
As the title says, this is giving me a headache.
A service broke and I need to test it locally.
System: Ubuntu 18.04.
Deployment: nginx -> gunicorn -> flask. Before it goes through nginx it should be reachable without a domain name.
========================
Current test results:
1. Accessing 127.0.0.1:4433 locally: the service works normally.
2. Ran ifconfig locally and confirmed the LAN IP is 192.168.0.10 (SSH connects via this IP; just double-checking).
3. Ran wget 192.168.0.10:4433, result: failed: Connection refused.
4. Suspected the firewall was blocking it, so I disabled it outright: ufw disable.
5. Ran wget 192.168.0.10:4433 again, result: failed: Connection refused. No change.
6. Default system image; the firewall was never configured after installation, so it should have been off in the first place.
I'm pretty lost. Does anyone know what could be causing this?
Update: following the tips from V2EX members, I checked the iptables rules and SELinux and found nothing that would affect LAN access. The command output is as follows.
iptables rule list:
root@gui_ubuntu:~# iptables -vnL
Chain INPUT (policy ACCEPT 318 packets, 24587 bytes)
 pkts bytes target     prot opt in     out     source               destination
 750K   12G ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  36M 1865G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
  595 39160 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
  417 30218 ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  417 30218 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  416 30178 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  401 28495 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  401 28495 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  401 28495 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
cat /etc/selinux/config reports that the file does not exist. /etc/selinux contains a single file, semanage.conf, with the following contents:
root@gui_ubuntu:/etc/selinux# cat semanage.conf
# Authors: Jason Tang <[email protected]>
#
# Copyright (C) 2004-2005 Tresys Technology, LLC
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
# Specify how libsemanage will interact with a SELinux policy manager.
# The four options are:
#
#  "source"     - libsemanage manipulates a source SELinux policy
#  "direct"     - libsemanage will write directly to a module store.
#  /foo/bar     - Write by way of a policy management server, whose
#                 named socket is at /foo/bar.  The path must begin
#                 with a '/'.
#  foo.com:4242 - Establish a TCP connection to a remote policy
#                 management server at foo.com.  If there is a colon
#                 then the remainder is interpreted as a port number;
#                 otherwise default to port 4242.
module-store = direct

# When generating the final linked and expanded policy, by default
# semanage will set the policy version to POLICYDB_VERSION_MAX, as
# given in <sepol/policydb.h>.  Change this setting if a different
# version is necessary.
#policy-version = 19

# expand-check check neverallow rules when executing all semanage commands.
# Large penalty in time if you turn this on.
expand-check=0

# By default, semanage will generate policies for he SELinux target.
# To build policies for Xen, uncomment the following line.
#target-platform = xen
===
Side rant: does Ubuntu 18.04 ship with a rule dropping port 3306 out of the box? This machine should never have had MySQL installed, so that surprised me.
Update: netstat -antp
root@gui_ubuntu:~# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      25486/smbd
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      190606/php-fpm: mas
tcp        0      0 192.168.0.10:22         0.0.0.0:*               LISTEN      1550/sshd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      25486/smbd
tcp        0      0 127.0.0.1:4433          0.0.0.0:*               LISTEN      195998/python3.8
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      1007/systemd-resolv
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      198990/sshd: wwwusr
tcp        0      0 192.168.0.10:63210      192.168.0.113:14926     ESTABLISHED 198896/sshd: wwwusr
tcp        0      0 192.168.0.10:34680      192.168.0.113:445       ESTABLISHED -
tcp        0      0 192.168.0.10:47338      192.168.0.113:3306      ESTABLISHED 196002/python3.8
tcp        0      0 192.168.0.10:47330      192.168.0.113:3306      ESTABLISHED 196001/python3.8
tcp        0      0 192.168.0.10:47332      192.168.0.113:3306      ESTABLISHED 196001/python3.8
tcp        0      0 192.168.0.10:47336      192.168.0.113:3306      ESTABLISHED 196004/python3.8
tcp        0    108 192.168.0.10:59060      65.47.201.117:7000      ESTABLISHED 199044/frpc
tcp        0      0 192.168.0.10:47334      192.168.0.113:3306      ESTABLISHED 196002/python3.8
tcp        0      0 192.168.0.10:63210      192.168.0.10:38406      ESTABLISHED 199822/sshd: wwwusr
tcp        0      0 192.168.0.10:47328      192.168.0.113:3306      ESTABLISHED 196003/python3.8
tcp        0      0 192.168.0.10:47326      192.168.0.113:3306      ESTABLISHED 196003/python3.8
tcp        0      0 192.168.0.10:47340      192.168.0.113:3306      ESTABLISHED 196004/python3.8
tcp6       0      0 :::445                  :::*                    LISTEN      25486/smbd
tcp6       0      0 :::139                  :::*                    LISTEN      25486/smbd
tcp6       0      0 :::5678                 :::*                    LISTEN      194568/caddy
tcp6       0      0 ::1:6010                :::*                    LISTEN      198990/sshd: wwwusr
root@gui_ubuntu:~#
The public IP in the output above has been altered.
Looking at netstat, the service on port 4433 is bound to 127.0.0.1. Found the blind spot.
But the gunicorn start command really does use 0.0.0.0. The gunicorn command I use is:
gunicorn -w 10 guiapp_gunicorn:pmain --bind 0.0.0.0:4433 --error-logfile - --worker-class sync
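Added example, not from the poster or any of the replies: a POSIX sh script that parses netstat -antp and iptables -vnL style text to tell a loopback-only bind (which yields "connection refused" from the LAN even with ufw disabled, as the netstat listing above shows for 4433) from an INPUT DROP/REJECT rule, which is what the replies suspected. The sample lines are constructed in the layout of the outputs quoted above; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the poster: separate "service bound to loopback only"
# from "firewall rule" by parsing netstat -antp and iptables -vnL style text.
# The samples below are constructed in the layout of the outputs quoted in the post.
NETSTAT_SAMPLE='tcp        0      0 127.0.0.1:4433          0.0.0.0:*               LISTEN      195998/python3.8
tcp        0      0 192.168.0.10:22         0.0.0.0:*               LISTEN      1550/sshd
tcp6       0      0 :::5678                 :::*                    LISTEN      194568/caddy'
IPTABLES_SAMPLE='    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306'

# bind_scope PORT TEXT -> all | loopback | specific:<addr> | none
# Field 4 of a netstat line is "addr:port"; an IPv6 wildcard shows as ":::port".
bind_scope() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, p, ":"); if (p[n] != port) next
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::") all = 1
            else if (addr == "127.0.0.1" || addr == "::1") loop = 1
            else spec = addr
        }
        END {
            if (all) print "all"; else if (spec != "") print "specific:" spec
            else if (loop) print "loopback"; else print "none"
        }'
}

# fw_action PORT TEXT -> DROP | REJECT for the first INPUT rule matching dpt:PORT, else open
# Field 3 of an iptables -vnL line is the target (pkts and bytes come first).
fw_action() {
    printf '%s\n' "$2" | awk -v port="$1" '
        ($3 == "DROP" || $3 == "REJECT") && $0 ~ ("dpt:" port "($| )") { print $3; hit = 1; exit }
        END { if (!hit) print "open" }'
}

# diagnose PORT NETSTAT_TEXT IPTABLES_TEXT -> one-line verdict
diagnose() {
    scope=$(bind_scope "$1" "$2"); fw=$(fw_action "$1" "$3")
    case "$scope" in
        none)     echo "port $1: nothing is listening" ;;
        loopback) echo "port $1: listener is loopback-only, so LAN clients get 'connection refused'" \
                       "no matter what the firewall says; fix the bind address first" ;;
        *) if [ "$fw" = open ]; then echo "port $1: listening on $scope, no INPUT DROP/REJECT for it"
           else echo "port $1: listening on $scope but INPUT has a $fw rule for dpt:$1"; fi ;;
    esac
}

diagnose 4433 "$NETSTAT_SAMPLE" "$IPTABLES_SAMPLE"
```

On a live host, feed it `"$(netstat -antp)"` and `"$(iptables -vnL INPUT)"` instead of the samples.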
1 Jammar 2020-10-26 08:52:20 +08:00 IP whitelist |
2 Cooky 2020-10-26 08:54:20 +08:00 via Android iptables? |
3 black11black OP |
4 black11black OP Another side note: has anyone been seeing CN2 outages lately? I'm on China Unicom in the north connecting to Bandwagon Host CN2, and packet loss is terrible |
5 weyou 2020-10-26 09:06:48 +08:00 via Android Try disabling SELinux |
6 BigOldBrother 2020-10-26 09:33:39 +08:00 @black11black #3 Probably not. I ran into the same problem as you when setting up a website: ufw had the firewall disabled, but iptables had a rule `6 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited` that caused every access to be rejected. You can use `iptables -L INPUT --line-numbers` to find that line and then run `iptables -D INPUT {line number}` to delete it. On my side it comes back after a reboot; I don't know iptables well and rarely reboot, so I never fixed it properly. |
7 podel 2020-10-26 09:59:41 +08:00 Check the firewall. Even with UFW off, iptables isn't necessarily cleared. If that doesn't help, you can also capture packets and take a look. |
8 Xusually 2020-10-26 10:03:47 +08:00 ufw is just a convenience tool for configuring iptables; stopping its service doesn't mean all iptables rules are cleared. Check it anyway |
9 jimmy2010 2020-10-26 10:08:55 +08:00 via Android iptables -vnL cat /etc/selinux/config |
10 black11black OP @podel I see, so this Ubuntu ufw thing is pretty mysterious: the so-called "disable firewall" doesn't actually disable it. What's the point of the ufw disable command then? ┓(`)┏ |
11 lithiumii 2020-10-26 10:36:47 +08:00 Rather than UFW disable, just allow the specific ports you want to reach |
12 Tink PRO Check iptables |
13 Tkvoid 2020-10-26 11:10:59 +08:00 via Android The folks above have already explained it pretty clearly... it's probably an iptables issue |
14 black11black OP @jimmy2010 Hi, please see the appended update. I looked and didn't see any iptables rule blocking it, or am I misreading? |
15 Keyes 2020-10-26 12:48:18 +08:00 via iPhone /etc/hosts.deny /etc/hosts.allow |
16 AstroProfundis 2020-10-26 13:24:24 +08:00 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306 Isn't this the one? |
17 AstroProfundis 2020-10-26 13:25:38 +08:00 @AstroProfundis Misread it, OP is asking about port 4433. Then this line looks a bit suspicious: 401 28495 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0 |
18 wormcy 2020-10-26 13:26:16 +08:00 Post netstat -antp as well |
19 black11black OP |
20 shenlanAZ 2020-10-26 16:03:44 +08:00 |
21 black11black OP @shenlanAZ No. Accessing 127.0.0.1:4433 locally works directly, without going through nginx |