I'm seeing odd behaviour on a VPS I own (Debian 8.6) and, honestly, I've reached the point where I don't know how to investigate or fix it any further.
As far as I can tell, the OS can only handle outgoing requests to IPv6 addresses, not to IPv4 addresses:
Curl request to google over IPv4:
$ curl -v -4 google.be
* Rebuilt URL to: google.be/
* Hostname was NOT found in DNS cache
* Trying 172.217.17.67...
* connect to 172.217.17.67 port 80 failed: Connection timed out
* Failed to connect to google.be port 80: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to google.be port 80: Connection timed out
Traceroute to Google over IPv4:
$ traceroute 172.217.17.67
traceroute to 172.217.17.67 (172.217.17.67), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
Curl request to google over IPv6:
$ curl -v -6 google.be
* Rebuilt URL to: google.be/
* Hostname was NOT found in DNS cache
* Trying 2a00:1450:400e:802::2003...
* Connected to google.be (2a00:1450:400e:802::2003) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: google.be
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: http://www.google.be/
< Content-Type: text/html; charset=UTF-8
< Date: Sat, 01 Oct 2016 13:55:01 GMT
< Expires: Mon, 31 Oct 2016 13:55:01 GMT
< Cache-Control: public, max-age=2592000
* Server gws is not blacklisted
< Server: gws
< Content-Length: 218
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
<
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>301 Moved</TITLE></HEAD><BODY>
<H1>301 Moved</H1>
The document has moved
<A HREF="http://www.google.be/">here</A>.
</BODY></HTML>
* Connection #0 to host google.be left intact
Traceroute to google over IPv6:
$ traceroute 2a00:1450:400e:802::2003
traceroute to 2a00:1450:400e:802::2003 (2a00:1450:400e:802::2003), 30 hops max, 80 byte packets
1 v340.router1.dcga.ams.transip.net (2a01:7c8:aaac::2) 0.493 ms 0.409 ms 0.320 ms
2 30gigabitethernet1-3.core1.ams1.he.net (2001:7f8:1::a500:6939:1) 11.541 ms 11.581 ms 11.569 ms
3 amsix-router.google.com (2001:7f8:1::a501:5169:1) 1.531 ms 1.640 ms 1.509 ms
4 2001:4860:0:f8d::1 (2001:4860:0:f8d::1) 1.500 ms 2001:4860:0:f8c::1 (2001:4860:0:f8c::1) 1.794 ms 1.871 ms
5 2001:4860:0:1::15a9 (2001:4860:0:1::15a9) 1.774 ms 1.856 ms 2001:4860:0:1::15ad (2001:4860:0:1::15ad) 1.867 ms
6 ams16s21-in-x03.1e100.net (2a00:1450:400e:802::2003) 1.857 ms 1.606 ms 1.459 ms
Strangely enough, though, the VPS is reachable over IPv4 (the web server and other services respond on the IPv4 address).
As far as I know I have no firewall rules for outgoing connections that could cause this:
$ sudo iptables -L -n -v
Chain INPUT (policy DROP 76 packets, 4352 bytes)
pkts bytes target prot opt in out source destination
4330 481K LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix "BANDWIDTH_IN:"
664 79865 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4116 465K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10001
36 2405 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
47 3192 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:86
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp multiport dports 20,21
9 459 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
46 5141 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:25
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * eth0 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix "BANDWIDTH_OUT:"
0 0 LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix "BANDWIDTH_IN:"
Chain OUTPUT (policy ACCEPT 7234 packets, 6355K bytes)
pkts bytes target prot opt in out source destination
6570 6275K LOG all -- * eth0 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix "BANDWIDTH_OUT:"
My network configuration:
$ sudo ifconfig
eth0 Link encap:Ethernet HWaddr 52:54:00:xx:xx:xx
inet addr:95.170.xx.xx Bcast:95.170.xx.xx Mask:255.255.255.0
inet6 addr: 2a01:7c8:aaac:bb:5054:xx:xx:xx/64 Scope:Global
inet6 addr: fe80::5054:xx:xx:xx/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:309169854 errors:0 dropped:0 overruns:0 frame:0
TX packets:62960742 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:75197092341 (70.0 GiB) TX bytes:32195269170 (29.9 GiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:92231464 errors:0 dropped:0 overruns:0 frame:0
TX packets:92231464 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:13174664705 (12.2 GiB) TX bytes:13174664705 (12.2 GiB)
I have another VPS with the same hosting provider and it doesn't have any problems.
Answer 1
Your problem isn't that your outbound packets are being blocked, but that the inbound responses those outbound packets provoke are being blocked. Try adding a rule like
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
and see if that makes things work. Incidentally, it's always a good idea to end a ruleset with a logging rule so you can see what reaches the end of the chain and gets blocked by the policy; e.g.
iptables -A INPUT -j LOG --log-prefix="INPUT DROP: "
That way, if you find you can't do something you think you should be able to do, you can check whether any traffic is being dropped that could be causing the problem.
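To make the diagnosis above checkable, here is an added example (my own code, not part of the original question or answer). It parses an `iptables -L -n -v` listing like the one posted in the question, flags any DROP-policy chain that has no ACCEPT for ESTABLISHED/RELATED traffic and does not end in a LOG rule, and returns the two commands the answer proposes in the order they must be appended. The sample listings are constructed from the question's output (shortened to the rules that matter, plus a second copy with the fix applied). Note that `iptables` covers only the IPv4 tables; `ip6tables` is a separate ruleset, which is consistent with IPv6 working untouched.

```python
"""Audit an `iptables -L -n -v` listing for the failure mode in the answer:
an INPUT chain with policy DROP that never ACCEPTs ESTABLISHED/RELATED
traffic (so replies to the host's own outbound connections are dropped),
and DROP-policy chains that end without a LOG rule."""

import re

# Constructed sample: the listing posted in the question, shortened.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 76 packets, 4352 bytes)
 pkts bytes target prot opt in out source destination
 4330 481K LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix "BANDWIDTH_IN:"
 664 79865 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 4116 465K ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10001
 36 2405 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
 46 5141 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 LOG all -- * eth0 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix "BANDWIDTH_OUT:"

Chain OUTPUT (policy ACCEPT 7234 packets, 6355K bytes)
 pkts bytes target prot opt in out source destination
 6570 6275K LOG all -- * eth0 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix "BANDWIDTH_OUT:"
"""

# Constructed sample: an INPUT chain after the answer's two rules were appended
# (this is how -L -n -v renders `-m state --state ESTABLISHED,RELATED` and
# `-j LOG --log-prefix "INPUT DROP: "`).
FIXED_INPUT = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 LOG all -- eth0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix "BANDWIDTH_IN:"
 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix "INPUT DROP: "
"""

CHAIN_WITH_POLICY = re.compile(r"^Chain (\S+) \(policy (\S+)")
CHAIN_USER_DEFINED = re.compile(r"^Chain (\S+) \(\d+ references\)")


def parse_listing(text):
    """Return {chain: {"policy": "DROP"/"ACCEPT"/None, "rules": [line, ...]}}.
    User-defined chains have no policy and get None."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CHAIN_WITH_POLICY.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        m = CHAIN_USER_DEFINED.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": None, "rules": []}
            continue
        if current is None or line.startswith("pkts bytes"):
            continue  # column header, or text before the first chain
        chains[current]["rules"].append(line)
    return chains


def target_of(rule):
    """Third column of a -L -n -v rule line is the target (ACCEPT, DROP, LOG, ...)."""
    return rule.split()[2]


def accepts_return_traffic(rules):
    """True if an ACCEPT rule matches ESTABLISHED via `-m state` ('state ...')
    or `-m conntrack` ('ctstate ...')."""
    return any(
        target_of(r) == "ACCEPT" and "ESTABLISHED" in r
        and ("state" in r.split() or "ctstate" in r.split())
        for r in rules
    )


def ends_with_log(rules):
    """True if the last rule is LOG, so whatever falls through to the policy is logged."""
    return bool(rules) and target_of(rules[-1]) == "LOG"


def audit(text):
    """One finding per problem; an empty list means the listing passes both checks."""
    findings = []
    for name, chain in parse_listing(text).items():
        if chain["policy"] != "DROP":
            continue
        if not accepts_return_traffic(chain["rules"]):
            findings.append(f"{name}: policy DROP without an ESTABLISHED/RELATED ACCEPT; "
                            "replies to this host's outbound connections are dropped")
        if not ends_with_log(chain["rules"]):
            findings.append(f"{name}: chain does not end in a LOG rule; policy drops are invisible")
    return findings


def remediation_commands(chain="INPUT"):
    """The answer's two rules, in the order they must be appended: the stateful
    ACCEPT has to sit before the catch-all LOG, or every reply would be logged."""
    return [
        f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT",
        f'iptables -A {chain} -j LOG --log-prefix "{chain} DROP: "',
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_LISTING) or ["no findings"]:
        print(finding)
    print("\n".join(remediation_commands()))
```

Run against the posted listing, the audit reports both problems on INPUT and nothing on FORWARD or OUTPUT, which matches the symptoms: curl's SYN leaves through OUTPUT (policy ACCEPT), but the SYN-ACK comes back to an ephemeral port that no INPUT rule matches and is dropped by the policy. DNS still resolves because `udp spt:53` is accepted, and inbound web traffic works because `tcp dpt:80` is accepted and the replies go out through OUTPUT. Because the answer uses `-A`, run the stateful ACCEPT before the LOG rule so the two land in that order.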