Networking

使用靜態 IP 的“沒有到主機的路由”。可以ping通

  • March 20, 2018

我剛剛從 DigitalOcean 配置了一個新伺服器。除了將 ssh 埠從 22 更改為 2202 之外,我認為我沒有對伺服器的網路配置進行任何更改,但是突然之間我無法通過 ssh 進入伺服器。我最初能夠在埠 2202 上使用 ssh 登錄幾次

請讓我知道這個問題是否有更好的 StackExchange

$ ssh -p 2202 user@159.89.x.x     
ssh: connect to host 159.89.x.x port 2202: No route to host

我可以ping伺服器

$ ping 159.89.x.x    
PING 159.89.x.x (159.89.x.x) 56(84) bytes of data.
64 bytes from 159.89.x.x: icmp_seq=1 ttl=56 time=30.0 ms
64 bytes from 159.89.x.x: icmp_seq=2 ttl=56 time=29.7 ms
64 bytes from 159.89.x.x: icmp_seq=3 ttl=56 time=29.9 ms

--- 159.89.x.x ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 29.756/29.932/30.083/0.134 ms

我關閉了除乙太網連接之外的所有網路配置

$ ifconfig 

eth0      Link encap:Ethernet  HWaddr 90:2b:34:d6:e1:d5  
         inet addr:192.168.0.8  Bcast:192.168.0.255  Mask:255.255.255.0
         inet6 addr: fe80::737e:c4b0:f37c:ab45/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:7449 errors:0 dropped:0 overruns:0 frame:0
         TX packets:139088 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000 
         RX bytes:6762469 (6.7 MB)  TX bytes:9333612 (9.3 MB)
         Interrupt:18 

lo        Link encap:Local Loopback  
         inet addr:127.0.0.1  Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING  MTU:65536  Metric:1
         RX packets:1180 errors:0 dropped:0 overruns:0 frame:0
         TX packets:1180 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1 
         RX bytes:109431 (109.4 KB)  TX bytes:109431 (109.4 KB)

這是跟踪路由

$ traceroute 159.89.x.x
traceroute to 159.89.x.x (159.89.x.x), 30 hops max, 60 byte packets
1  192.168.0.1 (192.168.0.1)  0.455 ms  0.613 ms  0.802 ms
2  hlrn-dsl-gw09.hlrn.qwest.net (207.225.x.x)  3.641 ms  3.833 ms  4.532 ms
3  hlrn-agw1.inet.qwest.net (71.217.x.x)  4.763 ms  4.733 ms  4.734 ms
4  dvr3-brdr-01.inet.qwest.net (208.168.x.x)  4.911 ms  5.347 ms  5.131 ms
5  den-b1-link.telia.net (213.248.93.94)  5.336 ms  5.327 ms  5.764 ms
6  sjo-b21-link.telia.net (213.155.133.171)  33.313 ms  29.887 ms  29.980 ms
7  digitalocean-ic-318773-sjo-b21.c.telia.net (62.115.149.7)  29.570 ms digitalocean-ic-306499-sjo-b21.c.telia.net (62.115.45.22)  30.931 ms  30.938 ms
8  159.89.x.x (159.89.x.x)  29.617 ms !X  29.838 ms !X  29.614 ms !X

nmap就是說的(我對如何有效地使用nmap非常不熟悉)

$ nmap 159.89.x.x

Starting Nmap 7.01 ( https://nmap.org ) at 2018-03-20 09:34 MDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.08 seconds

$ nmap -Pn 159.89.x.x

Starting Nmap 7.01 ( https://nmap.org ) at 2018-03-20 09:35 MDT
Nmap scan report for 159.89.x.x
Host is up (0.59s latency).
Not shown: 999 filtered ports
PORT   STATE  SERVICE
22/tcp closed ssh

$ nmap -Pn 159.89.x.x -p 2202  

Starting Nmap 7.01 ( https://nmap.org ) at 2018-03-20 12:56 MDT
Nmap scan report for 159.89.x.x
Host is up (0.036s latency).
PORT     STATE    SERVICE
2202/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

從 DigitalOcean 控制台(目前訪問機器的唯一方法),我能夠成功8.8.8.8curl -vL google.comping

同樣來自 DO 控制台,

(myserver)$ ip route

default via 159.89.128.1 dev eth0
10.46.0.0/16 dev eth0 proto kernel scope link src 10.46.0.5
159.89.128.0/20 dev eth0 proto kernel scope link src 159.89.x.x

由於我無法從 DO 控制台複製/粘貼,這是一張圖片sudo iptables -nvL INPUT

<code>sudo iptables -nvL INPUT</code> 的輸出

您忘記在防火牆中打開埠。您需要這樣做,例如,因為您使用的是 firewalld:

firewall-cmd --add-port=2202/tcp

一旦它開始工作,就讓它成為永久的。

聽起來您可能有一個iptables衝突阻塞埠2202。嘗試此過程作為測試,看看您是否可以重新獲得訪問權限:

iptables-save > ~/iptables.save
iptables -F

然後在 port 上重新嘗試 SSH 2202。如果這可行,您的防火牆規則需要調整,如果它不起作用,請確保您也沒有與 Digital Ocean 防火牆發生衝突。

要恢復規則,請執行以下命令:

iptables-restore < ~/iptables.save

引用自:https://serverfault.com/questions/903649