绑定 0.0.0.0 的网络服务，无法通过局域网 IP 访问，可能是什么原因导致的？

V2EX = way to explore

V2EX 是一个关于分享和探索的地方

现在注册

已注册用户请登录

V2EX 提问指南

这是一个创建于 1471 天前的主题，其中的信息可能已经有所发展或是发生改变。

如题，脑阔疼。

一个服务出了问题需要本地测试，

系统环境 ubuntu18.04 ，

部署方案是 nginx -> gunicorn -> flask，没过 nginx 之前是不需要域名就可以访问的。

========================

目前测试反映如下:

1 、本地访问 127.0.0.1:4433，服务正常

2 、本地执行 ifconfig，确认局域网 IP 为 192.168.0.10 （ SSH 是通过这个 IP 连上的，这里只是确认一下）

3 、执行 wget 192.168.0.10:4433 得到结果 failed:connection refused

4 、怀疑是不是防火墙拦截，直接关闭防火墙 ufw disable

5 、执行 wget 192.168.0.10:4433 得到结果 failed:connection refused，结果没有改变

6 、默认系统镜像，装机后没有单独配置过防火墙，防火墙应该本来就是关闭的

比较懵，有没有带佬知道可能是什么原因导致的

第 1 条附言 · 2020-10-26 12:40:59 +08:00

贴条，根据v友提示，查看了iptables规则和selinux，未发现影响局域网访问的选项，命令返回内容如下。

iptables查看规则列表如下

root@gui_ubuntu:~# iptables -vnL
Chain INPUT (policy ACCEPT 318 packets, 24587 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 750K   12G ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  36M 1865G ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
  595 39160 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
  417 30218 ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  417 30218 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  416 30178 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  401 28495 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  401 28495 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  401 28495 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

第 2 条附言 · 2020-10-26 12:42:11 +08:00

接上文
```
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ufw-before-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-before-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-after-logging-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-reject-forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ufw-track-forward all -- * * 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 35542 packets, 94M bytes)
pkts bytes target prot opt in out source destination
42680 96M ufw-before-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
42680 96M ufw-before-output all -- * * 0.0.0.0/0 0.0.0.0/0
35571 94M ufw-after-output all -- * * 0.0.0.0/0 0.0.0.0/0
35571 94M ufw-after-logging-output all -- * * 0.0.0.0/0 0.0.0.0/0
35571 94M ufw-reject-output all -- * * 0.0.0.0/0 0.0.0.0/0
35571 94M ufw-track-output all -- * * 0.0.0.0/0 0.0.0.0/0

Chain ufw-after-forward (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-input (1 references)
pkts bytes target prot opt in out source destination

Chain ufw-after-logging-forward (1 references)
pkts bytes target prot opt in out source destination

以下重复若干行

```

第 3 条附言 · 2020-10-26 12:42:41 +08:00

cat /etc/selinux/config命令提示文件不存在，查看/etc/selinux下有唯一文件semanage.conf 内容如下：

root@gui_ubuntu:/etc/selinux# cat semanage.conf 
# Authors: Jason Tang <[email protected]>
#
# Copyright (C) 2004-2005 Tresys Technology, LLC
#
#  This library is free software; you can redistribute it and/or
#  modify it under the terms of the GNU Lesser General Public
#  License as published by the Free Software Foundation; either
#  version 2.1 of the License, or (at your option) any later version.
#
#  This library is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
#  Lesser General Public License for more details.
#
#  You should have received a copy of the GNU Lesser General Public
#  License along with this library; if not, write to the Free Software
#  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
#
# Specify how libsemanage will interact with a SELinux policy manager.
# The four options are:
#
#  "source"     - libsemanage manipulates a source SELinux policy
#  "direct"     - libsemanage will write directly to a module store.
#  /foo/bar     - Write by way of a policy management server, whose
#                 named socket is at /foo/bar.  The path must begin
#                 with a '/'.
#  foo.com:4242 - Establish a TCP connection to a remote policy
#                 management server at foo.com.  If there is a colon
#                 then the remainder is interpreted as a port number;
#                 otherwise default to port 4242.
module-store = direct

第 4 条附言 · 2020-10-26 12:42:57 +08:00

接上文

# When generating the final linked and expanded policy, by default
# semanage will set the policy version to POLICYDB_VERSION_MAX, as
# given in <sepol/policydb.h>.  Change this setting if a different
# version is necessary.
#policy-version = 19

# expand-check check neverallow rules when executing all semanage commands.
# Large penalty in time if you turn this on.
expand-check=0

# By default, semanage will generate policies for the SELinux target.
# To build policies for Xen, uncomment the following line.
#target-platform = xen

===

顺便吐槽，ubuntu18.04自带drop 3306端口的吗，这台机器应该是没装过mysql的，也是惊了。

第 5 条附言 · 2020-10-26 15:25:58 +08:00

贴条 netstat -antp

root@gui_ubuntu:~# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      25486/smbd             
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      190606/php-fpm: mas 
tcp        0      0 192.168.0.10:22         0.0.0.0:*               LISTEN      1550/sshd           
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      25486/smbd          
tcp        0      0 127.0.0.1:4433          0.0.0.0:*               LISTEN      195998/python3.8    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      1007/systemd-resolv     
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      198990/sshd: wwwusr 
tcp        0      0 192.168.0.10:63210      192.168.0.113:14926     ESTABLISHED 198896/sshd: wwwusr 
tcp        0      0 192.168.0.10:34680      192.168.0.113:445       ESTABLISHED -                   
tcp        0      0 192.168.0.10:47338      192.168.0.113:3306      ESTABLISHED 196002/python3.8    
tcp        0      0 192.168.0.10:47330      192.168.0.113:3306      ESTABLISHED 196001/python3.8    
tcp        0      0 192.168.0.10:47332      192.168.0.113:3306      ESTABLISHED 196001/python3.8    
tcp        0      0 192.168.0.10:47336      192.168.0.113:3306      ESTABLISHED 196004/python3.8    
tcp        0    108 192.168.0.10:59060      65.47.201.117:7000      ESTABLISHED 199044/frpc         
tcp        0      0 192.168.0.10:47334      192.168.0.113:3306      ESTABLISHED 196002/python3.8

第 6 条附言 · 2020-10-26 15:26:15 +08:00

接上

tcp        0      0 192.168.0.10:63210      192.168.0.10:38406      ESTABLISHED 199822/sshd: wwwusr 
tcp        0      0 192.168.0.10:47328      192.168.0.113:3306      ESTABLISHED 196003/python3.8    
tcp        0      0 192.168.0.10:47326      192.168.0.113:3306      ESTABLISHED 196003/python3.8    
tcp        0      0 192.168.0.10:47340      192.168.0.113:3306      ESTABLISHED 196004/python3.8    
tcp6       0      0 :::445                  :::*                    LISTEN      25486/smbd          
tcp6       0      0 :::139                  :::*                    LISTEN      25486/smbd          
tcp6       0      0 :::5678                 :::*                    LISTEN      194568/caddy              
tcp6       0      0 ::1:6010                :::*                    LISTEN      198990/sshd: wwwusr 
root@gui_ubuntu:~#

文中公网IP经过了修改。

netstat看，端口4433的服务绑在127.0.0.1上，发现了盲点。

但是gunicorn启动命令确实是0.0.0.0，我用的gunicorn启动命令如下：

gunicorn -w 10 guiapp_gunicorn:pmain --bind 0.0.0.0:4433 --error-logfile - --worker-class sync

192.168.0.10

防火墙

connectino

Nginx

21 条回复 • 2020-10-26 18:25:06 +08:00

Jammar

2020-10-26 08:52:20 +08:00

ip 白名单

Cooky

2020-10-26 08:54:20 +08:00 via Android

iptables ？

black11black

2020-10-26 08:56:39 +08:00

@Cooky
@Jammar ubuntu 的 iptables 是通过 ufw 管理的吧，我 ufw 关了应该 iptalbes 清空吧？不太了解，感觉是这样

black11black

2020-10-26 08:57:36 +08:00

另外贴个条，各位最近有没有炸 cn2 的情况啊，坐标北方联通连搬瓦工 cn2，丢包贼严重

weyou

2020-10-26 09:06:48 +08:00 via Android

关闭 selinux 试试

BigOldBrother

2020-10-26 09:33:39 +08:00

@black11black #3 应该不是的，我搭网页的时候遇到过跟你一样的问题，ufw 关闭了防火墙，但是 iptables 里边有一条规则`6 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited`会导致所有访问都被 Reject 。可以使用`iptables -L INPUT --line-numbers`找到这一行，然后运行`iptables -D INPUT {行号}`删除这一行即可。我这边系统重启之后会自动恢复，对 iptables 不太了解，而且也不经常重启就没有解决这个问题。