flags [DF], proto TCP (6), length 75)
localhost.localdomain.56770 > 10.104.196.18.ssh: Flags [P.], cksum 0x9ebd (incorrect -> 0x3af1), seq 1:24, ack 1, win 229, options [nop,nop,TS val 300627200 ecr 312416107], length 23
0x0000: 4500 004b 6420 4000 4006 380d 0af0 c515 E..Kd.@.@.8.....
0x0010: 0a68 c412 ddc2 0016 8337 ffac f4a5 e018 .h.......7......
0x0020: 8018 00e5 9ebd 0000 0101 080a 11eb 3500 ..............5.
0x0030: 129f 176b 5353 482d 322e 302d 4f70 656e ...kSSH-2.0-Open
0x0040: 5353 485f 362e 362e 310d 0a SSH_6.6.1..
tcpdump from 10.104.196.18
01:22:37.400147 IP 10.240.197.21.56770 > localhost.localdomain.ssh: Flags [S], seq 2201485227, win 29200, options [mss 1460,sackOK,TS val 300522431 ecr 0,nop,wscale 7], length 0
01:22:37.400219 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [S.], seq 4104511511, ack 2201485228, win 28960, options [mss 1460,sackOK,TS val 312416107 ecr 300522431,nop,wscale 7], length 0
01:22:37.400476 IP 10.240.197.21.56770 > localhost.localdomain.ssh: Flags [.], ack 1, win 229, options [nop,nop,TS val 300522431 ecr 312416107], length 0
01:22:37.426399 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312416133 ecr 300522431], length 23
01:22:37.626271 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312416333 ecr 300522431], length 23
01:22:37.831584 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312416538 ecr 300522431], length 23
01:22:38.242549 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312416949 ecr 300522431], length 23
01:22:39.065132 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312417772 ecr 300522431], length 23
01:22:40.709282 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312419416 ecr 300522431], length 23
01:22:43.997804 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312422704 ecr 300522431], length 23
01:22:50.574310 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312429281 ecr 300522431], length 23
01:23:03.725361 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312442432 ecr 300522431], length 23
01:23:30.029758 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312468736 ecr 300522431], length 23
I also disabled both firewalls with a script like this:
systemctl stop firewalld
systemctl disable firewalld
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -t security -F
iptables -t security -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
The result looks good:
[root@localhost examples]# ~/disable_firewall.sh
[root@localhost examples]# iptables-save
# Generated by iptables-save v1.4.21 on Sat Oct 14 13:08:28 2017
*security
:INPUT ACCEPT [220:24998]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [109:12506]
COMMIT
# Completed on Sat Oct 14 13:08:28 2017
# Generated by iptables-save v1.4.21 on Sat Oct 14 13:08:28 2017
*raw
:PREROUTING ACCEPT [692:70796]
:OUTPUT ACCEPT [109:12506]
COMMIT
# Completed on Sat Oct 14 13:08:28 2017
# Generated by iptables-save v1.4.21 on Sat Oct 14 13:08:28 2017
*mangle
:PREROUTING ACCEPT [692:70796]
:INPUT ACCEPT [220:24998]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [109:12506]
:POSTROUTING ACCEPT [109:12506]
COMMIT
# Completed on Sat Oct 14 13:08:28 2017
# Generated by iptables-save v1.4.21 on Sat Oct 14 13:08:28 2017
*nat
:PREROUTING ACCEPT [395:43515]
:INPUT ACCEPT [32:7088]
:OUTPUT ACCEPT [17:1020]
:POSTROUTING ACCEPT [17:1020]
COMMIT
# Completed on Sat Oct 14 13:08:28 2017
# Generated by iptables-save v1.4.21 on Sat Oct 14 13:08:28 2017
*filter
:INPUT ACCEPT [220:24998]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [109:12506]
COMMIT
And both sides can successfully ping each other. So I am confused as to why packets are lost in only one direction.
Answer 1
Looking at your capture, the TCP three-way handshake completes fine. The packet the server sends after the three-way handshake contains the version string announcement, which in your case is:
SSH-2.0-OpenSSH_6.6.1
This packet never reaches the client. This may indicate that an application firewall is silently dropping the session after classifying the TCP session as SSH (also note that an application firewall can operate in one direction only).
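The reading given in this answer (handshake completes, first payload segment is retransmitted and never acknowledged) can be checked mechanically against a capture. The following is an added example, not code from the question or the answer: it parses compact tcpdump summary lines like the 10.104.196.18 capture above (the two-line -vv form with hex dump is not handled) and reports payload segments sent without the peer ever acknowledging them. The sample lines are the first six lines of that server-side capture.

```python
import re
from collections import Counter

# Compact tcpdump summary line (IPv4, no -X hex dump), as in the server-side
# capture in the question. Lines that do not match are skipped.
LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]*)\],"
    r"(?: seq (?P<seq>\d+)(?::(?P<end>\d+))?,)?(?: ack (?P<ack>\d+),)?.*length (?P<len>\d+)$"
)

# Sample input: first six lines of the 10.104.196.18 capture from the question.
SAMPLE = """\
01:22:37.400147 IP 10.240.197.21.56770 > localhost.localdomain.ssh: Flags [S], seq 2201485227, win 29200, options [mss 1460,sackOK,TS val 300522431 ecr 0,nop,wscale 7], length 0
01:22:37.400219 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [S.], seq 4104511511, ack 2201485228, win 28960, options [mss 1460,sackOK,TS val 312416107 ecr 300522431,nop,wscale 7], length 0
01:22:37.400476 IP 10.240.197.21.56770 > localhost.localdomain.ssh: Flags [.], ack 1, win 229, options [nop,nop,TS val 300522431 ecr 312416107], length 0
01:22:37.426399 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312416133 ecr 300522431], length 23
01:22:37.626271 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312416333 ecr 300522431], length 23
01:22:37.831584 IP localhost.localdomain.ssh > 10.240.197.21.56770: Flags [P.], seq 1:24, ack 1, win 227, options [nop,nop,TS val 312416538 ecr 300522431], length 23
""".splitlines()


def triage(lines):
    """Report whether the 3-way handshake completed and which payload segments
    were sent (possibly many times) without the peer ever acknowledging them."""
    pkts = [m.groupdict() for m in map(LINE.match, lines) if m]
    syn = next((p for p in pkts if p["flags"] == "S"), None)
    if syn is None:
        return {"handshake": False, "unacked": []}
    client, server = syn["src"], syn["dst"]
    saw_synack = any(p["flags"] == "S." and p["src"] == server for p in pkts)
    saw_ack = any(p["flags"] == "." and p["src"] == client and p["ack"] for p in pkts)
    # Highest ACK number each endpoint has received. tcpdump switches to
    # relative numbers after the SYN exchange, so SYN/SYN-ACK are excluded.
    highest_ack = {}
    for p in pkts:
        if p["ack"] and "S" not in p["flags"]:
            highest_ack[p["dst"]] = max(highest_ack.get(p["dst"], 0), int(p["ack"]))
    # Same (source, seq range) seen more than once means retransmission.
    sent = Counter()
    for p in pkts:
        if int(p["len"]) > 0:
            end = int(p["end"] or p["seq"])
            sent[(p["src"], f'{p["seq"]}:{end}', end)] += 1
    unacked = [(src, rng, n) for (src, rng, end), n in sent.items()
               if end > highest_ack.get(src, 0)]
    return {"handshake": saw_synack and saw_ack, "client": client,
            "server": server, "unacked": unacked}
```

Running `triage(SAMPLE)` reports a completed handshake and the server's `1:24` segment (the 23-byte version string) sent three times with no acknowledgement, the signature of a filter that lets the handshake through and then black-holes the session.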