
Background: I am trying to configure an Ubuntu server to run a node.js application over https. Previously everything worked fine over http (configured a year ago). I want to open :443 in the firewall and redirect it to :8443:
sudo ufw allow 443/tcp
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443
When I try my application, it turns out the https requests never register in the application (nothing in the application log, and the browser never receives a response to the request). When I ping the server I get no response either (not even a timeout). My cloud provider's dashboard also reports that it cannot ping the server, and the cloud provider's firewall configuration shows that all tcp on 443 is allowed. ... However, I can still connect to the server without any problem.
Question: How do I fix this? As far as I can tell:
- the firewall allows 443
- :443 is redirected to :8443
- Node is listening on :8443
sudo ufw status
To Action From
-- ------ ----
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
80/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
sudo iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 9477 packets, 1121K bytes)
pkts bytes target prot opt in out source destination
1413K 59M REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
0 0 REDIRECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
0 0 REDIRECT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 redir ports 8443
Chain INPUT (policy ACCEPT 6826 packets, 410K bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 74 packets, 6925 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 74 packets, 6925 bytes)
pkts bytes target prot opt in out source destination
sudo netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 108911/systemd-reso
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 112287/sshd
tcp 0 0 0.0.0.0:1022 0.0.0.0:* LISTEN 125785/sshd
tcp6 0 0 :::22 :::* LISTEN 112287/sshd
tcp6 0 0 :::8443 :::* LISTEN 125414/node
tcp6 0 0 :::1022 :::* LISTEN 125785/sshd
sudo iptables -L -nv
Chain INPUT (policy DROP 120 packets, 30108 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
381K 34M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8443
998 94467 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8080
8163 1107K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
54M 15G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2892K 172M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5873 packets, 874K bytes)
pkts bytes target prot opt in out source destination
Chain ufw-after-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-after-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-before-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-logging-allow (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-logging-deny (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-not-local (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-reject-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-skip-to-policy-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-track-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-input (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
Chain ufw-user-limit (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-limit-accept (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-forward (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-input (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-logging-output (0 references)
pkts bytes target prot opt in out source destination
Chain ufw-user-output (0 references)
pkts bytes target prot opt in out source destination
Answer 1
Restart ufw.
sudo systemctl restart ufw
Your iptables output shows that most of the rules added by ufw are missing. This is caused by manually flushing the tables (e.g. sudo iptables -F) while ufw is still running, which of course also flushes ufw's rules and causes a lot of breakage, but random Internet tutorials will tell you to do it.