Networking
ssh cannot establish a connection
I have several machines connected to the same network:
- A: 134.157.xxx.xxx
- B: 134.157.yyy.yyy
- C: 134.157.zzz.zzz
My problem is that A can no longer connect to C. However:
- A can ssh to A and B
- B can ssh to A, B and C
- C can ssh to A, B and C
Here is some command output from A:
```
~$ telnet 134.157.zzz.zzz 22
Trying 134.157.zzz.zzz...
telnet: Unable to connect to remote host: Connection timed out
```

```
~$ ping 134.157.zzz.zzz
PING 134.157.zzz.zzz (134.157.zzz.zzz) 56(84) bytes of data.
64 bytes from 134.157.zzz.zzz: icmp_seq=1 ttl=64 time=0.283 ms
64 bytes from 134.157.zzz.zzz: icmp_seq=2 ttl=64 time=0.315 ms
64 bytes from 134.157.zzz.zzz: icmp_seq=3 ttl=64 time=0.314 ms
^C
--- 134.157.zzz.zzz ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2082ms
rtt min/avg/max/mdev = 0.283/0.304/0.315/0.014 ms
```

```
~$ ssh -vvv 134.157.zzz.zzz
OpenSSH_7.6p1 Ubuntu-4ubuntu0.3, OpenSSL 1.0.2n  7 Dec 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: resolving "134.157.zzz.zzz" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 134.157.zzz.zzz [134.157.zzz.zzz] port 22.
debug1: connect to address 134.157.zzz.zzz port 22: Connection timed out
ssh: connect to host 134.157.zzz.zzz port 22: Connection timed out
```
It used to work, no configuration files were changed, and rebooting A changes nothing.
How should I investigate this?
Edit:

```
# on C
~$ tcpdump src 134.157.xxx.xxx -vv -i eno3
~$ tcpdump src 134.157.yyy.yyy -vv -i eno3

# on A
~$ ssh 134.157.zzz.zzz

# on B
~$ ssh 134.157.zzz.zzz
```

Only the command started on B produces any output on C.
Second edit:

```
# on A
~$ tcpdump -vv -i any dst 134.157.zzz.zzz
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
12:32:18.609219 IP (tos 0x0, ttl 64, id 24010, offset 0, flags [DF], proto TCP (6), length 60)
    AAA.33648 > 134.157.zzz.zzz.ssh: Flags [S], cksum 0xf9fc (correct), seq 3301194634, win 64240, options [mss 1460,sackOK,TS val 2209953097 ecr 0,nop,wscale 7], length 0
12:32:19.628185 IP (tos 0x0, ttl 64, id 24011, offset 0, flags [DF], proto TCP (6), length 60)
    AAA.33648 > 134.157.zzz.zzz.ssh: Flags [S], cksum 0xf601 (correct), seq 3301194634, win 64240, options [mss 1460,sackOK,TS val 2209954116 ecr 0,nop,wscale 7], length 0
12:32:21.676188 IP (tos 0x0, ttl 64, id 24012, offset 0, flags [DF], proto TCP (6), length 60)
    AAA.33648 > 134.157.zzz.zzz.ssh: Flags [S], cksum 0xee01 (correct), seq 3301194634, win 64240, options [mss 1460,sackOK,TS val 2209956164 ecr 0,nop,wscale 7], length 0
# and so on until timeout
```
Third edit:

```
# on A
~$ arp -an            # contains 134.157.zzz.zzz with the correct hardware address
~$ arp -d 134.157.yyy.yyy   # success
~$ arp -d 134.157.zzz.zzz   # error (see below)
SIOCDARP(dontpub): Network is unreachable

# on C
~$ arp -an            # does not contain 134.157.xxx.xxx
~$ arp -s 134.157.xxx.xxx aa:aa:aa:aa:aa:aa   # adds it, but solves nothing
```
Fourth edit:

```
# After a while running
#   tcpdump -vv -i any dst 134.157.zzz.zzz
# on A, I finally got
13:19:09.716711 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 134.157.zzz.zzz tell 134.157.mmm.mmm, length 46
13:23:55.162747 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 134.157.zzz.zzz tell 134.157.nnn.nnn, length 46
13:29:59.119983 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 134.157.zzz.zzz tell 134.157.nnn.nnn, length 46
# which is strange...
```
I finally found the problem: the netmask on A was wrong (255.255.255.128 instead of 255.255.255.0). We probably missed this when the network was updated.
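The netmask mistake above can be reproduced offline to see why it produces exactly this symptom pattern (B still reachable, C not, and `arp -d` for C answering "Network is unreachable"). The following is an added example, not code from the original post. The concrete host parts (.10, .50, .200) are constructed, since the post only gives 134.157.xxx.xxx, yyy.yyy and zzz.zzz; the assumption is that B's host part falls below 128 and C's at or above it, which is what the post's reachability pattern implies under a /25 mask.

```python
"""Show how a wrong netmask on host A changes which neighbours A treats as
on-link. Added example; addresses are constructed stand-ins for the post's
134.157.xxx.xxx (A), yyy.yyy (B) and zzz.zzz (C)."""
import ipaddress

# Constructed sample addresses (assumption: B's host part < 128, C's >= 128).
A_IP = "134.157.1.10"
B_IP = "134.157.1.50"
C_IP = "134.157.1.200"

WRONG_MASK = "255.255.255.128"  # what A was actually configured with (/25)
RIGHT_MASK = "255.255.255.0"    # what the rest of the LAN uses (/24)


def local_network(ip: str, netmask: str) -> ipaddress.IPv4Network:
    """The on-link network a host derives from its own address and netmask."""
    return ipaddress.IPv4Interface(f"{ip}/{netmask}").network


def is_on_link(src_ip: str, src_mask: str, dst_ip: str) -> bool:
    """True if src will ARP for dst directly (same subnet); False if the
    kernel routes the packet to the default gateway instead. The False case
    is the one where `arp -d dst` fails with 'Network is unreachable',
    because the kernel has no directly connected route covering dst."""
    return ipaddress.IPv4Address(dst_ip) in local_network(src_ip, src_mask)


def next_hop(src_ip: str, src_mask: str, dst_ip: str) -> str:
    return "direct" if is_on_link(src_ip, src_mask, dst_ip) else "via default gateway"


def reachability_table(src_ip: str, src_mask: str, targets: dict) -> dict:
    """Map each named target to how src would reach it under src_mask."""
    return {name: next_hop(src_ip, src_mask, ip) for name, ip in targets.items()}


def off_link_range(ip: str, wrong_mask: str, right_mask: str) -> list:
    """The part of the real subnet that the wrong (longer) mask pushes
    off-link, i.e. every neighbour A can no longer ARP for directly."""
    real = local_network(ip, right_mask)
    believed = local_network(ip, wrong_mask)
    return list(real.address_exclude(believed))


if __name__ == "__main__":
    targets = {"A": A_IP, "B": B_IP, "C": C_IP}
    for mask in (WRONG_MASK, RIGHT_MASK):
        print(f"A with netmask {mask}: on-link network is {local_network(A_IP, mask)}")
        for name, how in reachability_table(A_IP, mask, targets).items():
            print(f"  {name} ({targets[name]}): {how}")
    print("Pushed off-link by the wrong mask:",
          [str(n) for n in off_link_range(A_IP, WRONG_MASK, RIGHT_MASK)])
```

With the /25 mask A believes its LAN is 134.157.1.0/25, so B (host part below 128) is still reached by ARP while C (host part above 128) is handed to the default gateway. That matches the captures in the post: C's tcpdump never sees A's SYN on the wire from A, and `arp -d` for C fails with "Network is unreachable" because the kernel has no on-link route for it. The post does not say why the gateway passed the ICMP echo but not the TCP SYN, so that part stays an open question. On the live host the equivalent checks are `ip -4 addr show` (to read the configured prefix length) and `ip route get 134.157.zzz.zzz` (to see whether the kernel picks a direct route or the gateway).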
Since ICMP works between A and C, the problem is probably higher up the stack. Since B can reach C, it is unlikely to be at the application layer.
My guess is a firewall restriction.
To verify, I would use tcpdump or a similar tool to look at the packets received and sent, starting with tcpdump on C to see whether it receives packets from A, and then work backwards.