A network service bound to 0.0.0.0 cannot be reached via the LAN IP; what could be causing this?

    black11black · 2020-10-26 08:48:47 +08:00 · 2609 views

    As the title says; my head hurts.

    A service has a problem and needs to be tested locally.

    System environment: Ubuntu 18.04.

    The deployment is nginx -> gunicorn -> flask; before it was put behind nginx it could be accessed without a domain name.

    ========================

    Current test results are as follows:

    1. Accessing 127.0.0.1:4433 locally: the service works normally.

    2. Ran ifconfig locally and confirmed the LAN IP is 192.168.0.10 (SSH is connected through this IP; just double-checking).

    3. Ran wget 192.168.0.10:4433 and got failed: connection refused.

    4. Suspected the firewall was blocking it, so I simply turned the firewall off with ufw disable.

    5. Ran wget 192.168.0.10:4433 again and still got failed: connection refused; no change.

    6. This is a default system image; the firewall was never configured separately after installation, so it should have been off from the start.

    Pretty confused; does anyone know what might be causing this?

    Appendix 1 · 2020-10-26 12:40:59 +08:00

    Update: following hints from other members, I checked the iptables rules and SELinux and found no setting that would affect LAN access. The command output is as follows.

    iptables rule list:

    ```
    root@gui_ubuntu:~# iptables -vnL
    Chain INPUT (policy ACCEPT 318 packets, 24587 bytes)
     pkts bytes target     prot opt in     out     source               destination         
     750K   12G ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
      36M 1865G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
      595 39160 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
      417 30218 ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      417 30218 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      416 30178 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      401 28495 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      401 28495 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      401 28495 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    ```
    
    Appendix 2 · 2020-10-26 12:42:11 +08:00

    Continued from above:
    ```
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
    0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 35542 packets, 94M bytes)
    pkts bytes target prot opt in out source destination
    42680 96M ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
    42680 96M ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
    35571 94M ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
    35571 94M ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
    35571 94M ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
    35571 94M ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0

    Chain ufw-after-forward (1 references)
    pkts bytes target prot opt in out source destination

    Chain ufw-after-input (1 references)
    pkts bytes target prot opt in out source destination

    Chain ufw-after-logging-forward (1 references)
    pkts bytes target prot opt in out source destination

    (several more chains of the same shape follow; omitted)

    ```
    Appendix 3 · 2020-10-26 12:42:41 +08:00

    The command cat /etc/selinux/config reports that the file does not exist; the only file under /etc/selinux is semanage.conf, with the following contents:

    ```
    root@gui_ubuntu:/etc/selinux# cat semanage.conf 
    # Authors: Jason Tang <[email protected]>
    #
    # Copyright (C) 2004-2005 Tresys Technology, LLC
    #
    #  This library is free software; you can redistribute it and/or
    #  modify it under the terms of the GNU Lesser General Public
    #  License as published by the Free Software Foundation; either
    #  version 2.1 of the License, or (at your option) any later version.
    #
    #  This library is distributed in the hope that it will be useful,
    #  but WITHOUT ANY WARRANTY; without even the implied warranty of
    #  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    #  Lesser General Public License for more details.
    #
    #  You should have received a copy of the GNU Lesser General Public
    #  License along with this library; if not, write to the Free Software
    #  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
    #
    # Specify how libsemanage will interact with a SELinux policy manager.
    # The four options are:
    #
    #  "source"     - libsemanage manipulates a source SELinux policy
    #  "direct"     - libsemanage will write directly to a module store.
    #  /foo/bar     - Write by way of a policy management server, whose
    #                 named socket is at /foo/bar.  The path must begin
    #                 with a '/'.
    #  foo.com:4242 - Establish a TCP connection to a remote policy
    #                 management server at foo.com.  If there is a colon
    #                 then the remainder is interpreted as a port number;
    #                 otherwise default to port 4242.
    module-store = direct
    ```
    
    Appendix 4 · 2020-10-26 12:42:57 +08:00

    Continued from above:

    ```
    # When generating the final linked and expanded policy, by default
    # semanage will set the policy version to POLICYDB_VERSION_MAX, as
    # given in <sepol/policydb.h>.  Change this setting if a different
    # version is necessary.
    #policy-version = 19
    
    # expand-check check neverallow rules when executing all semanage commands.
    # Large penalty in time if you turn this on.
    expand-check=0
    
    # By default, semanage will generate policies for the SELinux target.
    # To build policies for Xen, uncomment the following line.
    #target-platform = xen
    ```
    
    

    ===

    As an aside: does Ubuntu 18.04 ship with a rule dropping port 3306 out of the box? This machine should never have had MySQL installed, so that surprised me.

    Appendix 5 · 2020-10-26 15:25:58 +08:00

    Posting netstat -antp:

    ```
    root@gui_ubuntu:~# netstat -antp
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
    tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      25486/smbd             
    tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      190606/php-fpm: mas 
    tcp        0      0 192.168.0.10:22         0.0.0.0:*               LISTEN      1550/sshd           
    tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      25486/smbd          
    tcp        0      0 127.0.0.1:4433          0.0.0.0:*               LISTEN      195998/python3.8    
    tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      1007/systemd-resolv     
    tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      198990/sshd: wwwusr 
    tcp        0      0 192.168.0.10:63210      192.168.0.113:14926     ESTABLISHED 198896/sshd: wwwusr 
    tcp        0      0 192.168.0.10:34680      192.168.0.113:445       ESTABLISHED -                   
    tcp        0      0 192.168.0.10:47338      192.168.0.113:3306      ESTABLISHED 196002/python3.8    
    tcp        0      0 192.168.0.10:47330      192.168.0.113:3306      ESTABLISHED 196001/python3.8    
    tcp        0      0 192.168.0.10:47332      192.168.0.113:3306      ESTABLISHED 196001/python3.8    
    tcp        0      0 192.168.0.10:47336      192.168.0.113:3306      ESTABLISHED 196004/python3.8    
    tcp        0    108 192.168.0.10:59060      65.47.201.117:7000      ESTABLISHED 199044/frpc         
    tcp        0      0 192.168.0.10:47334      192.168.0.113:3306      ESTABLISHED 196002/python3.8      
    ```
    
    Appendix 6 · 2020-10-26 15:26:15 +08:00

    Continued:

    ```
    tcp        0      0 192.168.0.10:63210      192.168.0.10:38406      ESTABLISHED 199822/sshd: wwwusr 
    tcp        0      0 192.168.0.10:47328      192.168.0.113:3306      ESTABLISHED 196003/python3.8    
    tcp        0      0 192.168.0.10:47326      192.168.0.113:3306      ESTABLISHED 196003/python3.8    
    tcp        0      0 192.168.0.10:47340      192.168.0.113:3306      ESTABLISHED 196004/python3.8    
    tcp6       0      0 :::445                  :::*                    LISTEN      25486/smbd          
    tcp6       0      0 :::139                  :::*                    LISTEN      25486/smbd          
    tcp6       0      0 :::5678                 :::*                    LISTEN      194568/caddy              
    tcp6       0      0 ::1:6010                :::*                    LISTEN      198990/sshd: wwwusr 
    root@gui_ubuntu:~# 
    ```
    

    The public IP in the output has been altered.

    Looking at netstat, the service on port 4433 is bound to 127.0.0.1; there's the blind spot.

    But the gunicorn launch command really does use 0.0.0.0; the command I use is:

    ```
    gunicorn -w 10 guiapp_gunicorn:pmain --bind 0.0.0.0:4433 --error-logfile - --worker-class sync
    ```
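    The netstat listing above shows python3.8 listening on 127.0.0.1:4433 even though the launch command asks for 0.0.0.0:4433. The script below is an added example, not part of the thread: it parses netstat -antp output, classifies each LISTEN socket by who can reach it, and reports whether the actual bind matches the address given to --bind. The sample lines are constructed from the listing posted above (same PIDs and addresses); LISTEN_RE, scope, requested_bind and check_port are names of my own.

```python
import re
import shlex
# Constructed sample: the LISTEN lines from the netstat -antp output posted in the thread.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      25486/smbd
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      190606/php-fpm: mas
tcp        0      0 192.168.0.10:22         0.0.0.0:*               LISTEN      1550/sshd
tcp        0      0 127.0.0.1:4433          0.0.0.0:*               LISTEN      195998/python3.8
tcp6       0      0 :::5678                 :::*                    LISTEN      194568/caddy
"""
GUNICORN_CMD = "gunicorn -w 10 guiapp_gunicorn:pmain --bind 0.0.0.0:4433 --error-logfile - --worker-class sync"

# proto, recv-q, send-q, local addr:port, foreign addr, LISTEN, pid/program
LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(.*)$")

def listeners(netstat_text):
    """Yield (port, bind_addr, program) for every LISTEN socket in the output."""
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            yield int(m.group(3)), m.group(2), m.group(4).strip()

def scope(bind_addr):
    """Who can reach a socket bound to this address."""
    if bind_addr == "::1" or bind_addr.startswith("127."):
        return "loopback-only"      # this host only; what the thread's listing shows for 4433
    if bind_addr in ("0.0.0.0", "::"):
        return "all-interfaces"     # the LAN, plus anything routed to the host
    return "single-interface"       # only via that one address, e.g. sshd on 192.168.0.10

def requested_bind(cmdline):
    """Address part of gunicorn's --bind/-b argument, or None if absent."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg in ("--bind", "-b") and i + 1 < len(args):
            return args[i + 1].rsplit(":", 1)[0].strip("[]")
    return None

def check_port(netstat_text, port, cmdline=None):
    """Compare what actually listens on `port` with the bind the launch command asked for."""
    binds = [addr for p, addr, _ in listeners(netstat_text) if p == port]
    want = requested_bind(cmdline) if cmdline else None
    return {"binds": binds, "requested": want,
            "lan_reachable": any(scope(a) != "loopback-only" for a in binds),
            "mismatch": bool(binds) and want is not None and want not in binds}

if __name__ == "__main__":
    print(check_port(SAMPLE_NETSTAT, 4433, GUNICORN_CMD))
```

    A loopback-only bind behind nginx is the tighter deployment, so "not LAN-reachable" is only a problem when the test genuinely needs direct access; when mismatch is true, comparing the PID in the listing (195998 here) with the PID of the gunicorn master you launched tells you whether the socket even belongs to that process.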

    21 replies · last at 2020-10-26 18:25:06 +08:00

    #1 Jammar · 2020-10-26 08:52:20 +08:00
    IP whitelist
    #2 Cooky · 2020-10-26 08:54:20 +08:00 via Android
    iptables?
    #3 black11black (OP) · 2020-10-26 08:56:39 +08:00
    @Cooky
    @Jammar Ubuntu's iptables is managed through ufw, right? If I turn ufw off, iptables should be cleared, shouldn't it? Not too familiar with it, but that's my impression.
    #4 black11black (OP) · 2020-10-26 08:57:36 +08:00
    On a side note, has anyone had CN2 blow up recently? I'm on China Unicom in the north connecting to BandwagonHost CN2, and the packet loss is terrible.
    #5 weyou · 2020-10-26 09:06:48 +08:00 via Android
    Try disabling SELinux.
    #6 BigOldBrother · 2020-10-26 09:33:39 +08:00 · ❤️ 1
    @black11black #3 Probably not. I hit the same problem when setting up a website: ufw had the firewall disabled, but there was a rule in iptables, `6 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited`, that caused every access to be rejected. You can use `iptables -L INPUT --line-numbers` to find that line, then run `iptables -D INPUT {line number}` to delete it. On my system it comes back automatically after a reboot; I don't know iptables well and rarely reboot, so I never got around to fixing it.
    #7 podel · 2020-10-26 09:59:41 +08:00
    Check the firewall. Even with UFW disabled, iptables is not necessarily cleared.
    Failing that, you can also capture packets and take a look.
    #8 Xusually · 2020-10-26 10:03:47 +08:00
    ufw is just a convenience tool for configuring iptables; stopping its service does not mean all iptables rules are cleared. Check anyway.
    #9 jimmy2010 · 2020-10-26 10:08:55 +08:00 via Android
    iptables -vnL
    cat /etc/selinux/config
    #10 black11black (OP) · 2020-10-26 10:23:31 +08:00
    @podel Got it. Ubuntu's ufw is pretty mysterious then; so-called disabling the firewall doesn't actually disable it. What's the point of the ufw disable command, then? ┓( ´∀` )┏
    #11 lithiumii · 2020-10-26 10:36:47 +08:00
    Rather than ufw disable, explicitly allow the specific ports you want to connect to.
    #12 Tink · 2020-10-26 11:02:29 +08:00 · ❤️ 1
    Check iptables.
    #13 Tkvoid · 2020-10-26 11:10:59 +08:00 via Android
    The posters above have already explained it fairly clearly... it's probably an iptables issue.
    #14 black11black (OP) · 2020-10-26 12:43:51 +08:00
    @jimmy2010 Hello, please see the appendix. I looked and didn't see any iptables rule blocking it, or am I misreading it?
    #15 Keyes · 2020-10-26 12:48:18 +08:00 via iPhone
    /etc/hosts.deny
    /etc/hosts.allow
    #16 AstroProfundis · 2020-10-26 13:24:24 +08:00
    0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306

    Isn't it this one?
    #17 AstroProfundis · 2020-10-26 13:25:38 +08:00
    @AstroProfundis Misread it; OP is asking about port 4433. Then this line looks a bit suspicious:
    401 28495 ufw-reject-input all -- * * 0.0.0.0/0 0.0.0.0/0
    #18 wormcy · 2020-10-26 13:26:16 +08:00
    Post netstat -antp as well.
    #19 black11black (OP) · 2020-10-26 15:27:25 +08:00
    @AstroProfundis Probably not that one; if it were, all of my network services should be completely down.

    @wormcy Please see the last appendix.
    #20 shenlanAZ · 2020-10-26 16:03:44 +08:00
    @black11black #19 Does this application have to go through a proxy server before it can be used?

    docs.gunicorn.org/en/stable/deploy.html
    #21 black11black (OP) · 2020-10-26 18:25:06 +08:00
    @shenlanAZ No; accessing 127.0.0.1:4433 locally works directly, without going through nginx.