我的 VPS 出了问题。简单的例子:
<?php $ip = $_SERVER['REMOTE_ADDR'];
Echo "User IP : " . $ip;
?>
该代码应该显示用户 IP 地址,但它显示的是 HN IP 地址(而不是 VPS IP 地址)。
再次,当我通过 ssh 登录到虚拟容器时,登录的 IP 是硬件节点的 IP。
类似的问题在这里:OpenVZ Host 是源 IP 地址而不是实际的网络浏览者?
以下是 openVZ 配置:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.all.forwarding = 1
# Controls source route verification
net.ipv4.conf.all.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 1
# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1
# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1
# Controls the maximum size of a message, in bytes
kernel.msgmnb = 65536
# Controls the default maxmimum size of a mesage queue
kernel.msgmax = 65536
# Controls the maximum shared segment size, in bytes
kernel.shmmax = 68719476736
# Controls the maximum number of shared memory segments, in pages
kernel.shmall = 4294967296
# Disable proxy arp
net.ipv4.conf.default.proxy_arp = 0
# We do not want all our interfaces to send redirects
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_conntrack_max=32760
IPTables 配置
[root@nod1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
all -- clienti.alba.rdsnet.ro anywhere
all -- anywhere clienti.alba.rdsnet.ro
all -- clienti.alba.rdsnet.ro anywhere
all -- anywhere clienti.alba.rdsnet.ro
all -- clienti.alba.rdsnet.ro anywhere
all -- anywhere clienti.alba.rdsnet.ro
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTAB LISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:s sh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:s mtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:h ttp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:f tp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:h ttps
REJECT all -- anywhere anywhere reject-with icmp-ho
有人能帮帮我吗?另外,我不是专家,所以如果有人能一步一步解释,我将不胜感激。
答案1
您能否粘贴一下您的 iptables 配置的输出?您是否尝试过 Jerry Tunin 建议的潜在解决方案?
iptables -t nat -L
iptables -t mangle -L
答案2
好的,这就是我所做的。我停止了 iptables 服务并从 /etc/sysconfig/iptables 中删除了包含 mangle 和 nat 的部分。按照 Adam 的指示,我从文件 /etc/sysconfig/vz 中的“## IPv4 iptables kernel modules”行部分中删除了“iptable_mangle”。我做了:
iptables -t nat -L iptables -t mangle -L
我已重新启动 iptables 服务并且问题解决。
现在我可以在服务器日志中看到我的私有 IP :D
非常感谢 Adam 指出了 mangle 和 nat 的问题。
祝你好运!
答案3
您很可能在所有 VPS 机器上都有一个环回设备,因此请尝试将其从整体配置中删除,或者出于测试目的访问 VPS 并输入:
ifconfig lo 下
再次检查传出的IP。
谨致问候,B.Bozhev
答案4
您的 HN 中是否有代理可以将请求发送到 CT 中的服务器?
如果是这种情况,您应该告诉您的代理将客户端 IP 转发到您的 CT 服务器,然后读取 X-Forwarding-For 标头。