centos7 - 端口打开时 telnet 超时

Question

我买了一个 VPS 并在上面构建了一个 shadowsocks 服务器。它运行了大约 2 个月，但突然无法工作，即我无法使用它克服 GFW。所以我检查了服务器，重新安装了所有东西，检查了防火墙，但仍然无法解决问题。请帮我解决这个难题！

首先，我可以 ssh 到服务器。我使用的是mac，服务器操作系统是CentOS7。

我试图从 mac ping 服务器，它可以连接。

PING vultr (108.61.215.163): 56 data bytes
64 bytes from 108.61.215.163: icmp_seq=0 ttl=50 time=485.473 ms
64 bytes from 108.61.215.163: icmp_seq=1 ttl=50 time=407.054 ms
64 bytes from 108.61.215.163: icmp_seq=2 ttl=50 time=429.089 ms
64 bytes from 108.61.215.163: icmp_seq=3 ttl=50 time=552.046 ms
^C
--- vultr ping statistics ---
5 packets transmitted, 4 packets received, 20.0% packet loss
round-trip min/avg/max/stddev = 407.054/468.416/552.046/56.118 ms

然后我使用我在 shadowsocks 中定义的特定端口远程登录它，但它无法连接。

# telnet 108.61.216.163 8754
Trying 108.61.215.163...
telnet: connect to address 108.61.215.163: Operation timed out
telnet: Unable to connect to remote host

所以从服务器我检查netstat：

 # netstat -anltp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3253/sshd           
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      3498/master         
tcp        0      0 108.61.215.163:8754     0.0.0.0:*               LISTEN      3652/python         
tcp        0      0 108.61.215.163:22       218.92.1.158:45819      SYN_RECV    -                   
tcp        0     21 108.61.215.163:22       150.162.11.207:43510    ESTABLISHED 3847/sshd: [accepte 
tcp        0      0 108.61.215.163:22       58.49.194.24:55529      ESTABLISHED 3793/sshd: root@pts 
tcp        0   1281 108.61.215.163:22       218.92.1.158:19746      FIN_WAIT1   -                   
tcp        0   1280 108.61.215.163:22       36.156.24.99:50400      ESTABLISHED 3843/sshd: [accepte 
tcp        0      0 108.61.215.163:8754     58.49.194.24:56578      SYN_RECV    -                   
tcp6       0      0 :::22                   :::*                    LISTEN      3253/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      3498/master

端口是 8754，PID3652 是我的 shadowsocks 服务。

我还检查了我的防火墙设置，并且端口 8754 是打开的，

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh http https
  ports: 8754/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
    rule family="ipv4" port port="8754" protocol="tcp" accept

我还检查了 iptables，这是返回的内容：

# iptables -xvn -L
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
     349    31354 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
      63     2928 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      63     2928 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      63     2928 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       1       44 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
      47     1972 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
       0        0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
       0        0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 408 packets, 71561 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
     410    71641 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 FWDI_public  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           [goto] 
       0        0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FORWARD_OUT_ZONES (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 FWDO_public  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           [goto] 
       0        0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FORWARD_direct (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FWDI_public (2 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDI_public_allow (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FWDI_public_deny (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FWDI_public_log (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FWDO_public (2 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_public_allow (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FWDO_public_deny (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FWDO_public_log (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain INPUT_ZONES (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
      61     2800 IN_public  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           [goto] 
       2      128 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain INPUT_direct (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain IN_public (2 references)
    pkts      bytes target     prot opt in     out     source               destination         
      63     2928 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      63     2928 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      63     2928 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_public_allow (1 references)
    pkts      bytes target     prot opt in     out     source               destination         
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8754 ctstate NEW
      15      912 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8754 ctstate NEW

Chain IN_public_deny (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain IN_public_log (1 references)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT_direct (1 references)
    pkts      bytes target     prot opt in     out     source               destination

我不知道该检查什么或现在该做什么...请指教...非常感谢！

score 0 · Accepted Answer

看起来SYN数据包（新连接）已收到，但连接仍然存在。

tcp        0      0 108.61.215.163:8754     58.49.194.24:56578      SYN_RECV    -

我认为这意味着防火墙允许新连接（SYN）。另一种验证方法是暂时禁用 firewalld 并尝试连接/代理。如果它仍然不起作用，那么您应该检查shadowsocks服务。

centos7 - 端口打开时 telnet 超时

1 回答 1

Related

Reference