SSH works, but ping and https do not respond

Background: I am trying to configure an Ubuntu server to run a node.js application over https. Previously everything worked fine over http (configured a year ago), and I wanted to open the firewall for :443 and redirect it to :8443.

sudo ufw allow 443/tcp
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443

When I try out my app, the https requests do not appear to register with the app (nothing in the app log, and the browser gets no response to the request). Pinging the server also gets no response (no timeout either). My cloud provider's dashboard states that the server cannot be pinged, and the cloud provider's firewall configuration also shows 443 allowed for all TCP. ... But I can still connect to the server over SSH without any problem.

Question: How can I fix this? As far as I can tell:

  • :443 is allowed in the firewall
  • :443 is redirected to :8443
  • node is listening on :8443
    sudo ufw status
    To                         Action      From
    --                         ------      ----
    80/tcp                     ALLOW       Anywhere                  
    443/tcp                    ALLOW       Anywhere                  
    80/tcp (v6)                ALLOW       Anywhere (v6)             
    443/tcp (v6)               ALLOW       Anywhere (v6)


    sudo iptables -t nat -L -n -v
    Chain PREROUTING (policy ACCEPT 9477 packets, 1121K bytes)
    pkts bytes target     prot opt in     out     source               destination         
    1413K   59M REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
        0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
        0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 8443

    Chain INPUT (policy ACCEPT 6826 packets, 410K bytes)
     pkts bytes target     prot opt in     out     source               destination         

    Chain OUTPUT (policy ACCEPT 74 packets, 6925 bytes)
     pkts bytes target     prot opt in     out     source               destination         

    Chain POSTROUTING (policy ACCEPT 74 packets, 6925 bytes)
     pkts bytes target     prot opt in     out     source               destination


    sudo netstat -ntlp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
    tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      108911/systemd-reso 
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      112287/sshd         
    tcp        0      0 0.0.0.0:1022            0.0.0.0:*               LISTEN      125785/sshd         
    tcp6       0      0 :::22                   :::*                    LISTEN      112287/sshd         
    tcp6       0      0 :::8443                 :::*                    LISTEN      125414/node         
    tcp6       0      0 :::1022                 :::*                    LISTEN      125785/sshd


sudo iptables -L -nv
Chain INPUT (policy DROP 120 packets, 30108 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
 381K   34M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
  998 94467 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
 8163 1107K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  54M   15G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2892K  172M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 5873 packets, 874K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-logging-deny (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-not-local (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-output (0 references)
 pkts bytes target     prot opt in     out     source               destination


Answer 1

Restart ufw.

sudo systemctl restart ufw

The iptables output shows that most of the rules added by ufw are missing. This is caused by manually flushing the tables (e.g. sudo iptables -F) while ufw is still running. Of course this also flushes ufw's rules and can cause a lot of damage, but random internet tutorials tell you to do it.
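A read-only check for the state the answer describes, added here as an example and not part of the original question or answer: in the question's `iptables -L -nv` output every `ufw-*` chain shows `(0 references)` and `INPUT` contains no jump into them, which is what a flushed built-in chain looks like. The sample text below is constructed from the question's output; the function names are my own.

```shell
#!/bin/sh
# Constructed sample, abridged from the question's output: ufw chains orphaned.
FLUSHED_SAMPLE='Chain INPUT (policy DROP 120 packets, 30108 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443

Chain ufw-before-input (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ufw-user-input (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
'

# Constructed sample of what a healthy ufw install looks like: INPUT jumps into
# the ufw-before-input chain and that chain is referenced once.
HEALTHY_SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-before-input (1 references)
 pkts bytes target     prot opt in     out     source               destination
'

# list_orphan_ufw_chains: names of ufw-* chains that nothing jumps to.
# Reads "iptables -L -nv" text on stdin.
list_orphan_ufw_chains() {
    sed -n 's/^Chain \(ufw-[a-z-]*\) (0 references)$/\1/p'
}

# input_jumps_to_ufw: exit 0 if the INPUT chain has a rule targeting a ufw chain.
input_jumps_to_ufw() {
    awk '/^Chain /{in_input=($2=="INPUT")} in_input && $3 ~ /^ufw-/ {found=1}
         END{exit found?0:1}'
}

# ufw_state: "flushed" when ufw chains are orphaned, "ok" otherwise.
ufw_state() {
    text=$(cat)
    if printf '%s\n' "$text" | input_jumps_to_ufw &&
       [ -z "$(printf '%s\n' "$text" | list_orphan_ufw_chains)" ]; then
        echo ok
    else
        echo flushed
    fi
}

# Live use on the affected host: sudo iptables -L -nv | ufw_state
```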