I set up a small Apache web server on a RHEL 8 VM. Machines on that particular subnet (10.xxx) can reach the VM, but machines on another subnet (172.xxx) cannot reach the server. The web server has no internet access.
While troubleshooting I tried temporarily disabling firewalld and SELinux, but neither had any effect.
On my Windows machine with IP 172.xxx (where the site does not work), I get the following in PowerShell:
> tnc 172.22.6.9 -port 80
WARNING: TCP connect to (172.22.6.9 : 80) failed
ComputerName : 172.22.6.9
RemoteAddress : 172.22.6.9
RemotePort : 80
InterfaceAlias : Ethernet 3
SourceAddress : 172.16.195.117
PingSucceeded : True
PingReplyDetails (RTT) : 31 ms
TcpTestSucceeded : False
On another computer on the 10.xxx subnet (where the site works), I get the following:
> tnc 172.22.6.9 -port 80
ComputerName : 172.22.6.9
RemoteAddress : 172.22.6.9
RemotePort : 80
InterfaceAlias : Ethernet
SourceAddress : 10.0.236.53
TcpTestSucceeded : True
Tcpdump shows the following. I am logged in via ssh, so I believe that is what shows up on port 22:
$ tcpdump -nn -i ens192 | grep 172.16.195.117
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
08:23:28.730189 IP 172.22.6.9.22 > 172.16.195.117.50600: Flags [P.], seq 664703141:664703221, ack 3210526827, win 488, length 80
08:23:28.730354 IP 172.22.6.9.22 > 172.16.195.117.50600: Flags [P.], seq 80:176, ack 1, win 488, length 96
08:23:28.730574 IP 172.22.6.9.22 > 172.16.195.117.50600: Flags [P.], seq 176:304, ack 1, win 488, length 128
08:23:28.730676 IP 172.22.6.9.22 > 172.16.195.117.50600: Flags [P.], seq 304:400, ack 1, win 488, length 96
08:23:28.730761 IP 172.22.6.9.22 > 172.16.195.117.50600: Flags [P.], seq 400:528, ack 1, win 488, length 128
08:23:28.730839 IP 172.22.6.9.22 > 172.16.195.117.50600: Flags [P.], seq 528:624, ack 1, win 488, length 96
08:23:28.760000 IP 172.16.195.117.50600 > 172.22.6.9.22: Flags [.], ack 624, win 1022, length 0
08:23:35.942843 IP 172.22.6.9.22 > 172.16.195.117.50600: Flags [P.], seq 624:896, ack 1, win 488, length 272
08:23:36.023088 IP 172.16.195.117.50600 > 172.22.6.9.22: Flags [.], ack 896, win 1021, length 0
08:24:01.938129 IP 172.22.6.9.22 > 172.16.195.117.50600: Flags [P.], seq 896:1200, ack 1, win 488, length 304
08:24:02.017682 IP 172.16.195.117.50600 > 172.22.6.9.22: Flags [.], ack 1200, win 1025, length 0
08:24:05.957775 IP 172.22.6.9.22 > 172.16.195.117.50600: Flags [P.], seq 1200:1472, ack 1, win 488, length 272
08:24:06.035691 IP 172.16.195.117.50600 > 172.22.6.9.22: Flags [.], ack 1472, win 1024, length 0
08:25:01.976052 IP 172.22.6.9.22 > 172.16.195.117.50600: Flags [P.], seq 1472:1776, ack 1, win 488, length 304
08:25:02.051839 IP 172.16.195.117.50600 > 172.22.6.9.22: Flags [.], ack 1776, win 1023, length 0
08:25:05.991836 IP 172.22.6.9.22 > 172.16.195.117.50600: Flags [P.], seq 1776:2048, ack 1, win 488, length 272
08:25:06.066825 IP 172.16.195.117.50600 > 172.22.6.9.22: Flags [.], ack 2048, win 1022, length 0
08:25:33.318464 IP 172.16.195.117 > 172.22.6.9: ICMP echo request, id 1, seq 282, length 40
08:25:33.318493 IP 172.22.6.9 > 172.16.195.117: ICMP echo reply, id 1, seq 282, length 40
Even with the firewall service disabled, where would you all start looking?
The file /etc/httpd/conf/httpd.conf shows Listen 80
One thing I noticed while firewalld was running is that the "trusted" zone does not list the 172.xxx CIDR. I'm not sure whether that matters, since firewalld is now disabled:
$ firewall-cmd --get-active-zones
libvirt
  interfaces: virbr0
public
  interfaces: ens192
trusted
  sources: 10.0.0.0/16
The output of the command
firewall-cmd --get-active-zones | grep -P '^[^\s]' | xargs -I{} firewall-cmd --info-zone={}
libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources:
  services: dhcp dhcpv6 dns ssh tftp
  ports:
  protocols: icmp ipv6-icmp
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule priority="32767" reject

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: http https ssh
  ports: 3389/tcp 9524/tcp 9524/udp 80/tcp 443/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 10.0.0.0/16
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Also:
grep -PRn '^\s*Listen\s+' /etc/httpd 2>/dev/null
shows:
/etc/httpd/conf/httpd.conf:45:Listen 80
Any ideas? Thanks.
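Added example, not code from the original post: a Python helper that parses tcpdump -nn lines in the shape posted above and reports what the server's interface saw for a given client and port, distinguishing connection attempts that never arrive from ones that are refused or silently dropped (tcpdump captures inbound frames before firewalld processes them, so a capture with no port-80 segments from the client is not a host-firewall symptom). The embedded capture is a constructed sample; the server and client addresses are the ones from the post.

```python
import re
from collections import Counter

# Constructed sample in the shape of the tcpdump -nn output posted above: SSH
# segments and ICMP from the 172.16.195.117 client, nothing at all on port 80.
SAMPLE_CAPTURE = """\
08:23:28.730189 IP 172.22.6.9.22 > 172.16.195.117.50600: Flags [P.], seq 664703141:664703221, ack 3210526827, win 488, length 80
08:23:28.760000 IP 172.16.195.117.50600 > 172.22.6.9.22: Flags [.], ack 624, win 1022, length 0
08:25:33.318464 IP 172.16.195.117 > 172.22.6.9: ICMP echo request, id 1, seq 282, length 40
08:25:33.318493 IP 172.22.6.9 > 172.16.195.117: ICMP echo reply, id 1, seq 282, length 40
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
TCP_RE = re.compile(rf"^\S+ IP {IP}\.(\d+) > {IP}\.(\d+): Flags \[([^\]]*)\]")
ICMP_RE = re.compile(rf"^\S+ IP {IP} > {IP}: ICMP ")

def parse_capture(text):
    """Yield (proto, src, sport, dst, dport, flags) per recognised line; ICMP has no ports."""
    for line in text.splitlines():
        if m := TCP_RE.match(line):
            src, sport, dst, dport, flags = m.groups()
            yield "tcp", src, int(sport), dst, int(dport), flags
        elif m := ICMP_RE.match(line):
            src, dst = m.groups()
            yield "icmp", src, None, dst, None, ""

def port_traffic(text, server, client, port):
    """Count, per direction, the segments for one service between client and server."""
    c = Counter()
    for proto, src, sport, dst, dport, flags in parse_capture(text):
        if proto == "icmp" and {src, dst} == {server, client}:
            c["icmp"] += 1
        elif src == client and dst == server and dport == port:
            c["in"] += 1                 # client -> server on the service port (SYNs included)
        elif src == server and dst == client and sport == port:
            c["out"] += 1                # server's answers from the service port
            if "R" in flags:
                c["out_rst"] += 1        # RST: the SYN reached the host and was refused
    return c

def diagnose(text, server, client, port=80):
    """Say where to look next, based on what the server's NIC actually saw."""
    c = port_traffic(text, server, client, port)
    if c["in"] == 0:
        return "upstream"    # no segment for the port ever reached the NIC: look between the subnets
    if c["out_rst"]:
        return "refused"     # arrived and was refused: no listener on that address, or a reject rule
    if c["out"] == 0:
        return "host-drop"   # arrived, no answer at all: a local packet filter dropping silently
    return "ok"
```

For the posted capture, diagnose() with the post's addresses returns "upstream" for port 80 and "ok" for port 22, which matches the SSH session working while the web server is unreachable.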