Centos

Cannot remotely connect to a private IP or port

  • May 19, 2017

What specific changes need to be made so that a CentOS 7 installation on the local IP 192.168.1.6 can telnet to another CentOS 7 installation on another local IP, 192.168.1.5?

As you can see, 192.168.1.6 IS ABLE TO PING 192.168.1.5, as follows:

[root@localhost /]# ping 192.168.1.5
PING 192.168.1.5 (192.168.1.5) 56(84) bytes of data.
64 bytes from 192.168.1.5: icmp_seq=1 ttl=64 time=0.515 ms
64 bytes from 192.168.1.5: icmp_seq=2 ttl=64 time=0.565 ms
^C
--- 192.168.1.5 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.515/0.540/0.565/0.025 ms

telnet FROM 192.168.1.6 TO 192.168.1.5 fails as follows:

[root@localhost /]# telnet 192.168.1.5
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: No route to host

telnet FROM 192.168.1.6 TO port 5432 at 192.168.1.5 also fails as follows:

[root@localhost /]# telnet 192.168.1.5:5432
telnet: 192.168.1.5:5432: Name or service not known
192.168.1.5:5432: Unknown host
[root@localhost /]#

PostgreSQL is running on 192.168.1.5 and should be receiving telnet 192.168.1.5:5432. I therefore added the following line to pg_hba.conf before running the commands above:

host    all    all    192.168.1.6/24    trust

I restarted PostgreSQL before running the above ping and telnet commands by typing systemctl restart postgresql.

Likewise, before running the above ping and telnet commands, I also created the following firewall rules on 192.168.1.5:

[root@localhost ~]# firewall-cmd --zone=public --add-port=5432/tcp
[root@localhost ~]# firewall-cmd --permanent --zone=trusted --add-source=192.168.1.6/32
[root@localhost ~]# firewall-cmd --reload  

In addition, I confirmed that PostgreSQL is running on port 5432 by typing the following command into a terminal on 192.168.1.5:

[root@localhost ~]# ss -l -n | grep 5432
u_str  LISTEN     0      128    /var/run/postgresql/.s.PGSQL.5432 71466                 * 0
u_str  LISTEN     0      128    /tmp/.s.PGSQL.5432 71468                 * 0
tcp    LISTEN     0      128    127.0.0.1:5432                  *:*
tcp    LISTEN     0      128     ::1:5432                 :::*
[root@localhost ~]#

@roaima's suggestion:

Following @roaima's suggestion, I tried the following, but still cannot connect:

From 192.168.1.6, I sent:

[root@localhost ~]# telnet 192.168.1.5 5432
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: No route to host

And on 192.168.1.5, the receiving end of the telnet request as seen by tcpdump is:

[root@localhost ~]# tcpdump -i eth0 port 5432 or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:52:49.309526 IP 192.168.1.6.53328 > localhost.localdomain.postgres: Flags [S], seq 3210933916, win 29200, options [mss 1460,sackOK,TS val 629624820 ecr 0,nop,wscale 7], length 0
16:52:54.312716 ARP, Request who-has localhost.localdomain tell 192.168.1.6, length 28
16:52:54.312750 ARP, Reply localhost.localdomain is-at 52:54:00:ef:35:18 (oui Unknown), length 28
^C
3 packets captured
4 packets received by filter
0 packets dropped by kernel  

Likewise, from 192.168.1.6 I sent the following telnet at the IP level only:

[root@localhost ~]# telnet 192.168.1.5
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: No route to host
[root@localhost ~]#

And on 192.168.1.5, the receiving end of the telnet request as seen by tcpdump is:

[root@localhost ~]# tcpdump -i eth0 port 5432 or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
//THESE 2 LINES PRINTED BEFORE 2ND TELNET WAS RUN: 16:58:11.619638 ARP, Request who-has gateway tell localhost.localdomain, length 28
//THESE 2 LINES PRINTED BEFORE 2ND TELNET WAS RUN: 16:58:11.619940 ARP, Reply gateway is-at b8:ec:a3:11:74:6e (oui Unknown), length 46
16:58:35.555570 ARP, Request who-has 192.168.1.6 tell localhost.localdomain, length 28
16:58:35.555753 ARP, Reply 192.168.1.6 is-at 52:54:00:ab:31:40 (oui Unknown), length 28
^C
4 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#  

@cutrightjm's suggestion:

On 192.168.1.5, I typed the following in one PuTTY session:

[root@localhost ~]# telnet localhost 5432
Trying ::1...
Connected to localhost.
Escape character is '^]'.

Meanwhile, in a separate PuTTY session on 192.168.1.5, I saw no results from tcpdump, as shown below:

[root@localhost ~]# tcpdump -i eth0 port 5432 or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#

@JeffSchaller's suggestion:

Following @JeffSchaller's suggestion, I ran the following on 192.168.1.6. Note that this is CentOS 7, which has replaced netstat with ss and iptables with firewalld.

ss -rn produced 90 lines of output. Could you suggest a meaningful grep or other filter to reduce the output to an amount that can be added to the post?

[root@localhost ~]# iptables -Ln
iptables: No chain/target/match by that name.


[root@localhost ~]# firewall-cmd --list-all
public (active)
 target: default
 icmp-block-inversion: no
 interfaces: eth0
 sources:
 services: dhcpv6-client ssh
 ports: 8080/tcp
 protocols:
 masquerade: no
 forward-ports:
 sourceports:
 icmp-blocks:
 rich rules:

[root@localhost ~]#

I also ran the following commands on 192.168.1.6:

[root@localhost ~]# ip route
default via 192.168.1.1 dev eth0  proto static  metric 100
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.6  metric 100

[root@localhost ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
   link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
   inet 127.0.0.1/8 scope host lo
      valid_lft forever preferred_lft forever
   inet6 ::1/128 scope host
      valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
   link/ether 52:54:00:ab:31:40 brd ff:ff:ff:ff:ff:ff
   inet 192.168.1.6/24 brd 192.168.1.255 scope global dynamic eth0
      valid_lft 133013sec preferred_lft 133013sec
   inet6 fe80::5054:ff:feab:3140/64 scope link
      valid_lft forever preferred_lft forever
[root@localhost ~]#

Removing the firewall on both machines

As an extreme test, I removed the firewall on both machines by typing yum remove firewalld and yum remove iptables on both 192.168.1.5 and 192.168.1.6. I then verified both removals as follows:

192.168.1.5

[root@localhost ~]# systemctl status firewalld
Unit firewalld.service could not be found.
[root@localhost ~]# iptables -L -n
-bash: /sbin/iptables: No such file or directory

192.168.1.6

[root@localhost ~]# systemctl status firewalld
Unit firewalld.service could not be found.
[root@localhost ~]# iptables -L -n
-bash: /sbin/iptables: No such file or directory

Next, I typed tcpdump -i eth0 port 5432 or arp on 192.168.1.5, and then typed telnet 192.168.1.5 5432 on 192.168.1.6.

The result of telnet was that the following refusal message was printed on 192.168.1.6:

[root@localhost ~]# telnet 192.168.1.5 5432
Trying 192.168.1.5...
telnet: connect to address 192.168.1.5: Connection refused
[root@localhost ~]#

Meanwhile, the tcpdump printout on 192.168.1.5 from the telnet call from 192.168.1.6 was:

[root@localhost ~]# tcpdump -i eth0 port 5432 or arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
10:25:11.349238 ARP, Request who-has localhost.localdomain tell gateway, length 46
10:25:11.349261 ARP, Reply localhost.localdomain is-at 52:54:00:ef:35:18 (oui Unknown), length 28
10:25:14.391222 IP 192.168.1.6.53344 > localhost.localdomain.postgres: Flags [S], seq 3043089625, win 29200, options [mss 1460,sackOK,TS val 692769902 ecr 0,nop,wscale 7], length 0
10:25:14.391265 IP localhost.localdomain.postgres > 192.168.1.6.53344: Flags [R.], seq 0, ack 3043089626, win 0, length 0
10:25:19.395578 ARP, Request who-has 192.168.1.6 tell localhost.localdomain, length 28
10:25:19.396039 ARP, Reply 192.168.1.6 is-at 52:54:00:ab:31:40 (oui Unknown), length 28
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@localhost ~]#

To determine whether PostgreSQL is listening on port 5432, I typed the following two commands on 192.168.1.5.

Note that firewalld and iptables were still removed when the following commands were run.

First, I looked at the pg_hba.conf file on 192.168.1.5 and found that there is a rule trusting 192.168.1.6:

[root@localhost ~]# vi /var/lib/pgsql/data/pg_hba.conf
# LOTS OF # COMMENTED LINES OMITTED HERE FOR BREVITY
# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
host    all             all             192.168.1.6/24          trust
# IPv6 local connections:
host    all             all             ::1/128                 trust

Next, I typed the following netstat command on 192.168.1.5 to see whether there is a rule for port 5432:

[root@localhost ~]# netstat -anpt | grep LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      943/sshd
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      25166/postgres
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1483/master
tcp6       0      0 127.0.0.1:45228         :::*                    LISTEN      19089/java
tcp6       0      0 127.0.0.1:8020          :::*                    LISTEN      14338/java
tcp6       0      0 :::7990                 :::*                    LISTEN      19089/java
tcp6       0      0 :::22                   :::*                    LISTEN      943/sshd
tcp6       0      0 ::1:5432                :::*                    LISTEN      25166/postgres
tcp6       0      0 127.0.0.1:7992          :::*                    LISTEN      19066/java
tcp6       0      0 ::1:7992                :::*                    LISTEN      19066/java
tcp6       0      0 ::1:25                  :::*                    LISTEN      1483/master
tcp6       0      0 127.0.0.1:36122         :::*                    LISTEN      19089/java
tcp6       0      0 :::8095                 :::*                    LISTEN      14338/java
tcp6       0      0 :::5701                 :::*                    LISTEN      19089/java
[root@localhost ~]#
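The ss and netstat output above both show the PostgreSQL socket bound only to 127.0.0.1:5432 and ::1:5432. A socket bound to a loopback address cannot accept connections from another host, so a useful first triage step is to classify what a port is actually bound to. The following POSIX shell function is an added example (not from the question or the answer): it reads either `ss -ltn` or `netstat -ant` style output (both put the local address in the fourth column) and reports whether a given port is bound to loopback only, to every interface, or to a specific address. The sample output is constructed, modelled on the listings in the question.

```shell
#!/bin/sh
# Constructed sample in netstat -ant style, modelled on the listing in the
# question: sshd on all interfaces, postgres on loopback only, plus a
# hypothetical service bound to one specific address.
SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.5:8080        0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 ::1:5432                :::*                    LISTEN
tcp6       0      0 ::1:7992                :::*                    LISTEN'

# listener_scope <port> [listing]
# Prints one word describing how <port> is bound in the listing:
#   none      no LISTEN socket on that port
#   loopback  bound only to 127.0.0.0/8 or ::1 (unreachable from other hosts)
#   all       bound to 0.0.0.0, :: or * (reachable on every interface)
#   specific  bound to one or more particular non-loopback addresses
# If no listing is passed, the live output of `ss -ltn` is used.
listener_scope() {
    port=$1
    listing=${2:-$(ss -ltn 2>/dev/null)}
    printf '%s\n' "$listing" | awk -v port="$port" '
        /LISTEN/ {
            addr = $4                       # local address:port column
            n = split(addr, parts, ":")
            if (parts[n] != port) next      # port is always the last field
            host = substr(addr, 1, length(addr) - length(port) - 1)
            gsub(/\[|\]/, "", host)         # ss prints IPv6 as [::1]:5432
            if (host ~ /^127\./ || host == "::1") { loop++; next }
            if (host == "0.0.0.0" || host == "::" || host == "*") { any++; next }
            spec++
        }
        END {
            # Report the widest exposure found for the port.
            if (any) print "all"
            else if (spec) print "specific"
            else if (loop) print "loopback"
            else print "none"
        }'
}

# Stand-alone run: classify the PostgreSQL port in the constructed sample.
listener_scope 5432 "$SAMPLE"
```

Run it without the second argument on the server itself to check the live listener table; a result of "loopback" for 5432 means no firewall change will make the port reachable from 192.168.1.6.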

The first problem is that you are using the wrong telnet command syntax. Running man telnet will tell you that the syntax is like this:

telnet <host> [<port>]

So in your case you should run this:

telnet 192.168.1.5 5432

The second problem is that you have a firewall rule on each host that blocks outbound traffic to 5432/tcp (and possibly other ports). The error message "No route to host" is generated by an iptables -j REJECT rule in the OUTPUT chain with --reject-with icmp-host-prohibited. Here is an example of creating such a rule:

iptables -I OUTPUT -p tcp --dport 5432 -j REJECT --reject-with icmp-host-prohibited

This fits the situation where a route clearly exists, because ping succeeds, but your telnet session fails. You can check this yourself with the command iptables --line-numbers -nvL (not iptables -Ln, which tries to list a chain called n).

Two temporary fixes to confirm that traffic really can be established are

  • completely disable the firewall on both systems
  • run these two commands on both systems (afterwards you can remove them by replacing -I with -D)

iptables -I INPUT -p tcp --src 192.168.1.5/30 -j ACCEPT
iptables -I OUTPUT -p tcp --dst 192.168.1.5/30 -j ACCEPT

I'm not (yet) familiar enough with the CentOS 7 firewall tools to give you a complete solution. I could go digging, or someone else may want to edit this answer to provide that information.

Source: https://unix.stackexchange.com/questions/365982