I'm running into a problem where xRDP does not respond to any RDP request sent to a VM instance running in OCP under Ubuntu Server 20.04 with the GNOME GUI installed (via sudo tasksel install ubuntu-desktop). UFW on the instance is "inactive", and the VCN security list is configured to allow all ports from my NAT IP.
The instance does receive packets destined for port 3389, as the following capture taken on the OCP instance shows:
ubuntu@hitc-lab-vm1:~$ sudo tcpdump -nn -i ens3 port 3389
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
03:01:34.578853 IP <omitted>.56726 > 172.20.1.2.3389: Flags [S], seq 972912567, win 64240, options [mss 1460,nop,nop,sackOK], length 0
03:01:35.579071 IP <omitted>.56726 > 172.20.1.2.3389: Flags [S], seq 972912567, win 64240, options [mss 1460,nop,nop,sackOK], length 0
03:01:37.579039 IP <omitted>.56726 > 172.20.1.2.3389: Flags [S], seq 972912567, win 64240, options [mss 1460,nop,nop,sackOK], length 0
^C
3 packets captured
3 packets received by filter
0 packets dropped by kernel
If I cat /var/log/xrdp.log, I see nothing about any session request, even though the packets have reached the server:
ubuntu@hitc-lab-vm1:~$ sudo cat /var/log/xrdp.log
[20200922-02:39:22] [INFO ] address [0.0.0.0] port [3389] mode 1
[20200922-02:39:22] [INFO ] listening to port 3389 on 0.0.0.0
[20200922-02:39:22] [INFO ] xrdp_listen_pp done
[20200922-02:39:22] [DEBUG] Closed socket 7 (AF_INET6 :: port 3389)
[20200922-02:39:24] [INFO ] starting xrdp with pid 2426
[20200922-02:39:24] [INFO ] address [0.0.0.0] port [3389] mode 1
[20200922-02:39:24] [INFO ] listening to port 3389 on 0.0.0.0
[20200922-02:39:24] [INFO ] xrdp_listen_pp done
[20200922-02:40:03] [DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
[20200922-02:40:03] [INFO ] address [0.0.0.0] port [3389] mode 1
[20200922-02:40:03] [INFO ] listening to port 3389 on 0.0.0.0
[20200922-02:40:03] [INFO ] xrdp_listen_pp done
[20200922-02:40:03] [DEBUG] Closed socket 7 (AF_INET6 :: port 3389)
[20200922-02:40:05] [INFO ] starting xrdp with pid 2687
[20200922-02:40:05] [INFO ] address [0.0.0.0] port [3389] mode 1
[20200922-02:40:05] [INFO ] listening to port 3389 on 0.0.0.0
[20200922-02:40:05] [INFO ] xrdp_listen_pp done
The xrdp-sesman log shows a very similar picture, except that the sesman process's port is bound to localhost:
ubuntu@hitc-lab-vm1:~$ sudo cat /var/log/xrdp-sesman.log
[20200922-02:39:22] [DEBUG] libscp initialized
[20200922-02:39:22] [DEBUG] Testing if xrdp-sesman can listen on 127.0.0.1 port 3350.
[20200922-02:39:22] [DEBUG] Closed socket 5 (AF_INET6 ::1 port 3350)
[20200922-02:39:22] [INFO ] starting xrdp-sesman with pid 2416
[20200922-02:39:22] [INFO ] listening to port 3350 on 127.0.0.1
[20200922-02:40:03] [INFO ] shutting down sesman 1
[20200922-02:40:03] [DEBUG] Closed socket 7 (AF_INET6 ::1 port 3350)
[20200922-02:40:03] [DEBUG] libscp initialized
[20200922-02:40:03] [DEBUG] Testing if xrdp-sesman can listen on 127.0.0.1 port 3350.
[20200922-02:40:03] [DEBUG] Closed socket 5 (AF_INET6 ::1 port 3350)
[20200922-02:40:03] [INFO ] starting xrdp-sesman with pid 2666
[20200922-02:40:03] [INFO ] listening to port 3350 on 127.0.0.1
If I spin up an Ubuntu Server 20.04 VM in VMware, install ubuntu-desktop via tasksel, and then install xrdp, everything works as expected. Any help is greatly appreciated.
Answer 1
I opened a ticket with Oracle Support to look into this and received the following reply:
The images provided by Oracle come preconfigured with firewall rules that allow the instance to make outgoing connections to the instance's boot volume and block volumes. For more information, see Essential Firewall Rules. UFW may remove these rules, so that during a reboot the instance cannot connect to the boot and block volumes.
To modify or add new firewall rules, update the /etc/iptables/rules.v4 file. Modifications made to the firewall rules there take effect after a reboot.
Next, I reconfigured the custom OCP /etc/iptables/rules.v4 file to allow all connections in and out of the instance and let the VCN security list do its job:
-A INPUT -j ACCEPT -m comment --comment "Accept all incoming"
-A OUTPUT -j ACCEPT -m comment --comment "Accept all outgoing"
Connections now work as expected. Connections to the instance are now protected by the security list rather than IPTABLES.
Since this is a lab environment, the rules above are enough to allow inbound connections. In a production environment I would use rules to whitelist the IPs and the inbound ports in use. Still, I'm not fond of configuring 2 firewalls for the same traffic...
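Added example, not code from the question or from Oracle's reply: a POSIX shell script that turns a lab-style rules.v4 carrying the "Accept all incoming" rule into the production variant the answer describes, admitting new connections to port 3389 only from an allowlisted admin CIDR. The sample rules file and the CIDR 203.0.113.7/32 are constructed assumptions; the rule set Oracle's image ships with is not reproduced.

```shell
#!/bin/sh
# Added example: rewrite a lab-style rules.v4 that accepts all inbound traffic
# into one that admits RDP (3389) only from an allowlisted admin CIDR.
# The sample file is constructed; the rules Oracle's image ships are not reproduced.

# Write a constructed rules.v4 carrying the lab "Accept all incoming" rule to $1.
write_lab_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -j ACCEPT -m comment --comment "Accept all incoming"
-A OUTPUT -j ACCEPT -m comment --comment "Accept all outgoing"
COMMIT
EOF
}

# Return 0 if file $1 still carries an unconditional INPUT accept.
has_blanket_accept() {
    grep -qE '^-A INPUT -j ACCEPT( |$)' "$1"
}

# Print the scoped rule: new TCP connections to 3389 only from CIDR $1.
rdp_rule() {
    printf '%s\n' "-A INPUT -s $1 -p tcp -m tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT -m comment --comment \"RDP from admin NAT IP\""
}

# harden_rules IN CIDR OUT: drop the blanket accept, keep established flows and
# loopback, admit 3389 from CIDR, and reject everything else before COMMIT.
harden_rules() {
    rule=$(rdp_rule "$2")
    awk -v rule="$rule" '
        /^-A INPUT -j ACCEPT( |$)/ { next }
        /^COMMIT$/ {
            print "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
            print "-A INPUT -i lo -j ACCEPT"
            print rule
            print "-A INPUT -j REJECT --reject-with icmp-host-prohibited"
        }
        { print }' "$1" > "$3"
}

# Return 0 if file $1 admits 3389 only from CIDR $2 and ends INPUT with a reject.
check_hardened() {
    grep -qE "^-A INPUT -s $2 .*--dport 3389 .*-j ACCEPT" "$1" &&
    grep -q '^-A INPUT -j REJECT' "$1" &&
    ! has_blanket_accept "$1"
}
```

Run harden_rules against a copy of the file, inspect the output, and only then load it with iptables-restore; on the lab box the same blanket-accept check is a quick way to confirm whether rules.v4 is still in its open state.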