I just created a new "SSH key with passphrase" on my AWS EC2 instance for access to a private GitHub repository. I can now clone my repository fine. But then the problem started: I cannot reach anything over https any more. It says connection refused. Even sudo apt-get update stopped working, and my code can no longer reach AWS S3 resources either. It gives me the same kind of error.
Can someone suggest how I can fix this?
I get an error when testing an https site (not sure whether this is the right way to test it):
ubuntu@ip-10-0-1-126:~$ curl -k https://www.facebook.com/
curl: (7) Failed to connect to www.facebook.com port 443: Connection refused
Another error appears when I try to install a golang package.
ubuntu@ip-10-0-1-126:~$ go get -u -v github.com/Jeffail/tunny
github.com/Jeffail/tunny (download)
cd /home/ubuntu/go/src/github.com/Jeffail/tunny
git pull --ff-only fatal: unable to access 'https://github.com/Jeffail/tunny/': Failed to connect to github.com port 443: Connection refused
package github.com/Jeffail/tunny: exit status 1
ubuntu@ip-10-0-1-126:~$ go get -v gopkg.in/yaml.v2
Fetching https://gopkg.in/yaml.v2?go-get=1 https fetch failed:
Get https://gopkg.in/yaml.v2?go-get=1: dial tcp 35.196.143.184:443: connect: connection refused package gopkg.in/yaml.v2: unrecognized import path "gopkg.in/yaml.v2" (https fetch: Get https://gopkg.in/yaml.v2?go-get=1: dial tcp 35.196.143.184:443: connect: connection refused)
Output of my sudo apt-get update command:
ubuntu@ip-10-0-1-126:~$ sudo apt-get update
Err:1 http://security.ubuntu.com/ubuntu bionic-security InRelease Could not connect to security.ubuntu.com:80 (91.189.88.149). - connect (111: Connection refused)
Cannot initiate the connection to security.ubuntu.com:80 (2001:67c:1562::19). - connect (101: Network is unreachable) Could not connect to security.ubuntu.com:80 (91.189.91.26). - connect (111: Connection refused)
...
W: Failed to fetch http://ap-south-1.ec2.archive.ubuntu.com/ubuntu/dists/bionic-updates/InRelease
Unable to connect to ap-south-1.ec2.archive.ubuntu.com
...
Answer 1
It looks like you have either:
a local firewall (iptables) that blocks outbound traffic to HTTPS. Run iptables -L OUTPUT to see which rules you have.
or a Security Group on your instance that blocks outbound HTTPS access. Check it in the AWS console.
Unless you changed something else at the same time, adding an SSH key to your instance would not have this effect.
Hope that helps :)
Answer 2
As per the comments: your PREROUTING rule must exclude local traffic, i.e.
iptables -t nat -A PREROUTING -p tcp ! --source 10.0.1.0/24 --dport 80 -j DNAT --to-destination 10.0.1.126:80
The negated source (! --source 10.0.1.0/24) ensures the rule is only evaluated for traffic coming from outside, not for traffic originating inside the VPC.
Hope that helps :)
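To make the two checks from the answers mechanical, here is an added example (not code from either answer) that lints iptables-save output for an OUTPUT rule rejecting egress to port 80/443 and a PREROUTING DNAT rule without a `! -s` source exclusion. The sample ruleset is constructed, not captured from the asker's instance.

```python
import shlex

# Constructed sample: the Answer 2 rule without and with the '! -s'
# exclusion, plus a filter rule that rejects outbound 443 (the symptom
# in the question). iptables-save renders '! --source' as '! -s'.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.1.126:80
-A PREROUTING ! -s 10.0.1.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.1.126:80
COMMIT
*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Yield (table, chain, tokens) for every '-A' line; '*name' sets the table."""
    table = None
    for line in text.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            yield table, tokens[1], tokens

def option(tokens, *names):
    """Return the value following the first of *names present, else None."""
    for n in names:
        if n in tokens:
            return tokens[tokens.index(n) + 1]
    return None

def has_source_exclusion(tokens):
    """True when the rule negates its source match, e.g. '! -s 10.0.1.0/24'."""
    return any(tokens[i] == "!" and tokens[i + 1] in ("-s", "--source")
               for i in range(len(tokens) - 1))

def find_problems(text):
    """Return one finding per rule matching either answer's diagnosis."""
    problems = []
    for table, chain, tokens in parse_rules(text):
        port, target = option(tokens, "--dport"), option(tokens, "-j")
        if table == "filter" and chain == "OUTPUT" and target in ("DROP", "REJECT") and port in ("80", "443"):
            problems.append(f"OUTPUT blocks egress to port {port}: {' '.join(tokens)}")
        elif table == "nat" and chain == "PREROUTING" and target == "DNAT" and not has_source_exclusion(tokens):
            problems.append(f"PREROUTING DNAT to port {port} lacks a '! -s' exclusion: {' '.join(tokens)}")
    return problems
```

Feed it the real output of `sudo iptables-save` to see which rule is responsible before touching the Security Group.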