Ubuntu: connecting to IP:PORT does not work

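For the past two days I have been struggling with a strange problem, and I have not found any answer related to it. Everything was working fine before, but it suddenly stopped.

The problem exists only on my client system; everything works fine on any other system. I am trying to make a curl request through the proxy 201.17.10.12:11111, but it fails with "Connection timed out". wget and ssh also fail on the client server. nmap and ping work.

I checked netstat -nputw after the curl request, and it shows the connection in the SYN_SENT state. I also analyzed it with tcpdump, and the result is: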

$ tcpdump host 201.17.10.12 -w packets &

$ curl -x http://201.17.10.12:11111 http://www.example.com
curl: (7) Failed to connect to 201.17.10.12 port 11111: Connection timed out

$ tcpdump -nn -r packets | less

22:04:00.556502 IP 10.2.2.57.62544 > 201.17.10.12.11111: Flags [S], seq 2069349153, win 29200, options [mss 1460,sackOK,TS val 2550685 ecr 0,nop,wscale 7], length 0
22:04:01.556560 IP 10.2.2.57.62544 > 201.17.10.12.11111: Flags [S], seq 2069349153, win 29200, options [mss 1460,sackOK,TS val 2550936 ecr 0,nop,wscale 7], length 0
22:04:03.560552 IP 10.2.2.57.62544 > 201.17.10.12.11111: Flags [S], seq 2069349153, win 29200, options [mss 1460,sackOK,TS val 2551437 ecr 0,nop,wscale 7], length 0
22:04:07.572559 IP 10.2.2.57.62544 > 201.17.10.12.11111: Flags [S], seq 2069349153, win 29200, options [mss 1460,sackOK,TS val 2552440 ecr 0,nop,wscale 7], length 0
22:04:15.588592 IP 10.2.2.57.62544 > 201.17.10.12.11111: Flags [S], seq 2069349153, win 29200, options [mss 1460,sackOK,TS val 2554444 ecr 0,nop,wscale 7], length 0
22:04:31.604579 IP 10.2.2.57.62544 > 201.17.10.12.11111: Flags [S], seq 2069349153, win 29200, options [mss 1460,sackOK,TS val 2558448 ecr 0,nop,wscale 7], length 0
22:05:03.668547 IP 10.2.2.57.62544 > 201.17.10.12.11111: Flags [S], seq 2069349153, win 29200, options [mss 1460,sackOK,TS val 2566464 ecr 0,nop,wscale 7], length 0
~

But now if I check with nmap, it shows a response:

$ nmap -sS -Pn -p 11111 -T4 -vv --reason -oN nmap.results 201.17.10.12

Starting Nmap 6.40 ( http://nmap.org ) at 2017-05-18 22:03 IST
Initiating Parallel DNS resolution of 1 host. at 22:03
Completed Parallel DNS resolution of 1 host. at 22:03, 0.41s elapsed
Initiating SYN Stealth Scan at 22:03
Scanning 201.17.10.12 (201.17.10.12) [1 port]
Discovered open port 11111/tcp on 201.17.10.12
Completed SYN Stealth Scan at 22:03, 0.21s elapsed (1 total ports)
Nmap scan report for 201.17.10.12 (201.17.10.12)
Host is up, received user-set (0.16s latency).
Scanned at 2017-05-18 22:03:23 IST for 0s
PORT      STATE SERVICE REASON
11111/tcp open  unknown syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
           Raw packets sent: 1 (44B) | Rcvd: 1 (44B)

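Neither a firewall nor AppArmor is running on the client or on the proxy server (Ubuntu 14.04). Please help, because I can't figure this out: if nmap/ping show that everything is fine, why can't I connect when using the proxy, and what should I do to fix this?

Edit 1: curl with -vv shows: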

$ curl -vv  -x http://201.17.10.12:11111 http://www.google.com
* Rebuilt URL to: http://www.google.com/
* Hostname was NOT found in DNS cache
*   Trying 201.17.10.12...
* connect to 201.17.10.12 port 11111 failed: Connection timed out
* Failed to connect to 201.17.10.12 port 11111: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to 201.17.10.12 port 11111: Connection timed out

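Edit 2:

I just noticed that this happens with any program I use on the client: ssh/wget/curl. Only nmap and ping work. If I try to connect to any non-open port on the server, it exits immediately with the message: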

$ ssh [email protected] -p 32
ssh: connect to host 201.17.10.12 port 32: Connection refused

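But if I try to connect to any open/listening port, it waits until "Connection timed out". Checking port 32 with nmap shows state: closed, reason: reset. Checking open port 22 with nmap shows state: open, reason: syn-ack. This means nmap is correctly getting the syn-ack response, whereas the other programs either do not receive the response or cannot read it, and wait until the timeout occurs.

Output of iptables -L -v -n on the server: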

$ iptables -L -v -n

Chain INPUT (policy ACCEPT 2334K packets, 1925M bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 2605K packets, 778M bytes)
 pkts bytes target     prot opt in     out     source               destination 

Output of iptables -L -v -n on the client:

$ iptables -L -v -n
Chain INPUT (policy ACCEPT 7219K packets, 1845M bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

Chain OUTPUT (policy ACCEPT 8616K packets, 1288M bytes)
 pkts bytes target     prot opt in     out     source               destination 
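
The tcpdump text output in the question can be summarized mechanically. The following is an added example, not part of the original post: it groups handshake packets by flow and reports the SYN retransmission gaps and whether any SYN-ACK appears in the capture. The names `summarize`, `LINE` and `SAMPLE` are assumptions made for illustration, and the sample lines are the ones from the post with the TCP options trimmed.

```python
import re
from collections import defaultdict

# The seven SYN lines from the capture in the post, TCP options trimmed for width.
SAMPLE = """\
22:04:00.556502 IP 10.2.2.57.62544 > 201.17.10.12.11111: Flags [S], seq 2069349153, win 29200, length 0
22:04:01.556560 IP 10.2.2.57.62544 > 201.17.10.12.11111: Flags [S], seq 2069349153, win 29200, length 0
22:04:03.560552 IP 10.2.2.57.62544 > 201.17.10.12.11111: Flags [S], seq 2069349153, win 29200, length 0
22:04:07.572559 IP 10.2.2.57.62544 > 201.17.10.12.11111: Flags [S], seq 2069349153, win 29200, length 0
22:04:15.588592 IP 10.2.2.57.62544 > 201.17.10.12.11111: Flags [S], seq 2069349153, win 29200, length 0
22:04:31.604579 IP 10.2.2.57.62544 > 201.17.10.12.11111: Flags [S], seq 2069349153, win 29200, length 0
22:05:03.668547 IP 10.2.2.57.62544 > 201.17.10.12.11111: Flags [S], seq 2069349153, win 29200, length 0
"""

# Matches the default `tcpdump -nn` text format for TCP over IPv4.
LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+) > (\S+): Flags \[([^\]]+)\]")

def summarize(text):
    """Per flow: number of bare SYNs, gaps between them, and whether a SYN-ACK was captured."""
    syn_times = defaultdict(list)   # (client, server) -> timestamps of bare SYNs
    answered = set()                # (client, server) flows for which a SYN-ACK was seen
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        h, mi, s, src, dst, flags = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)   # no midnight wrap handling
        if flags == "S":            # SYN without ACK: connection attempt or retransmit
            syn_times[(src, dst)].append(t)
        elif flags == "S.":         # SYN-ACK travels server -> client, so swap the pair
            answered.add((dst, src))
    report = {}
    for flow, times in syn_times.items():
        gaps = [round(b - a) for a, b in zip(times, times[1:])]
        doubling = len(gaps) >= 2 and all(b == 2 * a for a, b in zip(gaps, gaps[1:]))
        report[flow] = {"syns": len(times), "gaps_s": gaps,
                        "backoff": doubling, "syn_ack_seen": flow in answered}
    return report

if __name__ == "__main__":
    for flow, info in summarize(SAMPLE).items():
        print(flow, info)
```

On the capture from the post this reports seven SYNs with gaps of 1, 2, 4, 8, 16 and 32 seconds and no SYN-ACK: the client kernel is retransmitting with exponential backoff, and nothing matching the `host 201.17.10.12` filter comes back in that capture.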
