înregistrare Logare
Puncte:0
Rafael Emshoff avatar Server

SSH works, ping and https get no response

drapel cn
Rafael Emshoff

Background: I'm trying to configure an ubuntu server to run a node.js application with https. I previously had everything working fine with http (configured a year ago), and I wanted to open the firewall for :443 and redirect it to :8443:

sudo ufw allow 443/tcp
sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443

When trying out my app, it turned out the https request didn't register with the app (nothing in the app-logs, and browser never gets a response to the request). When I ping the server, I also don't get a response (it doesn't even time out). My cloud provider dashboard also states that it can't ping the server, and the cloud provider firewall config also says 443 is allowed for all tcp. ... But, I can still ssh onto the server without an issue.

Question How can I troubleshoot this? As far as I can tell

  • :443 is allowed on the firewall
  • :443 redirects to :8443
  • node is listening to :8443
    sudo ufw status
    To                         Action      From
    --                         ------      ----
    80/tcp                     ALLOW       Anywhere                  
    443/tcp                    ALLOW       Anywhere                  
    80/tcp (v6)                ALLOW       Anywhere (v6)             
    443/tcp (v6)               ALLOW       Anywhere (v6)


    sudo iptables -t nat -L -n -v
    Chain PREROUTING (policy ACCEPT 9477 packets, 1121K bytes)
    pkts bytes target     prot opt in     out     source               destination         
    1413K   59M REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
        0     0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
        0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080
        0     0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 8443

    Chain INPUT (policy ACCEPT 6826 packets, 410K bytes)
     pkts bytes target     prot opt in     out     source               destination         

    Chain OUTPUT (policy ACCEPT 74 packets, 6925 bytes)
     pkts bytes target     prot opt in     out     source               destination         

    Chain POSTROUTING (policy ACCEPT 74 packets, 6925 bytes)
     pkts bytes target     prot opt in     out     source               destination


    sudo netstat -ntlp
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
    tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      108911/systemd-reso 
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      112287/sshd         
    tcp        0      0 0.0.0.0:1022            0.0.0.0:*               LISTEN      125785/sshd         
    tcp6       0      0 :::22                   :::*                    LISTEN      112287/sshd         
    tcp6       0      0 :::8443                 :::*                    LISTEN      125414/node         
    tcp6       0      0 :::1022                 :::*                    LISTEN      125785/sshd


sudo iptables -L -nv
Chain INPUT (policy DROP 120 packets, 30108 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
 381K   34M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
  998 94467 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
 8163 1107K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  54M   15G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2892K  172M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 5873 packets, 874K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-after-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-before-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-logging-allow (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-logging-deny (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-not-local (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-reject-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-skip-to-policy-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-track-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain ufw-user-limit (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-limit-accept (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-forward (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-input (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-logging-output (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain ufw-user-output (0 references)
 pkts bytes target     prot opt in     out     source               destination
291
1 + 5
drapel jp
Dom
Vă rugăm să adăugați rezultatul comenzii „iptables -L -nv”. ICMP poate fi blocat. Ar trebui să adăugați jurnalele când un pachet este aruncat: va ajuta la diagnosticarea problemei.
0
Răspunde
Rafael Emshoff avatar
drapel cn
Rafael Emshoff
S-a adăugat rezultatul comenzii. Cum „adaug jurnalele când un pachet este aruncat”? Acestea sunt jurnalele de firewall? Verific asta pentru ICMP https://askubuntu.com/questions/6995/how-to-enable-ufw-firewall-to-allow-icmp-response
0
Răspunde
Rafael Emshoff avatar
drapel cn
Rafael Emshoff
ICMP pare activat. `-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT`
0
Răspunde
Rafael Emshoff avatar
drapel cn
Rafael Emshoff
Întrebări similare: https://serverfault.com/questions/311612/ping-fails-but-ssh-succeeds https://serverfault.com/questions/392704/ssh-connection-refused-with-out-iptables-rulles?rq=1
0
Răspunde
Martin avatar
drapel kz
Martin
Aș schimba REDIRECT-ul din PREROUTING în DNAT: https://serverfault.com/questions/179200/difference-beetween-dnat-and-redirect-in-iptables
0
Răspunde
Puncte:0
Michael Hampton avatar Server
drapel cz
Michael Hampton

Reporniți ufw.

sudo systemctl restart ufw

Ieșirea dvs. iptables arată că majoritatea regulilor adăugate de ufw lipsesc. Acest lucru este cauzat de spălarea manuală a meselor (de ex. sudo iptables -F) în timp ce ufw încă rulează, ceva care, desigur, va șterge regulile ufw și va cauza multe încălcări, dar tutorialele aleatorii de pe Internet vă vor spune să faceți.

0 + 0
drapel romania
SEF 777
întrebarea această in alte limbi:

Postează un răspuns

Majoritatea oamenilor nu înțeleg că a pune multe întrebări deblochează învățarea și îmbunătățește legătura interpersonală. În studiile lui Alison, de exemplu, deși oamenii își puteau aminti cu exactitate câte întrebări au fost puse în conversațiile lor, ei nu au intuit legătura dintre întrebări și apreciere. În patru studii, în care participanții au fost implicați în conversații ei înșiși sau au citit transcrieri ale conversațiilor altora, oamenii au avut tendința să nu realizeze că întrebarea ar influența – sau ar fi influențat – nivelul de prietenie dintre conversatori.