无法连接到 VNC 服务器

无法连接到 VNC 服务器

希望你们的集体智慧能够帮助我……

tl;dr - Ubuntu 服务器似乎打开了几个端口,但外部(LAN)世界都看不到它们 - 到底发生了什么?

更长:

我有一台无头 17.04 服务器,我想使用 VNC 连接它,但目前我遇到了麻烦。我使用两个客户端 - 都是 Windows 10,一个使用 RealVNC,一个使用 TightVNC。

我已经在我的 Ubuntu 机器上设置了 TightVNC 服务器,主要按照以下说明进行操作:https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-vnc-on-ubuntu-16-04,打算将 Xfce 作为桌面运行:

$ sudo apt install xfce4 xfce4-goodies tightvncserver

我已将 xstartup 文件更改为:

#!/bin/bash
xrdb $HOME/.Xresources
startxfce4 &

并授予可执行权限。

如果我使用以下方式启动服务器,tightvncserver我会得到:

New 'X' desktop is numbersix:1

Starting applications specified in /home/adam/.vnc/xstartup
Log file is /home/adam/.vnc/numbersix:1.log

nmap localhost给出:

Starting Nmap 7.40 ( https://nmap.org ) at 2017-11-09 21:05 GMT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000076s latency).
Other addresses for localhost (not scanned): ::1
Not shown: 986 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
5901/tcp open  vnc-1
6001/tcp open  X11:1
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
8010/tcp open  xmpp
8080/tcp open  http-proxy
9091/tcp open  xmltec-xmlmail

nmap 192.168.1.6给出相同的结果。

我将服务器设置为 systemd 服务 -使用以下内容创建:/etc/systemd/system/[email protected]

[Unit]
Description=Start TightVNC server at startup
After=syslog.target network.target

[Service]
Type=forking
User=adam
PAMName=login
PIDFile=/home/adam/.vnc/%H:%i.pid
ExecStartPre=-/usr/bin/vncserver -kill :%i > /dev/null 2>&1
ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :%i
ExecStop=/usr/bin/vncserver -kill :%i

[Install]
WantedBy=multi-user.target

然后启动服务

$ sudo systemctl daemon-reload
$ sudo systemctl enable [email protected]
$ sudo systemctl start vncserver@1

一切似乎都有效。sudo systemctl status vncserver@1给出:

[email protected] - Start TightVNC server at startup
   Loaded: loaded (/etc/systemd/system/[email protected]; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2017-11-09 21:38:13 GMT; 6s ago
  Process: 3924 ExecStart=/usr/bin/vncserver -depth 24 -geometry 1280x800 :1 (code=exited, status=0/SUCCESS)
  Process: 3916 ExecStartPre=/usr/bin/vncserver -kill :1 > /dev/null 2>&1 (code=exited, status=2)
 Main PID: 3937 (Xtightvnc)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/system-vncserver.slice/[email protected]
           ‣ 3937 Xtightvnc :1 -desktop X -auth /home/adam/.Xauthority -geometry 
1280x800 -depth 24 -rfbwait 120000 -rfbauth /h

Nov 09 21:38:12 numbersix systemd[1]: Starting Start TightVNC server at startup...
Nov 09 21:38:12 numbersix systemd[3916]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:12 numbersix systemd[3924]: pam_unix(login:session): session opened for user adam by (uid=0)
Nov 09 21:38:13 numbersix systemd[1]: Started Start TightVNC server at startup.

telnet localhost 5901似乎连接正常:

Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
RFB 003.008

sudo netstat -nlpt | grep :59给出:

tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      3937/Xtightvnc

telnet numbersix 5901但是,telnet 192.168.1.6(在 Windows 上)会失败:

Could not open connection to the host, on port 5901: Connect failed

RealVNC 和 TightVNC 都无法连接(使用主机名或 IP)。使用 IP 或主机名在两个 Windows 主机上都可以 Ping。也无法从 Ubuntu 笔记本电脑连接。同样,可以 ping。我可以毫无问题地使用 ssh。sudo nmap numbersix从 Ubuntu 笔记本电脑得到:

Starting Nmap 7.01 ( https://nmap.org ) at 2017-11-10 12:50 GMT
Nmap scan report for numbersix (192.168.1.6)
Host is up (0.0032s latency).
Not shown: 997 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
8000/tcp open  http-alt
8001/tcp open  vcom-tunnel
MAC Address: 60:45:CB:64:2B:C8 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 12.85 seconds

sudo iptables -L服务器上的INPUT、FORWARD 和 OUTPUT 链如下:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
OUTPUT_direct  all  --  anywhere             anywhere

所以我认为这表明 iptables 没有阻止任何东西......

有人能帮我诊断一下问题吗?

答案1

答案在于我未能理解 iptables - 尤其是输出的sudo iptables -L含义......

当我运行 时sudo iptables -S,我看到了每条规则的更详细描述,很明显没有合适的 INPUT 规则允许 5901(或我正在查看的任何其他端口)上的 tcp 流量通过。然后,最后的 INPUT 规则(本质上是拒绝所有不匹配规则的流量)收集并拒绝了这些流量。我认为应该接受仅适用于接口lo(环回)的流量的规则。

我运行了这个: sudo iptables -I INPUT 7 -s 192.168.1.0/24 -i enp37s0 -j ACCEPT

这基本上是在 INPUT 链的第 7 行插入一条规则,并告诉它接受来自 192.168.1.0/24 子网的任何到达以太网端口的流量。

下一个挑战是让 iptables-persistent 在重启时真正发挥作用!!

相关内容