无法在外部主机

时间:2018-03-06 20:12:57

标签: python ssl tcp centos iptables

请有人帮我这个!我现在真的很难挣几个小时。不知道该怎么做,到处搜索每一页,仍然没有解决方案。

我有一个Python脚本,它侦听端口443(https - TCP)。它通过此端口接收JSON POST消息。问题是它没有从外部主机接收任何东西,只能从它自己接收。我的意思是,当我使用来自外部主机的POSTMAN模拟POST时,它永远不会回答:

(我用' y.y.y.y'我的服务器IP屏蔽了我的脚本中的一个令牌&x 39x xxxx')

didnt receive

但是当我从我自己的服务器内部发送完全相同的东西时,它完美地工作。从我自己的服务器内部发送的代码:

[root@rrpump bot]# curl -v -k -X POST -H "Content-Type: application/json" -H "Cache-Control: no-cache"  -d '{
> "update_id":10000,
> "message":{
>   "date":1441645532,
>   "chat":{
>      "last_name":"Test Lastname",
>      "id":1111111,
>      "type": "private",
>      "first_name":"Test Firstname",
>      "username":"Testusername"
>   },
>   "message_id":1365,
>   "from":{
>      "last_name":"Test Lastname",
>      "id":1111111,
>      "first_name":"Test Firstname",
>      "username":"Testusername"
>   },
>   "text":"/start"
> }
> }' "https://y.y.y.y/xxxx"

成功的回应:

* About to connect() to y.y.y.y port 443 (#0)
*   Trying y.y.y.y...
* Connected to y.y.y.y (y.y.y.y) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=y.y.y.y 1,O=Example Brooklyn Company,L=Brooklyn,ST=New York,C=US
*       start date: Mar 06 13:54:03 2018 GMT
*       expire date: Mar 06 13:54:03 2019 GMT
*       common name: y.y.y.y
*       issuer: CN=y.y.y.y,O=Example Brooklyn Company,L=Brooklyn,ST=New York,C=US
> POST /xxxx HTTP/1.1
> User-Agent: curl/7.29.0
> Host: y.y.y.y
> Accept: */*
> Content-Type: application/json
> Cache-Control: no-cache
> Content-Length: 392
>
* upload completely sent off: 392 out of 392 bytes
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: WebhookHandler/1.0 Python/3.6.4
< Date: Tue, 06 Mar 2018 16:52:55 GMT
<
* Closing connection 0

已经检查过是否真的在该端口收听:

[root@rrpump bot]# lsof -i:443
COMMAND     PID USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
python3.6 30644 root    8u  IPv4 2785755157      0t0  TCP *:https (LISTEN)

已经检查过iptables(最后一次&#39; ACCEPT&#39;行):

[root@rrpump bot]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
           all  --  anywhere             anywhere
           tcp  --  anywhere             anywhere
           tcp  --  anywhere             anywhere             tcp dpt:pcsync-https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pcsync-https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

防火墙也已停用:

[root@rrpump bot]# firewall-cmd --permanent --add-port=443/tcp
FirewallD is not running

我正在使用美国hostinger VPS服务器CENTOS 7 64位运行它。我忘记在这里查看什么?!

1 个答案:

答案 0 :(得分:2)

在iptables规则中,您的脚本有accept个规则符合reject规则。它们永远不会被使用,因为它们以相同的顺序检查iptables列表它们。因此内核首先找到匹配的reject规则。您必须将iptables -I规则移至表格末尾,或将其移至顶部(使用iptables -A插入,而不是reject追加)。 或者删除reject规则,并将输入链的默认政策设置为dropiptables --list

另请注意,内核级别的所有表总是有一些规则(至少是默认策略)。因此,通过禁用某些系统守护程序,您不必使主机对所有连接都敞开。如果不确定,请务必参考/etc/hosts.allow

哦,还有一个较旧的解决方案,用于根据文件/etc/hosts.denyapplication/json的内容接受/拒绝TCP连接。请检查一个是否允许与443的连接,另一个是否拒绝。