Networking
TCP: one PC can connect to the other's listening port, but not the other way round
I have a local network (whether it is a VPN or a real local network doesn't matter; I tried both).
A computer running Linux Mint opens a socket:
mint$ nc -l 4242
A second one running OpenSUSE can connect and send messages to the socket:
suse$ nc 10.8.0.10 4242
But if I try to open a socket on Suse and connect from Mint, the connection cannot be established. I don't have
ufw
installed on Suse at all. I tried sending TCP packets from Mint to a Windows PC and that works fine, so I guess the problem is on the Suse machine.
I also tried picking a higher port number (e.g. 55555) just in case, but no luck.
iptables -L -v
on Suse:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  272 23240 ACCEPT     all  --  lo     any     anywhere             anywhere
   28  5183 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             ctstate RELATED
   15  4984 input_ext  all  --  any    any     anywhere             anywhere
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "

Chain OUTPUT (policy ACCEPT 47 packets, 7142 bytes)
 pkts bytes target     prot opt in     out     source               destination
  272 23240 ACCEPT     all  --  any    lo      anywhere             anywhere

Chain forward_ext (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_ext (1 references)
 pkts bytes target     prot opt in     out     source               destination
    2  1956 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = broadcast
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp source-quench
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
   13  3028 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = multicast
    0     0 DROP       all  --  any    any     anywhere             anywhere             PKTTYPE = broadcast
    0     0 LOG        tcp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
    0     0 LOG        icmp --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
    0     0 LOG        udp  --  any    any     anywhere             anywhere             limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
    0     0 DROP       all  --  any    any     anywhere             anywhere

Chain reject_func (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  any    any     anywhere             anywhere             reject-with tcp-reset
    0     0 REJECT     udp  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-proto-unreachable
What could be causing this?
Use this command:
sudo iptables -I INPUT -p tcp --dport 4242 -j ACCEPT
On suse, the last line of the INPUT chain is:
0 0 DROP all -- any any anywhere anywhere
This means DROP all INPUT packets. With the command sudo iptables -I INPUT -p tcp --dport 4242 -j ACCEPT we (-I) add a new rule at the top that accepts the input packets before the DROP rule is executed. And this rule does not apply to new connections:
ACCEPT all -- any any anywhere anywhere ctstate ESTABLISHED
because its state is ESTABLISHED, which means: RELATED - the connection is new, but related to another connection that has already been allowed. ESTABLISHED - the connection has already been established.
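To see why rule order decides the outcome here, the following added example (not from the question or the answer) walks a constructed `iptables -S` listing modelled on the SuSEfirewall2 chains above, the way netfilter does (first terminating match wins), and reports the verdict for a NEW inbound TCP connection. It also goes one step beyond the answer by showing that appending the same rule with -A instead of inserting it with -I leaves it behind the catch-all DROP; new_tcp_verdict is a hypothetical helper and the rule text is a constructed sample, not the poster's real output.

```shell
# Constructed `iptables -S` sample modelled on the question's chains.
HEAD='-P INPUT DROP
-N input_ext'
BASE='-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -j input_ext
-A INPUT -j DROP
-A input_ext -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT "
-A input_ext -j DROP'
FIX='-A INPUT -p tcp -m tcp --dport 4242 -j ACCEPT'
RULES_BEFORE="$HEAD
$BASE"
# What `iptables -I INPUT ...` (the answer's fix) yields: the rule becomes #1.
RULES_INSERTED="$HEAD
$FIX
$BASE"
# What `iptables -A INPUT ...` would yield: the rule sits after the catch-all DROP.
RULES_APPENDED="$HEAD
$BASE
$FIX"
# new_tcp_verdict RULES PORT -> first-match verdict (ACCEPT/DROP/REJECT) for a
# NEW inbound TCP connection to PORT arriving on a non-loopback interface.
new_tcp_verdict() {
  printf '%s\n' "$1" | awk -v port="$2" '
    function walk(chain,    i, r, t, v) {
      for (i = 1; i <= n[chain]; i++) {
        r = rule[chain, i]
        if (r ~ /-i lo /) continue                            # not loopback
        if (r ~ /--ctstate (ESTABLISHED|RELATED)/) continue   # we are NEW
        if (r ~ /-p (icmp|udp)/) continue                     # we are TCP
        if (r ~ /--dport / && r !~ ("--dport " port " ")) continue
        t = r; sub(/.* -j /, "", t); sub(/ .*/, "", t)        # target name
        if (t == "ACCEPT" || t == "DROP" || t == "REJECT") return t
        if (t == "RETURN") return ""
        if (t in n) { v = walk(t); if (v != "") return v }    # user chain
      }                                  # LOG is non-terminating: keep going
      return ""
    }
    $1 == "-P" { policy[$2] = $3 }
    $1 == "-N" { n[$2] = 0 }
    $1 == "-A" { n[$2]++; rule[$2, n[$2]] = $0 " " }
    END { v = walk("INPUT"); print (v == "" ? policy["INPUT"] : v) }
  '
}
new_tcp_verdict "$RULES_BEFORE" 4242     # DROP
new_tcp_verdict "$RULES_INSERTED" 4242   # ACCEPT
new_tcp_verdict "$RULES_APPENDED" 4242   # DROP: the appended rule is never reached
```

Note that a rule inserted this way accepts port 4242 from any source; on a VPN-only service, adding -s with the VPN subnet keeps the hole no wider than needed.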