请有人帮我这个!我现在真的很难挣几个小时。不知道该怎么做,到处搜索每一页,仍然没有解决方案。
我有一个Python脚本,它侦听端口443(https - TCP)。它通过此端口接收JSON POST消息。问题是它没有从外部主机接收任何东西,只能从它自己接收。我的意思是,当我使用来自外部主机的POSTMAN模拟POST时,它永远不会回答:
(我用' y.y.y.y'我的服务器IP屏蔽了我的脚本中的一个令牌&x 39x xxxx')
但是当我从我自己的服务器内部发送完全相同的东西时,它完美地工作。从我自己的服务器内部发送的代码:
[root@rrpump bot]# curl -v -k -X POST -H "Content-Type: application/json" -H "Cache-Control: no-cache" -d '{
> "update_id":10000,
> "message":{
> "date":1441645532,
> "chat":{
> "last_name":"Test Lastname",
> "id":1111111,
> "type": "private",
> "first_name":"Test Firstname",
> "username":"Testusername"
> },
> "message_id":1365,
> "from":{
> "last_name":"Test Lastname",
> "id":1111111,
> "first_name":"Test Firstname",
> "username":"Testusername"
> },
> "text":"/start"
> }
> }' "https://y.y.y.y/xxxx"
成功的回应:
* About to connect() to y.y.y.y port 443 (#0)
* Trying y.y.y.y...
* Connected to y.y.y.y (y.y.y.y) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=y.y.y.y 1,O=Example Brooklyn Company,L=Brooklyn,ST=New York,C=US
* start date: Mar 06 13:54:03 2018 GMT
* expire date: Mar 06 13:54:03 2019 GMT
* common name: y.y.y.y
* issuer: CN=y.y.y.y,O=Example Brooklyn Company,L=Brooklyn,ST=New York,C=US
> POST /xxxx HTTP/1.1
> User-Agent: curl/7.29.0
> Host: y.y.y.y
> Accept: */*
> Content-Type: application/json
> Cache-Control: no-cache
> Content-Length: 392
>
* upload completely sent off: 392 out of 392 bytes
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Server: WebhookHandler/1.0 Python/3.6.4
< Date: Tue, 06 Mar 2018 16:52:55 GMT
<
* Closing connection 0
已经检查过是否真的在该端口收听:
[root@rrpump bot]# lsof -i:443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
python3.6 30644 root 8u IPv4 2785755157 0t0 TCP *:https (LISTEN)
已经检查过iptables(最后一次&#39; ACCEPT&#39;行):
[root@rrpump bot]# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
all -- anywhere anywhere
tcp -- anywhere anywhere
tcp -- anywhere anywhere tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere tcp dpt:pcsync-https
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
防火墙也已停用:
[root@rrpump bot]# firewall-cmd --permanent --add-port=443/tcp
FirewallD is not running
我正在使用美国hostinger VPS服务器CENTOS 7 64位运行它。我忘记在这里查看什么?!
答案 0 :(得分:2)
在iptables规则中,您的脚本有accept
个规则符合reject
规则。它们永远不会被使用,因为它们以相同的顺序检查iptables列表它们。因此内核首先找到匹配的reject
规则。您必须将iptables -I
规则移至表格末尾,或将其移至顶部(使用iptables -A
插入,而不是reject
追加)。
或者删除reject
规则,并将输入链的默认政策设置为drop
或iptables --list
。
另请注意,内核级别的所有表总是有一些规则(至少是默认策略)。因此,通过禁用某些系统守护程序,您不必使主机对所有连接都敞开。如果不确定,请务必参考/etc/hosts.allow
。
哦,还有一个较旧的解决方案,用于根据文件/etc/hosts.deny
和application/json
的内容接受/拒绝TCP连接。请检查一个是否允许与443的连接,另一个是否拒绝。