Hoping your collective wisdom can help me...
tl;dr - an Ubuntu server appears to have several ports open, but the outside (LAN) world can't see any of them - what on earth is going on?
Longer version:
I have a headless 17.04 server that I want to connect to using VNC, but I'm currently having trouble. I'm using two clients, both Windows 10, one running RealVNC and one running TightVNC.
I have set up TightVNC server on my Ubuntu box, mostly following these instructions: https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-16-04, intending to run Xfce as the desktop:
$ sudo apt install xfce4 xfce4-goodies tightvncserver
I have changed the xstartup file to:
#!/bin/bash
xrdb $HOME/.Xresources
startxfce4 &
and made it executable.
If I start the server with tightvncserver
I get:
New 'X' desktop is numbersix:1
Starting applications specified in /home/adam/.vnc/xstartup
Log file is /home/adam/.vnc/numbersix:1.log
nmap localhost
gives:
Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-09 21:05 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000076s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 986 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
5901/tcp open vnc-1
6001/tcp open X11:1
8000/tcp open http-alt
8001/tcp open vcom-tunnel
8010/tcp open xmpp
8080/tcp open http-proxy
9091/tcp open xmltec-xmlmail
nmap 192.168.1.6
gives the same result.
I set the server up as a systemd service - created with the following as /etc/systemd/system/vncserver@.service:
[Unit]
Description=Start TightVNC server at startup
After=syslog.target network.target

[Service]
Type=forking
User=adam
PAMName=login
PIDFile=/home/adam/.vnc/%H:%i.pid
# systemd does not run Exec lines through a shell, so a trailing "> /dev/null 2>&1"
# is handed to vncserver as literal arguments rather than redirecting its output;
# the leading "-" is what tells systemd to ignore a failure of this step.
ExecStartPre=-/usr/bin/vncserver -kill :%i
ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i
ExecStop=/usr/bin/vncserver -kill :%i

[Install]
WantedBy=multi-user.target
and then started the service:
$ sudo systemctl daemon-reload
$ sudo systemctl enable vncserver@1.service
$ sudo systemctl start vncserver@1
Everything seems to work. sudo systemctl status vncserver@1
gives:
● vncserver@1.service - Start TightVNC server at startup
Loaded: loaded (/etc/systemd/system/vncserver@.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2017-11-09 21:38:13 GMT; 6s ago
Process: 3924 ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :1 (code=exited, status=0/SUCCESS)
Process: 3916 ExecStartPre=/usr/bin/vncserver -kill :1 > /dev/null 2>&1 (code=exited, status=2)
Main PID: 3937 (Xtightvnc)
Tasks: 0 (limit: 4915)
CGroup: /system.slice/system-vncserver.slice/vncserver@1.service
‣ 3937 Xtightvnc :1 -desktop X -auth /home/adam/.Xauthority -geometry
1280x800 -depth 24 -rfbwait 120000 -rfbauth /h
Nov 09 21:38:12 numbersix systemd[1]: Starting Start TightVNC server at startup...
Nov 09 21:38:12 numbersix systemd[3916]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:12 numbersix systemd[3924]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:13 numbersix systemd[1]: Started Start TightVNC server at startup.
telnet localhost 5901
seems to connect fine:
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
RFB 003.008
and sudo netstat -nlpt | grep :59
gives:
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN 3937/Xtightvnc
However, telnet numbersix 5901 or telnet 192.168.1.6 5901 (on Windows) fails:
Could not open connection to the host, on port 5901: Connect failed
Both RealVNC and TightVNC fail to connect (using hostname or IP). Ping works from both Windows hosts using IP or hostname. I also cannot connect from an Ubuntu laptop. Again, ping works. I can ssh without any problem.
sudo nmap numbersix
from the Ubuntu laptop gives:
Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-10 12:50 GMT
Nmap scan report for numbersix (192.168.1.6)
Host is up (0.0032s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
8000/tcp open http-alt
8001/tcp open vcom-tunnel
MAC Address: 60:45:CB:64:2B:C8 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds
sudo iptables -L
on the server shows the INPUT, FORWARD and OUTPUT chains as follows:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
ACCEPT all -- 192.168.122.0/24 anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
OUTPUT_direct all -- anywhere anywhere
So I think this shows that iptables isn't blocking anything......
Can anyone help me diagnose the problem?
Answer 1
The answer lay in my failure to understand iptables - in particular, the meaning of the output of sudo iptables -L
......
When I ran sudo iptables -S
, I saw a more detailed description of each rule, and it was clear that there was no suitable INPUT rule allowing tcp traffic on 5901 (or any of the other ports I was looking at) through. The final INPUT rule (which essentially rejects all traffic that hasn't matched a rule) then caught and rejected that traffic. The rule I thought should accept it only applied to traffic on the lo
(loopback) interface.
I ran this:
sudo iptables -I INPUT 7 -s 192.168.1.0/24 -i enp37s0 -j ACCEPT
which basically inserts a rule at position 7 in the INPUT chain and tells it to accept any traffic from the 192.168.1.0/24 subnet arriving on the ethernet interface.
The next challenge is getting iptables-persistent to actually work across reboots!!
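To see why the loopback test succeeded while every LAN client was rejected, and what the rule in the answer actually opens, here is an added example (not code from the original question or answer) that replays iptables' first-match walk of the INPUT chain over a constructed `iptables -S INPUT` listing modelled on the question's `iptables -L` output. The `-i lo` restriction on the sixth rule (which plain `-L` printed as "ACCEPT all -- anywhere anywhere"), the interface name enp37s0 from the answer, and the LAN client address 192.168.1.10 are assumptions; the empty-looking user chains (INPUT_direct, INPUT_ZONES, ...) are treated as returning without a match. It also compares the answer's accept-everything-from-the-LAN rule with a rule narrowed to TCP port 5901.

```shell
#!/bin/sh
# Added example: not code from the original question or answer.
# Replays iptables' first-match evaluation of the INPUT chain to show why 127.0.0.1:5901
# answered while every LAN client hit the final REJECT.
#
# INPUT_RULES is a constructed `sudo iptables -S INPUT` listing modelled on the question's
# `iptables -L` output. Assumption: the sixth rule (shown by -L as "ACCEPT all -- anywhere
# anywhere") carries "-i lo", which is what the answer found and what plain -L hides.
INPUT_RULES='-P INPUT ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# verdict IFACE SRC PROTO DPORT: read `-S` style rules from stdin, model the first packet
# of a new inbound TCP connection (conntrack state NEW) and print the first terminal
# target that matches, followed by the rule text. Jumps into user-defined chains
# (INPUT_direct, INPUT_ZONES, ...) are treated as returning without a match, so the
# walk continues with the next rule, as it did on the question's host.
verdict() {
  awk -v iface="$1" -v src="$2" -v proto="$3" -v dport="$4" '
    function ip2n(ip,  o) { split(ip, o, "."); return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4] }
    # in_net: does address ip fall inside cidr (a bare address means /32)?
    function in_net(ip, cidr,  p, host_bits) {
      split(cidr, p, "/"); host_bits = (p[2] == "") ? 0 : 32 - p[2]
      return int(ip2n(ip) / 2 ^ host_bits) == int(ip2n(p[1]) / 2 ^ host_bits)
    }
    /^-P / { policy = $3; next }
    /^-A / {
      ok = 1; target = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "-i" && $(i + 1) != iface) ok = 0
        if ($i == "-p" && $(i + 1) != proto) ok = 0
        if ($i == "--dport" && $(i + 1) != dport) ok = 0
        if ($i == "-s" && !in_net(src, $(i + 1))) ok = 0
        if ($i == "--ctstate" && $(i + 1) !~ /NEW/) ok = 0
        if ($i == "-j") target = $(i + 1)
      }
      if (ok && (target == "ACCEPT" || target == "DROP" || target == "REJECT")) {
        decided = 1; print target ": " $0; exit
      }
    }
    END { if (!decided) print policy ": chain policy (no rule matched)" }'
}

# with_rule POS RULE: the chain as it looks after `iptables -I INPUT POS RULE...`.
# Rule number N is line N+1 of the `-S` listing because line 1 is the chain policy.
with_rule() {
  printf '%s\n' "$INPUT_RULES" | awk -v pos="$1" -v rule="$2" 'NR == pos + 1 { print rule } { print }'
}

# The answer's fix: accept everything from the LAN subnet on the ethernet interface.
BROAD='-A INPUT -i enp37s0 -s 192.168.1.0/24 -j ACCEPT'
# A least-privilege alternative: only new TCP connections to display :1 (port 5901).
NARROW='-A INPUT -i enp37s0 -s 192.168.1.0/24 -p tcp -m tcp --dport 5901 -m conntrack --ctstate NEW -j ACCEPT'

# Scenarios. 192.168.1.10 stands in for a LAN client; it is an assumed address.
loopback_vnc()   { printf '%s\n' "$INPUT_RULES" | verdict lo      127.0.0.1    tcp 5901; }
lan_vnc()        { printf '%s\n' "$INPUT_RULES" | verdict enp37s0 192.168.1.10 tcp 5901; }
lan_vnc_broad()  { with_rule 7 "$BROAD"  | verdict enp37s0 192.168.1.10 tcp 5901; }
lan_smb_broad()  { with_rule 7 "$BROAD"  | verdict enp37s0 192.168.1.10 tcp 445; }
lan_vnc_narrow() { with_rule 7 "$NARROW" | verdict enp37s0 192.168.1.10 tcp 5901; }
lan_smb_narrow() { with_rule 7 "$NARROW" | verdict enp37s0 192.168.1.10 tcp 445; }

for scenario in loopback_vnc lan_vnc lan_vnc_broad lan_smb_broad lan_vnc_narrow lan_smb_narrow; do
  printf '%-15s %s\n' "$scenario" "$($scenario)"
done
```

Running it prints one verdict per scenario: the loopback client and both inserted rules accept :5901, but only the narrowed rule still rejects port 445 (the Samba listener the question's local nmap shows), which the answer's rule silently exposes to the whole subnet along with every other port in that list. On a real host, `sudo iptables -L INPUT -v -n --line-numbers` prints the in/out interface columns that plain `-L` omits and is the quickest way to spot an `-i lo` rule. Since TightVNC's RFB session (the `RFB 003.008` banner) is not encrypted, an even tighter option is to start the server with `vncserver -localhost` and reach it through `ssh -L 5901:localhost:5901 adam@numbersix` from the client, which needs no LAN-facing firewall rule at all.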