我在端口 8000 上运行 sshd,运行在新安装的普通 Linux Mint 17.2 Rafaela 上。
$ sudo netstat -tnlp | grep :8000
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN 839/sshd
tcp6 0 0 :::8000 :::* LISTEN 839/sshd
$
我可以从我的电脑通过 ssh 连接到本地主机上的自身。对于 也一样ssh -p 8000 127.0.0.1。
$ ssh -p 8000 localhost
The authenticity of host '[localhost]:8000 ([127.0.0.1]:8000)' can't be established.
ECDSA key fingerprint is 0d:bb:dd:87:b2:4a:72:3a:97:de:7d:2d:fe:52:05:6d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:8000' (ECDSA) to the list of known hosts.
mudd@localhost's password:
我已将路由器上的端口 8000 转发到我的 PC。我使用以下方法验证了这一点SSH服务器连接测试。它能够连接到我的电脑并检索 sshd 指纹。
Connected to myhost.duckdns.org:8000
Server fingerprint is 2EA4035592EF0D0BE8527A6849BE42D5
/var/log/auth.log 中的以下日志消息证实了这一点。
Sep 5 18:47:21 desktop sshd[4442]: Received disconnect from 50.116.26.68: 11: PECL/ssh2 (http://pecl.php.net/packages/ssh2) [preauth]
但如果我在 PC 上使用相同的主机名和端口,则无法连接。连接被拒绝时没有日志消息。
$ ssh -vvv -p 8000 myhost.duckdns.org
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to myhost.duckdns.org [111.222.333.444] port 8000.
debug1: connect to address 111.222.333.444 port 8000: Connection refused
ssh: connect to host myhost.duckdns.org port 8000: Connection refused
$
我没有运行UFW防火墙。
$ sudo ufw status
Status: inactive
$
以下是我的 ssh_conf 中的非注释行:
Port 8000
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
以下是我的 ssh_conf 中的非注释行:
Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
我sudo tcpdump port 8000在测试时运行并得到以下结果SSH服务器连接测试。
20:34:25.412135 IP li477-68.members.linode.com.50538 > 192.168.10.10.8000: Flags [S], seq 569792316, win 29200, options [mss 1460,sackOK,TS val 522115066 ecr 0,nop,wscale 7], length 0
20:34:25.412181 IP 192.168.10.10.8000 > li477-68.members.linode.com.50538: Flags [S.], seq 1436050940, ack 569792317, win 28960, options [mss 1460,sackOK,TS val 3115491 ecr 522115066,nop,wscale 7], length 0
20:34:25.464245 IP li477-68.members.linode.com.50538 > 192.168.10.10.8000: Flags [.], ack 1, win 229, options [nop,nop,TS val 522115082 ecr 3115491], length 0
20:34:25.464893 IP li477-68.members.linode.com.50538 > 192.168.10.10.8000: Flags [P.], seq 1:28, ack 1, win 229, options [nop,nop,TS val 522115082 ecr 3115491], length 27
20:34:25.464938 IP 192.168.10.10.8000 > li477-68.members.linode.com.50538: Flags [.], ack 28, win 227, options [nop,nop,TS val 3115504 ecr 522115082], length 0
20:34:25.488193 IP 192.168.10.10.8000 > li477-68.members.linode.com.50538: Flags [P.], seq 1:44, ack 28, win 227, options [nop,nop,TS val 3115510 ecr 522115082], length 43
20:34:25.489932 IP 192.168.10.10.8000 > li477-68.members.linode.com.50538: Flags [.], seq 44:1492, ack 28, win 227, options [nop,nop,TS val 3115511 ecr 522115082], length 1448
20:34:25.541411 IP li477-68.members.linode.com.50538 > 192.168.10.10.8000: Flags [.], ack 44, win 229, options [nop,nop,TS val 522115105 ecr 3115510], length 0
20:34:25.541481 IP 192.168.10.10.8000 > li477-68.members.linode.com.50538: Flags [P.], seq 1492:1692, ack 28, win 227, options [nop,nop,TS val 3115523 ecr 522115105], length 200
20:34:25.545375 IP li477-68.members.linode.com.50538 > 192.168.10.10.8000: Flags [P.], seq 28:676, ack 44, win 229, options [nop,nop,TS val 522115105 ecr 3115510], length 648
20:34:25.581765 IP 192.168.10.10.8000 > li477-68.members.linode.com.50538: Flags [.], ack 676, win 237, options [nop,nop,TS val 3115534 ecr 522115105], length 0
20:34:25.596528 IP li477-68.members.linode.com.50538 > 192.168.10.10.8000: Flags [.], ack 1692, win 274, options [nop,nop,TS val 522115122 ecr 3115511], length 0
20:34:25.635013 IP li477-68.members.linode.com.50538 > 192.168.10.10.8000: Flags [P.], seq 676:948, ack 1692, win 274, options [nop,nop,TS val 522115133 ecr 3115534], length 272
20:34:25.635043 IP 192.168.10.10.8000 > li477-68.members.linode.com.50538: Flags [.], ack 948, win 247, options [nop,nop,TS val 3115547 ecr 522115133], length 0
20:34:25.652925 IP 192.168.10.10.8000 > li477-68.members.linode.com.50538: Flags [P.], seq 1692:2540, ack 948, win 247, options [nop,nop,TS val 3115551 ecr 522115133], length 848
20:34:25.722014 IP li477-68.members.linode.com.50538 > 192.168.10.10.8000: Flags [P.], seq 948:964, ack 2540, win 296, options [nop,nop,TS val 522115159 ecr 3115551], length 16
20:34:25.761772 IP 192.168.10.10.8000 > li477-68.members.linode.com.50538: Flags [.], ack 964, win 247, options [nop,nop,TS val 3115579 ecr 522115159], length 0
20:34:25.814129 IP li477-68.members.linode.com.50538 > 192.168.10.10.8000: Flags [P.], seq 964:1016, ack 2540, win 296, options [nop,nop,TS val 522115187 ecr 3115579], length 52
20:34:25.814202 IP 192.168.10.10.8000 > li477-68.members.linode.com.50538: Flags [.], ack 1016, win 247, options [nop,nop,TS val 3115592 ecr 522115187], length 0
20:34:25.814396 IP 192.168.10.10.8000 > li477-68.members.linode.com.50538: Flags [P.], seq 2540:2592, ack 1016, win 247, options [nop,nop,TS val 3115592 ecr 522115187], length 52
20:34:25.868770 IP li477-68.members.linode.com.50538 > 192.168.10.10.8000: Flags [P.], seq 1016:1116, ack 2592, win 296, options [nop,nop,TS val 522115203 ecr 3115592], length 100
20:34:25.869212 IP li477-68.members.linode.com.50538 > 192.168.10.10.8000: Flags [F.], seq 1116, ack 2592, win 296, options [nop,nop,TS val 522115203 ecr 3115592], length 0
20:34:25.870699 IP 192.168.10.10.8000 > li477-68.members.linode.com.50538: Flags [F.], seq 2592, ack 1117, win 247, options [nop,nop,TS val 3115606 ecr 522115203], length 0
20:34:25.922969 IP li477-68.members.linode.com.50538 > 192.168.10.10.8000: Flags [.], ack 2593, win 296, options [nop,nop,TS val 522115220 ecr 3115606], length 0
这就是我跑步时得到的一切ssh -vvv -p 8000 myhost.duckdns.org。
20:36:38.940822 IP 192.168.10.10.35369 > fl-71-53-144-158.dhcp.embarqhsd.net.8000: Flags [S], seq 1068206726, win 29200, options [mss 1460,sackOK,TS val 3148873 ecr 0,nop,wscale 7], length 0
20:36:38.941219 IP fl-71-53-144-158.dhcp.embarqhsd.net.8000 > 192.168.10.10.35369: Flags [R.], seq 0, ack 1068206727, win 0, length 0
有什么建议么??
答案1
您将无法从作为 NAT 目标的主机连接到经过 NAT 处理的服务器名称。原因很简单,在这种情况下 NAT 破坏了 TCP/IP。只需浏览一下 TCP 级别发生的事情,您就会明白为什么它不应该工作:
- 从 192.168.10.10 您发送一个 SYN 数据包到 myhost.duckdns.org(外部 IP 地址)
- 该请求通过您的路由器并被 NAT 到 192.168.10.10:8000
- 192.168.10.10:8000 收到原始源 IP 为 192.168.10.10 的请求(因为进行 NAT 的路由器仅重写了目的地)
- 192.168.10.10:8000 回复 192.168.10.10(请求者)
- 请求者将忽略来自 192.168.10.10:8000 的响应,因为它期待来自 myhost.duckdns.org(外部 IP 地址)的响应
简而言之,这就是这种行为背后的原因。可能的解决方案之一是在路由器上定义一个伪装规则,以确保如果内部网络中的某人尝试与 NAT 端口通信,他们将在两个方向上通过路由器。另一种选择是在本地 /etc/hosts 中使用 127.0.0.1 定义 myhost.duckdns.org。