Cannot connect to an Ubuntu box from outside the local network (VPN)


I have an Ubuntu 14.04 server running a few services on different ports. I used to be able to connect to it over a VPN (SSH, samba and a couple of web servers on different ports).

I'll use ssh as the example, but it happens on every port.

When I try to connect from inside my LAN everything works, but when I try from my VPN nothing happens (the box gets the TCP packets, but the service listening on the port never gets them).

  • I can connect to other boxes on the network, so I know the VPN is working.

  • I can also connect to the box from inside the network, so I also know ssh (and all the other services) are up and listening.

Netstat:

$ netstat -ntple 
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name 
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          479         -               
  • I also used tshark to verify that the box is receiving something, so I know the router is working.

Output:

$ sudo tshark -i rename2 port 22
Capturing on 'rename2'
1   0.000000 172.17.11.165 -> 10.11.50.93  TCP 74 37478 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1360 SACK_PERM=1 TSval=51759576 TSecr=0 WS=256
2   3.706230 172.17.11.165 -> 10.11.50.93  TCP 74 41261 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1360 SACK_PERM=1 TSval=51760681 TSecr=0 WS=256
3   4.697915 172.17.11.165 -> 10.11.50.93  TCP 74 [TCP Retransmission] 41261 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1360 SACK_PERM=1 TSval=51760982 TSecr=0 WS=256
4   6.730708 172.17.11.165 -> 10.11.50.93  TCP 74 [TCP Retransmission] 41261 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1360 SACK_PERM=1 TSval=51761584 TSecr=0 WS=256
5  10.697776 172.17.11.165 -> 10.11.50.93  TCP 74 [TCP Retransmission] 41261 > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1360 SACK_PERM=1 TSval=51762788 TSecr=0 WS=256
  • I also added/removed firewall rules and disabled/restarted ufw, with no luck.

  • Also checked my iptables; everything looks fine.

Iptables:

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             multiport dports mdns
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 4000
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-ISOLATION  all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere 

I have no idea what could be wrong here. The problem started a few days ago when I installed Docker over ssh with $ curl -fsSL https://get.docker.com/ | sh : halfway through the install the ssh connection was closed and I couldn't connect again. My guess is that the system was somehow updated and something went wrong when docker set up its networking components. Still can't find what it is.


Output of netstat -nr -4:

$ netstat -nr -4
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.11.50.1      0.0.0.0         UG        0 0          0 rename2
10.0.3.0        0.0.0.0         255.255.255.0   U         0 0          0 lxcbr0
10.11.50.0      0.0.0.0         255.255.255.0   U         0 0          0 rename2
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0

Output of ifconfig:

 $ ifconfig
 docker0   Link encap:Ethernet  HWaddr 02:42:06:f0:a2:16  
           inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
           UP BROADCAST MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

 eth6      Link encap:Ethernet  HWaddr 8c:dc:d4:2c:24:b6  
           UP BROADCAST MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000 
           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
           Interrupt:20 Memory:d3300000-d3320000 

 lo        Link encap:Local Loopback  
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING  MTU:65536  Metric:1
           RX packets:8329 errors:0 dropped:0 overruns:0 frame:0
           TX packets:8329 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:1311610 (1.3 MB)  TX bytes:1311610 (1.3 MB)

 lxcbr0    Link encap:Ethernet  HWaddr 02:2f:b6:06:aa:d6  
           inet addr:10.0.3.1  Bcast:0.0.0.0  Mask:255.255.255.0
           inet6 addr: fe80::2f:b6ff:fe06:aad6/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:785 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:0 (0.0 B)  TX bytes:222126 (222.1 KB)

 lxdbr0    Link encap:Ethernet  HWaddr fe:21:66:ba:91:98  
           inet6 addr: fe80::1/64 Scope:Link
           inet6 addr: fe80::3007:bfff:fe70:8407/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:14 errors:0 dropped:0 overruns:0 frame:0
           TX packets:31 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0 
           RX bytes:968 (968.0 B)  TX bytes:6130 (6.1 KB)

 rename2   Link encap:Ethernet  HWaddr 8c:dc:d4:2c:24:b7  
           inet addr:10.11.50.93  Bcast:10.11.50.255  Mask:255.255.255.0
           inet6 addr: fe80::8edc:d4ff:fe2c:24b7/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:312920 errors:0 dropped:0 overruns:0 frame:0
           TX packets:33140 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000 
           RX bytes:51883472 (51.8 MB)  TX bytes:6473301 (6.4 MB)
           Memory:d3100000-d3180000 

 vethD4RBEX Link encap:Ethernet  HWaddr fe:21:66:ba:91:98  
           inet6 addr: fe80::fc21:66ff:feba:9198/64 Scope:Link
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:14 errors:0 dropped:0 overruns:0 frame:0
           TX packets:64 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000 
           RX bytes:1164 (1.1 KB)  TX bytes:11813 (11.8 KB)

Answer 1

Look at your tshark capture and your routing table. I assume your VPN network uses the same subnet as the docker0 interface.

This will bring the docker0 interface down:

sudo ifdown docker0

But the problem will come back after a reboot. To fix it properly you should remove docker, or change docker's subnet settings, or change the VPN subnet settings.
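Added example (not from the question or the answer): a small Python script that replays the kernel's longest-prefix route lookup against the routing table quoted in the question, showing why the SYN-ACK for the VPN client 172.17.11.165 is handed to docker0 instead of the default gateway, and that checks a candidate replacement subnet for overlap with existing routes. The ROUTE_TABLE text is copied from the question's netstat output; the candidate subnets passed in are assumptions.

```python
import ipaddress

# Copied from the question's "netstat -nr -4" output (constructed input).
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.11.50.1      0.0.0.0         UG        0 0          0 rename2
10.0.3.0        0.0.0.0         255.255.255.0   U         0 0          0 lxcbr0
10.11.50.0      0.0.0.0         255.255.255.0   U         0 0          0 rename2
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
"""


def parse_routes(text):
    """Turn netstat -nr lines into (network, gateway, iface) tuples."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        dest, gw, mask, *_, iface = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the route the kernel picks for a reply to addr.
    Returns (iface, gateway); gateway 0.0.0.0 means 'directly connected'."""
    ip = ipaddress.ip_address(addr)
    best = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[2], best[1]


def overlapping_routes(routes, cidr):
    """Directly connected routes that overlap a candidate subnet
    (e.g. the VPN pool, or a new Docker bridge range). Empty list == safe."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [r[2] for r in routes if r[1] == "0.0.0.0" and r[0].overlaps(net)]


ROUTES = parse_routes(ROUTE_TABLE)

if __name__ == "__main__":
    # The SYN arrives on rename2, but the SYN-ACK is routed by source address:
    iface, gw = lookup(ROUTES, "172.17.11.165")
    print(f"reply to VPN client leaves via {iface} (gateway {gw})")   # docker0, black-holed
    iface, gw = lookup(ROUTES, "8.8.8.8")
    print(f"reply to an Internet host leaves via {iface} (gateway {gw})")
    # Assumed candidate ranges when re-addressing the Docker bridge:
    for cidr in ("172.17.0.0/16", "10.200.0.1/24"):
        print(cidr, "overlaps:", overlapping_routes(ROUTES, cidr) or "nothing")
```

Once a non-overlapping range is chosen, Docker's bridge address is set with the bip key in /etc/docker/daemon.json (or the --bip daemon flag), which survives reboots, unlike ifdown docker0.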
