Ports open but not reachable, Ubuntu 14.04

I have read so much and changed so much that I don't even know where to start. Ports 80 and 22 are open, reachable from both inside and outside the local network, and work fine. However, 443 and 32400 are open in iptables and the services are listening, but connecting to the services on those ports from a machine on the local network or on the internet times out. From the server's own CLI I can reach the services with sudo wget http://domain.com:32400 or sudo wget https://domain.com, and it works fine.

It looks like they get through iptables, since iptables shows packets and bytes on those rules, but no log shows anything about these requests.

Both services worked fine on my previous server (ClearOS), so my ISP is not blocking them.

$ nmap redactedIP
Starting Nmap 6.40 ( http://nmap.org ) at 2015-01-13 15:56 CST
Nmap scan report for redactedIP.dhcp.krny.ne.charter.com (redactedIP)
Host is up (0.000029s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/tcp  open  domain
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 2.44 seconds

$ nmap -p 32400 redactedIP
Starting Nmap 6.40 ( http://nmap.org ) at 2015-01-13 15:56 CST
Nmap scan report for redactedIP.dhcp.krny.ne.charter.com (redactedIP)
Host is up (0.000094s latency).
PORT      STATE SERVICE
32400/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 1.08 seconds

$ sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1253/mysqld
tcp        0      0 0.0.0.0:32400           0.0.0.0:*               LISTEN      844/Plex Media Serv
tcp        0      0 0.0.0.0:32401           0.0.0.0:*               LISTEN      844/Plex Media Serv
tcp        0      0 0.0.0.0:32469           0.0.0.0:*               LISTEN      1701/Plex DLNA     Serv
tcp        0      0 192.168.5.1:53          0.0.0.0:*               LISTEN      1228/named
tcp        0      0 redacted:53        0.0.0.0:*               LISTEN      1228/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1228/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1186/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1562/exim4
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1228/named
tcp        0      0 0.0.0.0:56222           0.0.0.0:*               LISTEN      938/Plex Plug-in [c
tcp        0      0 0.0.0.0:1696            0.0.0.0:*               LISTEN      1701/Plex DLNA Serv
tcp6       0      0 :::80                   :::*                    LISTEN      1742/apache2
tcp6       0      0 :::53                   :::*                    LISTEN      1228/named
tcp6       0      0 :::22                   :::*                    LISTEN      1186/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1562/exim4
tcp6       0      0 ::1:953                 :::*                    LISTEN      1228/named
tcp6       0      0 :::443                  :::*                    LISTEN      1742/apache2
udp        0      0 0.0.0.0:37232           0.0.0.0:*                           763/avahi-daemon: r
udp        0      0 127.0.0.1:47592         0.0.0.0:*                           844/Plex Media Serv
udp        0      0 0.0.0.0:6645            0.0.0.0:*                           968/dhclient
udp        0      0 127.0.0.1:53757         0.0.0.0:*                           844/Plex Media Serv
udp        0      0 0.0.0.0:35487           0.0.0.0:*                           1189/dhcpd
udp        0      0 192.168.5.1:36008       0.0.0.0:*                           844/Plex Media Serv
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           763/avahi-daemon: r
udp        0      0 0.0.0.0:1550            0.0.0.0:*                           1701/Plex DLNA Serv
udp        0      0 0.0.0.0:42527           0.0.0.0:*                           1701/Plex DLNA Serv
udp        0      0 0.0.0.0:40481           0.0.0.0:*                           1701/Plex DLNA Serv
udp        0      0 redacted:60984     0.0.0.0:*                           844/Plex Media Serv
udp        0      0 0.0.0.0:32410           0.0.0.0:*                           844/Plex Media Serv
udp        0      0 0.0.0.0:32413           0.0.0.0:*                           844/Plex Media Serv
udp        0      0 0.0.0.0:32414           0.0.0.0:*                           844/Plex Media Serv
udp        0      0 redacted:57183     0.0.0.0:*                           844/Plex Media Serv
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           1701/Plex DLNA Serv
udp        0      0 0.0.0.0:4096            0.0.0.0:*                           1701/Plex DLNA Serv
udp        0      0 192.168.5.1:51220       0.0.0.0:*                           844/Plex Media Serv
udp        0      0 192.168.5.1:53          0.0.0.0:*                           1228/named
udp        0      0 redacted:53        0.0.0.0:*                           1228/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1228/named
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1189/dhcpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           968/dhclient
udp6       0      0 :::60075                :::*                                763/avahi-daemon: r
udp6       0      0 :::5353                 :::*                                763/avahi-daemon: r
udp6       0      0 :::54946                :::*                                1189/dhcpd
udp6       0      0 :::53                   :::*                                1228/named
udp6       0      0 :::20752                :::*                                968/dhclient


$ sudo iptables -L -v
Chain INPUT (policy DROP 99 packets, 11532 bytes)
 pkts bytes target     prot opt in     out     source               destination
 6801  718K ACCEPT     all  --  lo     any     anywhere             anywhere
 7720  822K ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
   80  4120 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
  264 13764 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:http
    6   304 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
   11   560 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:32400

Chain FORWARD (policy ACCEPT 199 packets, 31384 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 86 packets, 9450 bytes)
 pkts bytes target     prot opt in     out     source               destination

Running tcpdump -i (interface) 'tcp port 32400' on the internal interface (eth1), on loopback (lo) and on the external interface (p10p1), which is connected directly to the modem with no other router between it and the internet, gave the following summarised results:

  • eth1
    • From inside the network: several packets captured and received by filter, 0 packets dropped by kernel.
    • From outside the network: none
  • lo
    • From inside or outside the network: none
  • p10p1
    • From inside the network: none
    • From outside the network: several packets captured and received by filter, 0 dropped by kernel.

Answer 1

Well folks, I knew it would be something simple, and I'm almost embarrassed to admit it, but for completeness, here is what happened. I use iptables-persistent to save/reload iptables. When adding rules from the command line, the rules were added to the "filter" table but not to the "nat" table, so while the relevant ports were open in "filter", they were not open in "nat". I added the rules to the "nat" table, rebooted, and everything works.

Thanks everyone for the help, and sorry it was such a simple solution. Here is my "/etc/iptables/rules.v4" file for anyone who wants to see it:

$ cat /etc/iptables/rules.v4
# Generated by iptables-save v1.4.21 on Sat Jan 10 14:34:25 2015
*filter
:INPUT DROP [438:49434]
:FORWARD ACCEPT [4727:2251391]
:OUTPUT ACCEPT [746:117598]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
COMMIT
# Completed on Sat Jan 10 14:34:25 2015
# Generated by iptables-save v1.4.21 on Sat Jan 10 14:34:25 2015
*nat
:PREROUTING ACCEPT [13673:1753542]
:INPUT DROP [193:33460]
:OUTPUT ACCEPT [942:175333]
:POSTROUTING ACCEPT [331:86274]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A POSTROUTING -o p10p1 -j MASQUERADE
COMMIT
# Completed on Sat Jan 10 14:34:25 2015
# Generated by iptables-save v1.4.21 on Sat Jan 10 14:34:25 2015
*mangle
:PREROUTING ACCEPT [114993:38355797]
:INPUT ACCEPT [27211:3683353]
:FORWARD ACCEPT [87622:34663068]
:OUTPUT ACCEPT [18739:2989889]
:POSTROUTING ACCEPT [112370:38117303]
COMMIT
# Completed on Sat Jan 10 14:34:25 2015
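An added check (my own example, not from the question or the answers) that parses an iptables-save dump shaped like the rules.v4 above, reports which ports the filter INPUT chain accepts but a DROP-policy nat INPUT chain would still drop, and rewrites that nat policy to ACCEPT, which is the default and removes the need to mirror every port into the nat table. The sample dump is constructed and assumes the rules.v4 format shown above.

```python
import re
# Constructed sample in iptables-save format: filter accepts 22/443/32400,
# but nat INPUT has policy DROP and only whitelists 22 (same shape as above).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
COMMIT
*nat
:INPUT DROP [0:0]
:POSTROUTING ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A POSTROUTING -o p10p1 -j MASQUERADE
COMMIT
"""
RULE_RE = re.compile(r"-A (\S+) .*--dport (\d+) .*-j ACCEPT$")

def parse_save(text):
    """Return {table: (policy_by_chain, accepted_tcp_dports_by_chain)}."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):                 # table header, e.g. *nat
            table = line[1:].strip()
            tables[table] = ({}, {})
        elif line.startswith(":") and table:     # chain policy line
            chain, policy = line[1:].split()[:2]
            tables[table][0][chain] = policy
        elif line.startswith("-A") and table:    # rule line
            m = RULE_RE.match(line)
            if m:
                tables[table][1].setdefault(m.group(1), set()).add(int(m.group(2)))
    return tables

def find_nat_input_gaps(text):
    """Ports accepted by filter INPUT that a DROP-policy nat INPUT still drops."""
    t = parse_save(text)
    if t.get("nat", ({}, {}))[0].get("INPUT") != "DROP":
        return set()                             # ACCEPT policy: nothing to report
    return t["filter"][1].get("INPUT", set()) - t["nat"][1].get("INPUT", set())

def fix_nat_input_policy(text):
    """Set the nat table's INPUT policy to ACCEPT; filter keeps its own DROP."""
    out, table = [], None
    for line in text.splitlines():
        table = line[1:].strip() if line.startswith("*") else table
        if table == "nat" and line.startswith(":INPUT DROP"):
            line = ":INPUT ACCEPT" + line[len(":INPUT DROP"):]
        out.append(line)
    return "\n".join(out) + "\n"
```

Only the first packet of a new connection traverses the nat table, and nat INPUT is consulted after filter INPUT for locally delivered packets, which is why the filter counters grew while the connections still timed out.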

Answer 2

All I can think of is packet tracing (tcpdump, wireshark) and netcat troubleshooting from different hosts and interfaces (lo0, eth, wlan). You need to isolate the problem, because right now it doesn't make sense.

It is coming from the client, the server, or the gateway. Hope this helps.
