How do I open a filtered port

Somehow I keep breaking ssh on my ubuntu server, and I don't understand why. My ddns is set to myserver.asuscomm.com, and the ports are forwarded on my router. One of them works fine, but when I connect via the ddns, the other two show the port as filtered. When I connect from the same network, the port is open.

Could this be some setting on my router? Suppose the ssh port is 22100. `netstat -tlpn` shows sshd listening on this port, and if I run `sudo ufw status` I can see that I allow traffic from anywhere.

From the same network:

nmap -Pn -p 22100 192.168.50.x
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-01 10:13 CDT
Nmap scan report for 192.168.50.x
Host is up (0.00075s latency).

PORT      STATE SERVICE
22100/tcp open  optohost003

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

From the ddns, off-network:

nmap -p 22100 myserver.asuscomm.com
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-01 10:14 CDT
Nmap scan report for myserver.asuscomm.com (x.y.z.123)
Host is up (0.025s latency).
rDNS record for x.y.z.123: c-x-y-z-123.abc.state.isp.net

PORT      STATE    SERVICE
22100/tcp filtered optohost003

Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds

For this particular server, it also says the host is down when I do a standard nmap, so I had to add the `-Pn` flag. The other server has the same problem, but nmap works on it without `-Pn`.

Does anyone know how I can fix this? These ports are all forwarded on my Asus router, and I don't know what other settings I could change. Should I try ssh on a different port?


Edit: output of `netstat -nlp` (port 22100 is my ssh)

tcp        0      0 127.0.0.1:32401         0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22100           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:32600         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:41113         0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:44935         0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.50.7:27017      0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::32400                :::*                    LISTEN      -
tcp6       0      0 :::22100                :::*                    LISTEN      -
tcp6       0      0 :::445                  :::*                    LISTEN      -
tcp6       0      0 :::139                  :::*                    LISTEN      -
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -
udp        0      0 192.168.50.7:68         0.0.0.0:*                           -
udp        0      0 172.17.255.255:137      0.0.0.0:*                           -
udp        0      0 172.17.0.1:137          0.0.0.0:*                           -
udp        0      0 192.168.50.255:137      0.0.0.0:*                           -
udp        0      0 192.168.50.7:137        0.0.0.0:*                           -
udp        0      0 0.0.0.0:137             0.0.0.0:*                           -
udp        0      0 172.17.255.255:138      0.0.0.0:*                           -
udp        0      0 172.17.0.1:138          0.0.0.0:*                           -
udp        0      0 192.168.50.255:138      0.0.0.0:*                           -
udp        0      0 192.168.50.7:138        0.0.0.0:*                           -
udp        0      0 0.0.0.0:138             0.0.0.0:*                           -
udp        0      0 127.0.0.1:33564         0.0.0.0:*                           -
udp        0      0 0.0.0.0:46034           0.0.0.0:*                           -
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -
udp        0      0 127.0.0.1:42818         0.0.0.0:*                           -
udp        0      0 0.0.0.0:51011           0.0.0.0:*                           -
udp        0      0 0.0.0.0:1901            0.0.0.0:*                           -
udp        0      0 192.168.50.7:38951      0.0.0.0:*                           -
udp        0      0 0.0.0.0:40101           0.0.0.0:*                           -
udp        0      0 0.0.0.0:32410           0.0.0.0:*                           -
udp        0      0 0.0.0.0:32412           0.0.0.0:*                           -
udp        0      0 0.0.0.0:32413           0.0.0.0:*                           -
udp        0      0 0.0.0.0:32414           0.0.0.0:*                           -
udp        0      0 192.168.50.7:57195      0.0.0.0:*                           -
udp        0      0 192.168.50.7:57254      0.0.0.0:*                           -
udp6       0      0 :::49275                :::*                                -
udp6       0      0 :::5353                 :::*                                -
raw6       0      0 :::58                   :::*                    7           -

Output of `sudo iptables -nvL`:

Chain INPUT (policy DROP 4793 packets, 1589K bytes)
 pkts bytes target     prot opt in     out     source               destination
 666K  472M ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 666K  472M ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 262K   63M ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 155K   51M ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 155K   51M ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 155K   51M ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-USER  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DOCKER-ISOLATION-STAGE-1  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0
    0     0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 212K   16M ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 212K   16M ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
44581 3006K ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
44581 3006K ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
44581 3006K ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
44581 3006K ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER-ISOLATION-STAGE-2  all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      docker0  0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-after-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  326 26112 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:137
  730  180K ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:138
    2    88 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:139
    2    88 ufw-skip-to-policy-input  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445
   27  8992 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ufw-skip-to-policy-input  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
 106K   11M ufw-skip-to-policy-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
 4337 1529K LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-after-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ufw-user-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
40237 2361K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 308K  387M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
 318K   82M ufw-not-local  all  --  *      *       0.0.0.0/0            0.0.0.0/0
 1987  325K ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251          udp dpt:5353
53945   19M ACCEPT     udp  --  *      *       0.0.0.0/0            239.255.255.250      udp dpt:1900
 262K   63M ufw-user-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-logging-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-logging-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-before-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
40237 2361K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
 128K   11M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
44581 3006K ufw-user-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID limit: avg 3/min burst 10
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
 pkts bytes target     prot opt in     out     source               destination
 151K   51M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL
60270   19M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
 107K   12M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 ufw-logging-deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 10
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-reject-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-reject-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-input (7 references)
 pkts bytes target     prot opt in     out     source               destination
 107K   12M DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-track-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-input (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-track-output (1 references)
 pkts bytes target     prot opt in     out     source               destination
  173 10348 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW
44407 2995K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW

Chain ufw-user-forward (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       73.6.251.121         0.0.0.0/0            tcp dpt:27017
    0     0 ACCEPT     udp  --  *      *       73.6.251.121         0.0.0.0/0            udp dpt:27017
   53  2812 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22001
    6   360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22000
    3   132 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
    6   344 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22100

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-output (1 references)
 pkts bytes target     prot opt in     out     source               destination

iptables -t nat -nvL:

Chain PREROUTING (policy ACCEPT 35687 packets, 8678K bytes)
 pkts bytes target     prot opt in     out     source               destination
 4099 1364K DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 6440 packets, 1931K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3131 packets, 314K bytes)
 pkts bytes target     prot opt in     out     source               destination
    1   278 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 3131 packets, 314K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0

iptables -t mangle -nvL:

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Another edit: besides this, I finally checked /var/log/syslog and noticed something interesting: ufw is blocking connections from my router to the server.

Oct  1 16:36:00 user kernel: [   71.994434] [UFW BLOCK] IN=eth0 OUT= MAC=mac_address_here SRC=192.168.50.1 DST=192.168.50.7 LEN=386 TOS=0x00 PREC=0x00 TTL=64 ID=49481 PROTO=UDP SPT=1900 DPT=56241 LEN=366 

I set ufw to allow traffic to and from 192.168.50.1, but no dice. Hmm...
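As an added example, not part of the question or the answer: a small Python parser for the `[UFW BLOCK]` kernel log lines quoted in the last edit, so that the packets ufw is actually dropping can be pulled out of syslog and filtered by the port being debugged. The log lines embedded below are constructed for the example (the first is the one from the question, with its MAC placeholder kept; the other two are made up, and the `sshd` line is there only to show that non-ufw lines are ignored).

```python
import re
from collections import Counter

# Constructed sample of /var/log/syslog. Line 1 is the [UFW BLOCK] entry from the
# question; lines 2-3 are invented for this example (203.0.113.9 is a
# documentation address).
SAMPLE_SYSLOG = """\
Oct  1 16:36:00 user kernel: [   71.994434] [UFW BLOCK] IN=eth0 OUT= MAC=mac_address_here SRC=192.168.50.1 DST=192.168.50.7 LEN=386 TOS=0x00 PREC=0x00 TTL=64 ID=49481 PROTO=UDP SPT=1900 DPT=56241 LEN=366
Oct  1 16:36:05 user kernel: [   76.120001] [UFW BLOCK] IN=eth0 OUT= MAC=mac_address_here SRC=203.0.113.9 DST=192.168.50.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51234 DPT=22100 WINDOW=65535 RES=0x00 SYN URGP=0
Oct  1 16:36:07 user sshd[1234]: Accepted publickey for alice from 192.168.50.20 port 50000 ssh2
"""

UFW_BLOCK_RE = re.compile(r"\[UFW BLOCK\] (?P<fields>.*)$")


def parse_ufw_block(line):
    """Return a dict of KEY=VALUE fields from one [UFW BLOCK] line, or None.

    Bare tokens without '=' (DF, SYN, ...) are collected under 'FLAGS'.
    """
    m = UFW_BLOCK_RE.search(line)
    if not m:
        return None
    fields, flags = {}, []
    for token in m.group("fields").split():
        if "=" in token:
            k, _, v = token.partition("=")
            fields.setdefault(k, v)  # LEN appears twice; keep the IP-header one
        else:
            flags.append(token)
    fields["FLAGS"] = flags
    return fields


def blocked_to_port(syslog_text, port):
    """Return the [UFW BLOCK] records whose destination port is `port`."""
    hits = []
    for line in syslog_text.splitlines():
        rec = parse_ufw_block(line)
        if rec and rec.get("DPT") == str(port):
            hits.append(rec)
    return hits


def summarize(syslog_text):
    """Count blocked packets by (PROTO, SRC, DPT) to see what is really dropped."""
    counts = Counter()
    for line in syslog_text.splitlines():
        rec = parse_ufw_block(line)
        if rec:
            counts[(rec.get("PROTO"), rec.get("SRC"), rec.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_SYSLOG).items():
        print(f"{n:4d}  proto={key[0]} src={key[1]} dpt={key[2]}")
    for rec in blocked_to_port(SAMPLE_SYSLOG, 22100):
        print("dropped SSH attempt:", rec["SRC"], rec["SPT"], "->", rec["DPT"], rec["FLAGS"])
```

Running it against a real syslog (`summarize(open("/var/log/syslog").read())`) shows at a glance whether any dropped packet carries the port under investigation as `DPT`; a drop with `SPT=1900` to a high `DPT`, as in the quoted line, is a different conversation from an inbound connection to the SSH port.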

Answer 1

Let's assume that myserver.asuscomm.com really does point to your server's router, and that your router is correctly forwarding the port to the server.

A service can be listening and active on the loopback or LAN address but be unavailable elsewhere. This would seem to explain what you are seeing.

So you need to look at,

  • what is listening on the port
  • which interfaces/addresses those services are listening on
  • which firewall rules you have implemented
  • which application-level connection rules you have implemented

The first two of these can be seen with a command such as `netstat -nlp`. You provided these details in your question:

Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22100  0.0.0.0:*        LISTEN  -
tcp6       0      0 :::22100       :::*             LISTEN  -

These confirm that the service on port 22100 is listening for any inbound traffic on all interfaces (0.0.0.0 and ::).

Firewall rules implemented with iptables can be inspected with the following commands (if you are using nftables I can't help you directly):

iptables -nvL
iptables -t nat -nvL
iptables -t mangle -nvL

Looking at the output you added to the question, I can see an ACCEPT rule in the UFW firewall rule set that allows inbound TCP traffic to port 22100:

Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
  […]
    6   344 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22100

Application-level connection rules are usually defined in /etc/hosts.allow and/or /etc/hosts.deny, but can also be found in application-specific configuration files (e.g. /etc/ssh/sshd_config).

I don't see anything wrong with the server setup here, so I would double-check that,

  • you are connecting from outside to the correct IP address using the correct port (some of your examples show port 1234, others show port 22100)
  • your ISP allows inbound TCP/IP traffic on this port
  • your router's port forwarding really is set up correctly

Incidentally, you may have a terminology problem. "When I connect from the ddns" doesn't really make sense. You can't connect "from" DDNS, because it is just a service that translates a domain name into a (dynamic) IP address. I think you mean "when I connect from outside the network to the IP address resolved via DDNS".
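The first three checks in the answer (what is listening, on which addresses, and whether the firewall accepts it) can be applied mechanically to saved `netstat -nlp` and `iptables -nvL` output. The Python below is an added example, not code from the answer; the embedded samples are excerpts of the output posted in the question, and the `host_ok` verdict is this example's own summary rule (bound on all addresses, and an ACCEPT rule from any source in a ufw user chain), not something the answer states.

```python
import re

# Constructed excerpt of the `netstat -nlp` output from the question.
NETSTAT_SAMPLE = """\
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22100           0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.50.7:27017      0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22100                :::*                    LISTEN      -
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -
"""

# Constructed excerpt of the `iptables -nvL` output from the question.
IPTABLES_SAMPLE = """\
Chain ufw-user-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       73.6.251.121         0.0.0.0/0            tcp dpt:27017
    6   360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22000
    6   344 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22100

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
"""

# Columns of an `iptables -nvL` rule line: pkts bytes target prot opt in out src dst [extra]
IPT_RULE_RE = re.compile(
    r"^\s*\d+\s+\S+\s+(?P<target>\S+)\s+(?P<prot>\S+)\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)(?P<extra>.*)$"
)


def listeners(netstat_text, port, proto="tcp"):
    """Return the local addresses on which `port` is bound (tcp and tcp6 lines)."""
    addrs = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].startswith(proto):
            continue
        host, _, p = cols[3].rpartition(":")  # handles both 0.0.0.0:22100 and :::22100
        if p == str(port):
            addrs.append(host)
    return addrs


def bind_scope(addrs):
    """Classify bind addresses: 'all', 'loopback', 'specific' (one LAN address) or 'none'."""
    if not addrs:
        return "none"
    if any(a in ("0.0.0.0", "::") for a in addrs):
        return "all"
    if all(a.startswith("127.") or a == "::1" for a in addrs):
        return "loopback"
    return "specific"


def accept_rules_for_port(iptables_text, port, proto="tcp"):
    """Return (chain, source) for every ACCEPT rule that matches `proto dpt:<port>`."""
    chain, hits = None, []
    for line in iptables_text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = IPT_RULE_RE.match(line)
        if not m:
            continue
        if (m.group("target") == "ACCEPT" and m.group("prot") == proto
                and f"dpt:{port}" in m.group("extra").split()):
            hits.append((chain, m.group("src")))
    return hits


def diagnose(netstat_text, iptables_text, port):
    """Run the listening-address and firewall checks for one TCP port."""
    addrs = listeners(netstat_text, port)
    rules = accept_rules_for_port(iptables_text, port)
    scope = bind_scope(addrs)
    return {
        "bind_scope": scope,
        "bind_addrs": addrs,
        "accept_rules": rules,
        # Example's own rule: the host itself is not the blocker if the service is
        # bound on all addresses and some ACCEPT rule admits any source.
        "host_ok": scope == "all" and any(src == "0.0.0.0/0" for _, src in rules),
    }


if __name__ == "__main__":
    for port in (22100, 27017, 3306):
        print(port, diagnose(NETSTAT_SAMPLE, IPTABLES_SAMPLE, port))
```

With `host_ok` true for 22100, as it is for the posted output, the remaining suspects are the items the answer lists after the server: the port actually dialled, the ISP, and the router's forwarding entry. On a live box, feed the functions the real output (`subprocess.run(["netstat", "-nlp"], capture_output=True, text=True).stdout`, and the same for `sudo iptables -nvL`).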
