Ubuntu: unable to communicate between two servers

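I have 3 servers:

  • Server #1 runs a MongoDB database, among other things
  • Server #2 runs some applications that connect to server #1's mongodb, and everything works fine
  • Server #3 is a new server where more applications will connect to server #1's mongodb

My problem is with server #3: I am trying to get the applications to connect to server #1's mongo, without success. I have been looking at server #2 for reference and trying to replicate its configuration, but somehow I seem to be missing something.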

At first I noticed the firewall was up and was not even allowing incoming HTTP traffic, so I disabled UFW:

sudo ufw disable
sudo ufw status verbose

Status: inactive

Then I noticed there was no route to reach server #1, whose LAN IP is 10.100.116.65, because I could not ping it:

sudo route -n

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         [GATEWAY-IP]    0.0.0.0         UG    0      0        0 enp1s0f0
[SERVER-IP]     0.0.0.0         255.255.255.248 U     0      0        0 enp1s0f0

I tried to add a route, but the device was "not up":

sudo ip route add 10.100.116.0/24 via 0.0.0.0 dev enp1s0f1
Error: Device for nexthop is not up.

So I checked:

ip link show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 0c:c4:7a:18:64:58 brd ff:ff:ff:ff:ff:ff
3: enp1s0f1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:c4:7a:18:64:59 brd ff:ff:ff:ff:ff:ff

Then I brought it up:

sudo ifconfig enp1s0f1 up

ip link show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 0c:c4:7a:18:64:58 brd ff:ff:ff:ff:ff:ff
3: enp1s0f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 0c:c4:7a:18:64:59 brd ff:ff:ff:ff:ff:ff

Now that it was up, I added a route to reach server #1:

sudo ip route add 10.100.116.0/24 via 0.0.0.0 dev enp1s0f1

sudo route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         [GATEWAY-IP]    0.0.0.0         UG    0      0        0 enp1s0f0
10.100.116.0    0.0.0.0         255.255.255.0   U     0      0        0 enp1s0f1
[SERVER-IP]     0.0.0.0         255.255.255.248 U     0      0        0 enp1s0f0

But I still could not ping server #1:

ping 10.100.116.65

PING 10.100.116.65 (10.100.116.65) 56(84) bytes of data.
From X.X.X.X icmp_seq=1 Destination Host Unreachable
From X.X.X.X icmp_seq=2 Destination Host Unreachable
From X.X.X.X icmp_seq=3 Destination Host Unreachable
From X.X.X.X icmp_seq=4 Destination Host Unreachable
^C
--- 10.100.116.65 ping statistics ---
6 packets transmitted, 0 received, +4 errors, 100% packet loss, time 5102ms

I kept comparing server #2's configuration with server #3's and found that server #3 had no LAN IP assigned on enp1s0f1:

 ifconfig
enp1s0f0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet X.X.X.X  netmask 255.255.255.248  broadcast X.X.X.X
        inet6 fe80::ec4:7aff:fe18:6458  prefixlen 64  scopeid 0x20<link>
        ether 0c:c4:7a:18:64:58  txqueuelen 1000  (Ethernet)
        RX packets 7470666  bytes 2108978738 (2.1 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8563092  bytes 6460993288 (6.4 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0xe0000000-e007ffff  

enp1s0f1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::ec4:7aff:fe18:6459  prefixlen 64  scopeid 0x20<link>
        ether 0c:c4:7a:18:64:59  txqueuelen 1000  (Ethernet)
        RX packets 125640  bytes 25067378 (25.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1630  bytes 92016 (92.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0xe0080000-e00fffff  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4317856  bytes 524128762 (524.1 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4317856  bytes 524128762 (524.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

So I added one in the netplan file:

sudo pico /etc/netplan/01-netcfg.yaml 

network:
  version: 2
  renderer: networkd
  ethernets:
   id0:
      match:
        macaddress: 0c:c4:7a:18:64:58
      addresses: [X.X.X.X/29]
      gateway4: X.X.X.X
      nameservers:
        addresses: [8.8.8.8,8.8.4.4]

   # i added these 2 lines
   enp1s0f1:
      addresses: [ 10.100.116.62/24 ]

Then I saved it, applied it with sudo netplan apply, and confirmed with ifconfig:

ifconfig
enp1s0f0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet X.X.X.X  netmask 255.255.255.248  broadcast X.X.X.X
        inet6 fe80::ec4:7aff:fe18:6458  prefixlen 64  scopeid 0x20<link>
        ether 0c:c4:7a:18:64:58  txqueuelen 1000  (Ethernet)
        RX packets 7471402  bytes 2109059743 (2.1 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8563748  bytes 6461111312 (6.4 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0xe0000000-e007ffff  

enp1s0f1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.100.116.62  netmask 255.255.255.0  broadcast 10.100.116.255
        inet6 fe80::ec4:7aff:fe18:6459  prefixlen 64  scopeid 0x20<link>
        ether 0c:c4:7a:18:64:59  txqueuelen 1000  (Ethernet)
        RX packets 149491  bytes 29787304 (29.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1975  bytes 111102 (111.1 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device memory 0xe0080000-e00fffff  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4331691  bytes 525564926 (525.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4331691  bytes 525564926 (525.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Finally some success: I can now ping server #1:

ping 10.100.116.65

PING 10.100.116.65 (10.100.116.65) 56(84) bytes of data.
64 bytes from 10.100.116.65: icmp_seq=1 ttl=64 time=0.094 ms
64 bytes from 10.100.116.65: icmp_seq=2 ttl=64 time=0.254 ms
64 bytes from 10.100.116.65: icmp_seq=3 ttl=64 time=0.221 ms
64 bytes from 10.100.116.65: icmp_seq=4 ttl=64 time=0.245 ms
64 bytes from 10.100.116.65: icmp_seq=5 ttl=64 time=0.248 ms
^C
--- 10.100.116.65 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4096ms
rtt min/avg/max/mdev = 0.094/0.212/0.254/0.061 ms

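However, after restarting the application, it throws an error when trying to connect to server #1's mongo, complaining that there is no route to host: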

MONGODB | Error checking 10.100.116.65:27017: Mongo::Error::SocketError: Errno::EHOSTUNREACH: No route to host - connect(2) for 10.100.116.65:27017 (for 10.100.116.65:27017 (no TLS)) (on 10.100.116.65:27017)

I even rebooted the server just in case, but that did not help.

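I am a developer, so I am a bit out of my depth with all of this and may have missed something obvious, but I do not know what. Can someone shed some light on this?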

Edit

I also looked at iptables on server #1; it has a rule that accepts traffic from server #2, so I added the same rule for server #3:

sudo iptables -A INPUT -s 10.100.116.62/32 -m comment --comment server3 -j ACCEPT

I also added a rule to server #3's iptables to accept traffic from server #1:

sudo iptables -A INPUT -s 10.100.116.65/32 -m comment --comment server1 -j ACCEPT

But I still get the same error.

Answer 1

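OK, I finally figured it out. It turns out the order of iptables rules matters, and the last rule blocks all traffic. So when I added the rule on server #1 to accept incoming traffic from server #3, I used -A, which appends the rule to the end of the list. Instead, I had to delete it and add it again using -I, which inserts it before the last rule that blocks all traffic. After that it worked.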
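
The ordering problem described in this answer, as an added example that is not part of the original post: a check that reads `iptables -S INPUT` style output and reports rules that sit after an unconditional DROP/REJECT and therefore can never match. The rule listing is constructed; only the server3 rule is taken from the question, and the server #2 address and the form of the catch-all rule are assumptions.

```shell
#!/bin/sh
# Constructed sample of `iptables -S INPUT` output for server #1 after the
# server3 rule was appended with -A. Only the server3 rule comes from the post;
# the other rules and the server #2 address (10.100.116.63) are assumptions.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.100.116.63/32 -m comment --comment server2 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -s 10.100.116.62/32 -m comment --comment server3 -j ACCEPT'

# Print the 1-based rule number of the first unconditional DROP/REJECT.
# A rule with no match options has "-j" directly after the chain name.
catch_all_position() {
    awk '$1 == "-A" && $2 == "INPUT" {
        n++
        if (!found && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) {
            found = 1; print n
        }
    }'
}

# Print every rule that sits after the catch-all and so can never match.
shadowed_rules() {
    awk '$1 == "-A" && $2 == "INPUT" {
        n++
        if (blocked) { print n ": " $0; next }
        if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) blocked = 1
    }'
}

# Text-only model of the fix: keep every rule but move the catch-all last,
# which is the ordering that delete + `-I` before the catch-all produces.
fix_order() {
    awk '{ line[NR] = $0 }
        !cut && $1 == "-A" && $2 == "INPUT" && $3 == "-j" &&
            ($4 == "DROP" || $4 == "REJECT") { cut = NR }
        END {
            for (i = 1; i <= NR; i++) if (i != cut) print line[i]
            if (cut) print line[cut]
        }'
}

echo "catch-all is rule $(printf '%s\n' "$SAMPLE_RULES" | catch_all_position)"
echo "shadowed rules:"
printf '%s\n' "$SAMPLE_RULES" | shadowed_rules
echo "shadowed after reordering:"
printf '%s\n' "$SAMPLE_RULES" | fix_order | shadowed_rules
```

On a live host, `sudo iptables -L INPUT -n --line-numbers` shows the rule numbers, and `iptables -I INPUT <n> ...` inserts a rule at position n so that it is evaluated before the catch-all.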