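I am trying to check whether TCP port 80 is open on a Debian 11 server. I logged in over SSH and ran curl -v telnet://localhost:80. It says connection refused. If I do the same for port 22, it shows that I am connected to the SSH service. The machine does not have telnet or netstat installed locally. It has ss and nc.
The interface's IP is 10.31.45.82, and the output of sudo ss -antp is: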
Proto State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp LISTEN 0 32 10.31.45.82:80 0.0.0.0:* users:(("openvpn",pid=709,fd=7))
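curl -v telnet://10.31.45.82:80 shows connection refused. The same happens with nc 10.31.45.82 80.
I am not sure what is blocking the port. The iptables INPUT chain has policy ACCEPT, so it is not blocking the port. Any ideas? I am confused about why localhost port 80 shows as refused. Can an external firewall block telnet on localhost? I used nc localhost 22, and it connects to SSH and shows ESTAB in ss -antp. But nc localhost 80 shows connection refused.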
Output of sudo iptables-save -c:
*filter
:INPUT ACCEPT [4958147:1463832998]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [4920575:611816160]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
[185417:9902718] -A FORWARD -j DOCKER-USER
[185417:9902718] -A FORWARD -j DOCKER-ISOLATION-STAGE-1
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[184273:9850974] -A FORWARD -o br-55d0dcfbc5d8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[256:13280] -A FORWARD -o br-55d0dcfbc5d8 -j DOCKER
[888:38464] -A FORWARD -i br-55d0dcfbc5d8 ! -o br-55d0dcfbc5d8 -j ACCEPT
[4:240] -A FORWARD -i br-55d0dcfbc5d8 -o br-55d0dcfbc5d8 -j ACCEPT
[4:176] -A DOCKER -d 172.22.0.3/32 ! -i br-55d0dcfbc5d8 -o br-55d0dcfbc5d8 -p tcp -m tcp --dport 9001 -j ACCEPT
[248:12864] -A DOCKER -d 172.10.0.3/32 ! -i br-55d0dcfbc5d8 -o br-55d0dcfbc5d8 -p tcp -m tcp --dport 1883 -j ACCEPT
[0:0] -A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
[888:38464] -A DOCKER-ISOLATION-STAGE-1 -i br-55d0dcfbc5d8 ! -o br-55d0dcfbc5d8 -j DOCKER-ISOLATION-STAGE-2
[185417:9902718] -A DOCKER-ISOLATION-STAGE-1 -j RETURN
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION-STAGE-2 -o br-55d0dcfbc5d8 -j DROP
[888:38464] -A DOCKER-ISOLATION-STAGE-2 -j RETURN
[185417:9902718] -A DOCKER-USER -j RETURN
COMMIT
# Completed on Sat Aug 13 16:58:44 2022
# Generated by iptables-save v1.8.7 on Sat Aug 13 16:58:44 2022
*nat
:PREROUTING ACCEPT [43383:2953292]
:INPUT ACCEPT [43379:2953052]
:OUTPUT ACCEPT [137397:7281952]
:POSTROUTING ACCEPT [137648:7294828]
:DOCKER - [0:0]
[0:0] -A PREROUTING -d 10.31.45.83/32 -p udp -m udp --dport 80 -j REDIRECT --to-ports 123
[39282:2267543] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[8:448] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[6:456] -A POSTROUTING -s 172.22.0.0/16 ! -o br-55d0dcfbc5d8 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.22.0.3/32 -d 172.22.0.3/32 -p tcp -m tcp --dport 9001 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.22.0.3/32 -d 172.22.0.3/32 -p tcp -m tcp --dport 1883 -j MASQUERADE
[0:0] -A DOCKER -i docker0 -j RETURN
[0:0] -A DOCKER -i br-55d0dcfbc5d8 -j RETURN
[5:228] -A DOCKER ! -i br-55d0dcfbc5d8 -p tcp -m tcp --dport 9001 -j DNAT --to-destination 172.22.0.3:9001
[248:12864] -A DOCKER ! -i br-55d0dcfbc5d8 -p tcp -m tcp --dport 1883 -j DNAT --to-destination 172.22.0.3:1883
COMMIT
And nftables is not installed:
-bash: nftables: command not found