Somehow I keep breaking ssh on my Ubuntu server, and I don't understand why. My DDNS is set to myserver.asuscomm.com, and the ports are forwarded on my router. One of them works fine, but when I connect via DDNS the other two show the port as filtered. When I connect from the same network, the port is open.
Could this be a problem with some setting on my router? Let's say the ssh port is 22100. netstat -tlpn shows that sshd is listening on this port, and if I run sudo ufw status I can see that I allow traffic from anywhere.
From the same network:
nmap -Pn -p 22100 192.168.50.x
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-01 10:13 CDT
Nmap scan report for 192.168.50.x
Host is up (0.00075s latency).
PORT STATE SERVICE
22100/tcp open optohost003
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
From outside the network, via DDNS:
nmap -p 22100 myserver.asuscomm.com
Starting Nmap 7.80 ( https://nmap.org ) at 2021-10-01 10:14 CDT
Nmap scan report for myserver.asuscomm.com (x.y.z.123)
Host is up (0.025s latency).
rDNS record for x.y.z.123: c-x-y-z-123.abc.state.isp.net
PORT STATE SERVICE
22100/tcp filtered optohost003
Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
For this particular server, it also says the host is down when I run a standard nmap, so I have to add the -Pn flag. The other server has the same problem, but nmap works on it without -Pn.
Does anyone know how I can fix this? These ports are all forwarded on my ASUS router, and I don't know what other settings I could change. Should I try ssh on a different port?
Edit: output of netstat -nlp (port 22100 is my ssh):
tcp 0 0 127.0.0.1:32401 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22100 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:32600 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:41113 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:44935 0.0.0.0:* LISTEN -
tcp 0 0 192.168.50.7:27017 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::32400 :::* LISTEN -
tcp6 0 0 :::22100 :::* LISTEN -
tcp6 0 0 :::445 :::* LISTEN -
tcp6 0 0 :::139 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 192.168.50.7:68 0.0.0.0:* -
udp 0 0 172.17.255.255:137 0.0.0.0:* -
udp 0 0 172.17.0.1:137 0.0.0.0:* -
udp 0 0 192.168.50.255:137 0.0.0.0:* -
udp 0 0 192.168.50.7:137 0.0.0.0:* -
udp 0 0 0.0.0.0:137 0.0.0.0:* -
udp 0 0 172.17.255.255:138 0.0.0.0:* -
udp 0 0 172.17.0.1:138 0.0.0.0:* -
udp 0 0 192.168.50.255:138 0.0.0.0:* -
udp 0 0 192.168.50.7:138 0.0.0.0:* -
udp 0 0 0.0.0.0:138 0.0.0.0:* -
udp 0 0 127.0.0.1:33564 0.0.0.0:* -
udp 0 0 0.0.0.0:46034 0.0.0.0:* -
udp 0 0 0.0.0.0:5353 0.0.0.0:* -
udp 0 0 127.0.0.1:42818 0.0.0.0:* -
udp 0 0 0.0.0.0:51011 0.0.0.0:* -
udp 0 0 0.0.0.0:1901 0.0.0.0:* -
udp 0 0 192.168.50.7:38951 0.0.0.0:* -
udp 0 0 0.0.0.0:40101 0.0.0.0:* -
udp 0 0 0.0.0.0:32410 0.0.0.0:* -
udp 0 0 0.0.0.0:32412 0.0.0.0:* -
udp 0 0 0.0.0.0:32413 0.0.0.0:* -
udp 0 0 0.0.0.0:32414 0.0.0.0:* -
udp 0 0 192.168.50.7:57195 0.0.0.0:* -
udp 0 0 192.168.50.7:57254 0.0.0.0:* -
udp6 0 0 :::49275 :::* -
udp6 0 0 :::5353 :::* -
raw6 0 0 :::58 :::* 7 -
Output of sudo iptables -nvL:
Chain INPUT (policy DROP 4793 packets, 1589K bytes)
pkts bytes target prot opt in out source destination
666K 472M ufw-before-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
666K 472M ufw-before-input all -- * * 0.0.0.0/0 0.0.0.0/0
262K 63M ufw-after-input all -- * * 0.0.0.0/0 0.0.0.0/0
155K 51M ufw-after-logging-input all -- * * 0.0.0.0/0 0.0.0.0/0
155K 51M ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
155K 51M ufw-track-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
212K 16M ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
212K 16M ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
44581 3006K ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
44581 3006K ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
44581 3006K ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
44581 3006K ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination
326 26112 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:137
730 180K ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:138
2 88 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139
2 88 ufw-skip-to-policy-input tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445
27 8992 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ufw-skip-to-policy-input udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68
106K 11M ufw-skip-to-policy-input all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-input (1 references)
pkts bytes target prot opt in out source destination
4337 1529K LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-after-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ufw-user-forward all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-input (1 references)
pkts bytes target prot opt in out source destination
40237 2361K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
308K 387M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 12
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
318K 82M ufw-not-local all -- * * 0.0.0.0/0 0.0.0.0/0
1987 325K ACCEPT udp -- * * 0.0.0.0/0 224.0.0.251 udp dpt:5353
53945 19M ACCEPT udp -- * * 0.0.0.0/0 239.255.255.250 udp dpt:1900
262K 63M ufw-user-input all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-before-logging-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (1 references)
pkts bytes target prot opt in out source destination
40237 2361K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
128K 11M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
44581 3006K ufw-user-output all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw-logging-deny (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID limit: avg 3/min burst 10
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw-not-local (1 references)
pkts bytes target prot opt in out source destination
151K 51M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
60270 19M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type MULTICAST
107K 12M RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type BROADCAST
0 0 ufw-logging-deny all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 10
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-reject-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-input (7 references)
pkts bytes target prot opt in out source destination
107K 12M DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-track-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (1 references)
pkts bytes target prot opt in out source destination
173 10348 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
44407 2995K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW
Chain ufw-user-forward (1 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 73.6.251.121 0.0.0.0/0 tcp dpt:27017
0 0 ACCEPT udp -- * * 73.6.251.121 0.0.0.0/0 udp dpt:27017
53 2812 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22001
6 360 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22000
3 132 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
6 344 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22100
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (1 references)
pkts bytes target prot opt in out source destination
iptables -t nat -nvL:
Chain PREROUTING (policy ACCEPT 35687 packets, 8678K bytes)
pkts bytes target prot opt in out source destination
4099 1364K DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 6440 packets, 1931K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3131 packets, 314K bytes)
pkts bytes target prot opt in out source destination
1 278 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 3131 packets, 314K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
iptables -t mangle -nvL:
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Another edit:
Apart from that, I finally checked /var/log/syslog and noticed something interesting: ufw is blocking connections from my router to the server.
Oct 1 16:36:00 user kernel: [ 71.994434] [UFW BLOCK] IN=eth0 OUT= MAC=mac_address_here SRC=192.168.50.1 DST=192.168.50.7 LEN=386 TOS=0x00 PREC=0x00 TTL=64 ID=49481 PROTO=UDP SPT=1900 DPT=56241 LEN=366
I set ufw to allow traffic to and from 192.168.50.1, but no dice. Hmm...
Answer 1
Let's assume that myserver.asuscomm.com really does point to your server's router, and that your router correctly forwards the port to the server.
A service can be listening and active on the loopback or LAN address while being unavailable anywhere else. That seems to be confirmed by what you are seeing.
So you need to look at:
- which ports are listening
- which interfaces/addresses those services are listening on
- which firewall rules you have implemented
- which application-level connection rules you have implemented
The first two of these can be seen with a command such as netstat -nlp. You provided these details in your question:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22100 0.0.0.0:* LISTEN -
tcp6 0 0 :::22100 :::* LISTEN -
These confirm that the service on port 22100 is listening for any inbound traffic on all interfaces (0.0.0.0 and ::).
The implemented firewall rules can be inspected with the following iptables commands (if you are using nftables, I can't help you directly):
iptables -nvL
iptables -t nat -nvL
iptables -t mangle -nvL
Looking at the output you added to your question, I can see an ACCEPT rule in the UFW firewall ruleset that allows inbound TCP traffic to port 22100:
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
[…]
6 344 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22100
Application-level connection rules are typically defined in /etc/hosts.allow and/or /etc/hosts.deny, but they can also be found in application-specific configuration files (e.g. /etc/ssh/sshd_config).
I don't see anything wrong with the server setup here, so I would double-check that:
- you are connecting from outside to the correct IP address on the correct port (some of your examples show port 1234, others show port 22100)
- your ISP allows inbound TCP/IP traffic on this port
- your router's port forwarding really is set up correctly
Incidentally, you may have a terminology problem. "When I connect from DDNS" doesn't really make sense. You can't connect "from" DDNS, because it is just a service that translates a domain name into a (dynamic) IP address. I think you mean "when I connect from outside the network to the IP address that DDNS resolves to".
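As an added example (not part of the question or the answer above), the following Python script applies the answer's server-side checks to pasted command output: it reads netstat -nlp style lines for the addresses a port listens on, reads an iptables -nvL chain for ACCEPT rules matching that port, and parses a [UFW BLOCK] syslog line so you can see whether a logged block concerns that port at all. The sample input is constructed from the output quoted in the question; the function names are the example's own.

```python
import re

# Constructed sample input, modelled on the output quoted in the question.
NETSTAT = """\
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22100 0.0.0.0:* LISTEN -
tcp 0 0 192.168.50.7:27017 0.0.0.0:* LISTEN -
tcp6 0 0 :::22100 :::* LISTEN -
udp 0 0 0.0.0.0:5353 0.0.0.0:* -
"""
UFW_USER_INPUT = """\
Chain ufw-user-input (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 73.6.251.121 0.0.0.0/0 tcp dpt:27017
6 344 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22100
"""
UFW_BLOCK = ("Oct 1 16:36:00 user kernel: [ 71.994434] [UFW BLOCK] IN=eth0 OUT= "
             "MAC=mac_address_here SRC=192.168.50.1 DST=192.168.50.7 LEN=386 TOS=0x00 "
             "PREC=0x00 TTL=64 ID=49481 PROTO=UDP SPT=1900 DPT=56241 LEN=366")
WILDCARDS = {"0.0.0.0", "::"}   # "all interfaces" for IPv4 / IPv6

def listening_addresses(netstat_text, port):
    """Local addresses of TCP sockets in LISTEN state on `port` (netstat -nlp format)."""
    addrs = []
    for f in (line.split() for line in netstat_text.splitlines()):
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, _, p = f[3].rpartition(":")   # rpartition copes with ':::22100'
            if p == str(port):
                addrs.append(addr)
    return addrs

def accept_rules(iptables_text, port, proto="tcp"):
    """Source networks of ACCEPT rules for `proto dpt:port` in an iptables -nvL chain dump."""
    srcs = []
    for f in (line.split() for line in iptables_text.splitlines()):
        if len(f) >= 11 and f[2] == "ACCEPT" and f[3] == proto and f"dpt:{port}" in f:
            srcs.append(f[7])                   # column 8 is the source address
    return srcs

def parse_ufw_block(line):
    """KEY=VALUE fields of a '[UFW BLOCK]' kernel log line as a dict (last LEN wins)."""
    if "[UFW BLOCK]" not in line:
        return None
    return dict(re.findall(r"(\w+)=(\S*)", line.split("[UFW BLOCK]", 1)[1]))

def diagnose(port, netstat_text, iptables_text, block_line=None):
    """Summarise the three server-side checks for one port."""
    addrs, blocked = listening_addresses(netstat_text, port), parse_ufw_block(block_line or "")
    return {"listening_on": addrs,
            "all_interfaces": any(a in WILDCARDS for a in addrs),
            "accept_from": accept_rules(iptables_text, port),
            "block_log_hits_port": bool(blocked) and blocked.get("DPT") == str(port)}

if __name__ == "__main__":
    print(diagnose(22100, NETSTAT, UFW_USER_INPUT, UFW_BLOCK))
```

For the sample above the result shows port 22100 bound to 0.0.0.0 and ::, accepted from 0.0.0.0/0, and the logged block being UDP to port 56241 rather than anything on the SSH port.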