我遇到了一个问题:一个用户无法访问一台 Ubuntu 22.04 Web 服务器(他收到 ERR_CONNECTION_RESET),看起来是防火墙阻止了他的连接。但是他可以访问同一网络上的另一台服务器,而该服务器的防火墙配置几乎相同。
我们没有收到其他类似问题的报告。未安装 Fail2ban。未配置 IP 特定规则。
有人能建议我下一步应该从哪里着手排查吗?
这是来自 ufw 日志的一个示例块:
Aug 22 12:38:45 docs kernel: [4546186.725262] [UFW BLOCK] IN=eth0 OUT= MAC=52:54:00:5c:a4:04:02:00:00:00:00:01:86:dd SRC=2a01:cb06:b871:e0e0:0000:0010:1e4a:c601 DST=2a00:1098:00a4:0000:0000:0000:0000:0001 LEN=60 TC=0 HOPLIMIT=48 FLOWLBL=0 PROTO=TCP SPT=49424 DPT=443 WINDOW=0 RES=0x00 ACK RST URGP=0
在他无法访问的那台服务器上,ufw 的配置如下:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip
To Action From
-- ------ ----
22/tcp ALLOW IN Anywhere
80 ALLOW IN Anywhere
443 ALLOW IN Anywhere
22/tcp (v6) ALLOW IN Anywhere (v6)
80 (v6) ALLOW IN Anywhere (v6)
443 (v6) ALLOW IN Anywhere (v6)
而在他能够访问的那台服务器上,ufw 的配置几乎相同:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22 LIMIT IN Anywhere
80 ALLOW IN Anywhere
443 ALLOW IN Anywhere
22 (v6) LIMIT IN Anywhere (v6)
80 (v6) ALLOW IN Anywhere (v6)
443 (v6) ALLOW IN Anywhere (v6)
以下是问题服务器上 ip6tables 的输出,希望对排查有帮助:
Chain INPUT (policy DROP 3781 packets, 243K bytes)
num pkts bytes target prot opt in out source destination
1 817K 752M ufw6-before-logging-input all * * ::/0 ::/0
2 817K 752M ufw6-before-input all * * ::/0 ::/0
3 3815 245K ufw6-after-input all * * ::/0 ::/0
4 3781 243K ufw6-after-logging-input all * * ::/0 ::/0
5 3781 243K ufw6-reject-input all * * ::/0 ::/0
6 3781 243K ufw6-track-input all * * ::/0 ::/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ufw6-before-logging-forward all * * ::/0 ::/0
2 0 0 ufw6-before-forward all * * ::/0 ::/0
3 0 0 ufw6-after-forward all * * ::/0 ::/0
4 0 0 ufw6-after-logging-forward all * * ::/0 ::/0
5 0 0 ufw6-reject-forward all * * ::/0 ::/0
6 0 0 ufw6-track-forward all * * ::/0 ::/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 48140 8890K ufw6-before-logging-output all * * ::/0 ::/0
2 48140 8890K ufw6-before-output all * * ::/0 ::/0
3 5920 553K ufw6-after-output all * * ::/0 ::/0
4 5920 553K ufw6-after-logging-output all * * ::/0 ::/0
5 5920 553K ufw6-reject-output all * * ::/0 ::/0
6 5920 553K ufw6-track-output all * * ::/0 ::/0
Chain ufw6-after-forward (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-after-input (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ufw6-skip-to-policy-input udp * * ::/0 ::/0 udp dpt:137
2 0 0 ufw6-skip-to-policy-input udp * * ::/0 ::/0 udp dpt:138
3 17 1088 ufw6-skip-to-policy-input tcp * * ::/0 ::/0 tcp dpt:139
4 17 1088 ufw6-skip-to-policy-input tcp * * ::/0 ::/0 tcp dpt:445
5 0 0 ufw6-skip-to-policy-input udp * * ::/0 ::/0 udp dpt:546
6 0 0 ufw6-skip-to-policy-input udp * * ::/0 ::/0 udp dpt:547
Chain ufw6-after-logging-forward (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw6-after-logging-input (1 references)
num pkts bytes target prot opt in out source destination
1 60 4000 LOG all * * ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw6-after-logging-output (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-after-output (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-before-forward (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all * * ::/0 ::/0 rt type:0
2 0 0 ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
3 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1
4 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2
5 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3
6 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4
7 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
8 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129
9 0 0 ufw6-user-forward all * * ::/0 ::/0
Chain ufw6-before-input (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all lo * ::/0 ::/0
2 0 0 DROP all * * ::/0 ::/0 rt type:0
3 95480 712M ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
4 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129
5 106 6468 ufw6-logging-deny all * * ::/0 ::/0 ctstate INVALID
6 106 6468 DROP all * * ::/0 ::/0 ctstate INVALID
7 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1
8 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2
9 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3
10 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4
11 11 620 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
12 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 133 HL match HL == 255
13 706K 40M ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 134 HL match HL == 255
14 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 135 HL match HL == 255
15 4338 278K ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 136 HL match HL == 255
16 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 141 HL match HL == 255
17 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 142 HL match HL == 255
18 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 130
19 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 131
20 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 132
21 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 143
22 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 148 HL match HL == 255
23 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 149 HL match HL == 255
24 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 151 HL match HL == 1
25 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 152 HL match HL == 1
26 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 153 HL match HL == 1
27 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 144
28 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 145
29 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 146
30 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 147
31 0 0 ACCEPT udp * * fe80::/10 fe80::/10 udp spt:547 dpt:546
32 0 0 ACCEPT udp * * ::/0 ff02::fb udp dpt:5353
33 0 0 ACCEPT udp * * ::/0 ff02::f udp dpt:1900
34 10411 723K ufw6-user-input all * * ::/0 ::/0
Chain ufw6-before-logging-forward (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-before-logging-input (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-before-logging-output (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-before-output (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all * lo ::/0 ::/0
2 0 0 DROP all * * ::/0 ::/0 rt type:0
3 37882 8025K ACCEPT all * * ::/0 ::/0 ctstate RELATED,ESTABLISHED
4 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 1
5 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 2
6 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 3
7 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 4
8 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 128
9 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 129
10 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 133 HL match HL == 255
11 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 136 HL match HL == 255
12 4338 312K ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 135 HL match HL == 255
13 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 134 HL match HL == 255
14 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 141 HL match HL == 255
15 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 142 HL match HL == 255
16 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 130
17 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 131
18 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 132
19 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 143
20 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 148 HL match HL == 255
21 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmptype 149 HL match HL == 255
22 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 151 HL match HL == 1
23 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 152 HL match HL == 1
24 0 0 ACCEPT icmpv6 * * fe80::/10 ::/0 ipv6-icmptype 153 HL match HL == 1
25 5920 553K ufw6-user-output all * * ::/0 ::/0
Chain ufw6-logging-allow (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "
Chain ufw6-logging-deny (1 references)
num pkts bytes target prot opt in out source destination
1 35 2100 RETURN all * * ::/0 ::/0 ctstate INVALID limit: avg 3/min burst 10
2 5 300 LOG all * * ::/0 ::/0 limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "
Chain ufw6-reject-forward (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-reject-input (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-reject-output (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-skip-to-policy-forward (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 DROP all * * ::/0 ::/0
Chain ufw6-skip-to-policy-input (6 references)
num pkts bytes target prot opt in out source destination
1 34 2176 DROP all * * ::/0 ::/0
Chain ufw6-skip-to-policy-output (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all * * ::/0 ::/0
Chain ufw6-track-forward (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-track-input (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-track-output (1 references)
num pkts bytes target prot opt in out source destination
1 563 45040 ACCEPT tcp * * ::/0 ::/0 ctstate NEW
2 5357 507K ACCEPT udp * * ::/0 ::/0 ctstate NEW
Chain ufw6-user-forward (1 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-user-input (1 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:22
2 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:80
3 0 0 ACCEPT udp * * ::/0 ::/0 udp dpt:80
4 146 10840 ACCEPT tcp * * ::/0 ::/0 tcp dpt:443
5 0 0 ACCEPT udp * * ::/0 ::/0 udp dpt:443
Chain ufw6-user-limit (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
2 0 0 REJECT all * * ::/0 ::/0 reject-with icmp6-port-unreachable
Chain ufw6-user-limit-accept (0 references)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all * * ::/0 ::/0
Chain ufw6-user-logging-forward (0 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-user-logging-input (0 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-user-logging-output (0 references)
num pkts bytes target prot opt in out source destination
Chain ufw6-user-output (1 references)
num pkts bytes target prot opt in out source destination