如果netstat中没有列出一个服务器如何接受端口443的传入流量?
如果netstat中没有列出一个服务器如何接受端口443的传入流量?
提问于 2020-05-07 02:40:40
我有一个目前正在接受HTTPS请求的服务器,在netstat -plnt中唯一显示的是:
elijahlynn@web:~$ sudo netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 10.218.108.1:53 0.0.0.0:* LISTEN 10242/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1111/sshd
tcp6 0 0 fd42:9324:ab98:50fb::53 :::* LISTEN 10242/dnsmasq
tcp6 0 0 fe80::c024:c5ff:fe68:53 :::* LISTEN 10242/dnsmasq
tcp6 0 0 :::22 :::* LISTEN 1111/sshd sudo lsof -i :443也没有返回任何内容。
我也尝试过ss工具的变体,但是没有运气能看到任何声音。
此服务器使用iptables将流量转发到LXC "haproxy“容器,但据我所知,操作系统首先需要将端口绑定到dameon或应用程序。事实上,这并没有显示任何端口处于侦听状态,但仍然提供通信服务,这对我理解事情是如何工作的来说是很困难的。
有没有可能让一个程序在端口上监听而不是用netstat、lsof或ss显示呢?
更新:
elijahlynn@web:~$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:domain /* generated for LXD network lxdbr0 */
ACCEPT udp -- anywhere anywhere udp dpt:domain /* generated for LXD network lxdbr0 */
ACCEPT udp -- anywhere anywhere udp dpt:bootps /* generated for LXD network lxdbr0 */
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere /* generated for LXD network lxdbr0 */
ACCEPT all -- anywhere anywhere /* generated for LXD network lxdbr0 */
ACCEPT all -- anywhere 10.0.0.0/8 state NEW,RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:domain /* generated for LXD network lxdbr0 */
ACCEPT udp -- anywhere anywhere udp spt:domain /* generated for LXD network lxdbr0 */
ACCEPT udp -- anywhere anywhere udp spt:bootps /* generated for LXD network lxdbr0 */UPDATE2:
elijahlynn@web:~$ sudo ss -lptn | column -t
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 32 10.218.108.1:53 *:* users:(("dnsmasq",pid=10242,fd=9))
LISTEN 0 128 *:22 *:* users:(("sshd",pid=1111,fd=3))
LISTEN 0 32 fd42:9324:ab98:50fb::1:53 :::* users:(("dnsmasq",pid=10242,fd=13))
LISTEN 0 32 fe80::c024:c5ff:fe68:999e%lxdbr0:53 :::* users:(("dnsmasq",pid=10242,fd=11))
LISTEN 0 128 :::22 :::* users:(("sshd",pid=1111,fd=4)) UPDATE3:
elijahlynn@web:~$ sudo lsof -i -n | column -t
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1111 root 3u IPv4 786 0t0 TCP *:ssh (LISTEN)
sshd 1111 root 4u IPv6 788 0t0 TCP *:ssh (LISTEN)
dnsmasq 10242 lxd 4u IPv4 343469983 0t0 UDP *:bootps
dnsmasq 10242 lxd 6u IPv6 343469985 0t0 UDP *:dhcpv6-server
dnsmasq 10242 lxd 8u IPv4 343469988 0t0 UDP 10.218.108.1:domain
dnsmasq 10242 lxd 9u IPv4 343469989 0t0 TCP 10.218.108.1:domain (LISTEN)
dnsmasq 10242 lxd 10u IPv6 343469990 0t0 UDP [fe80::c024:c5ff:fe68:999e]:domain
dnsmasq 10242 lxd 11u IPv6 343469991 0t0 TCP [fe80::c024:c5ff:fe68:999e]:domain (LISTEN)
dnsmasq 10242 lxd 12u IPv6 343469992 0t0 UDP [fd42:9324:ab98:50fb::1]:domain
dnsmasq 10242 lxd 13u IPv6 343469993 0t0 TCP [fd42:9324:ab98:50fb::1]:domain (LISTEN)回答 3
Server Fault用户
发布于 2020-05-07 03:47:14
iptables可以对交通做很多伏都教--寻找一条重定向规则。而且LXC可以用不同的网络命名空间- ip netns list -进一步混浊水。
[root@r510-main ~]# ip -all netns exec netstat -plnt
netns: qrouter-a0291178-a7d9-4419-a47e-47d8bdfe6fa2
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9697 0.0.0.0:* LISTEN 11202/haproxy
netns: qdhcp-4addb334-d787-4d0c-a1bf-d3696c67cb15
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 11190/dnsmasq
tcp6 0 0 ::1:53 :::* LISTEN 11190/dnsmasq
tcp6 0 0 fd00:...:1200:f81:53 :::* LISTEN 11190/dnsmasq
tcp6 0 0 fe80::...fe9a:53 :::* LISTEN 11190/dnsmasq
netns: qdhcp-0c964c4d-3cd3-415b-9f42-61206fff0328
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 11186/dnsmasq
tcp 0 0 172.24.18.2:53 0.0.0.0:* LISTEN 11186/dnsmasq
tcp6 0 0 ::1:53 :::* LISTEN 11186/dnsmasq
tcp6 0 0 fd00:...:12ff:f81:53 :::* LISTEN 11186/dnsmasq
tcp6 0 0 fe80::...fe88:53 :::* LISTEN 11186/dnsmasq然而,从dom-0 lsof -n -P -i :53没有返回任何信息。
[root@r510-main ~]# lsof -n -P -i :53
[root@r510-main ~]# ip -all netns exec lsof -n -P -i :53
netns: qrouter-a0291178-a7d9-4419-a47e-47d8bdfe6fa2
netns: qdhcp-4addb334-d787-4d0c-a1bf-d3696c67cb15
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dnsmasq 11190 nobody 4u IPv4 105932 0t0 UDP 127.0.0.1:53
dnsmasq 11190 nobody 5u IPv4 105933 0t0 TCP 127.0.0.1:53 (LISTEN)
dnsmasq 11190 nobody 6u IPv6 105934 0t0 UDP [fe80::...:fe9a:9bd2]:53
dnsmasq 11190 nobody 7u IPv6 105935 0t0 TCP [fe80::...:fe9a:9bd2]:53 (LISTEN)
dnsmasq 11190 nobody 8u IPv6 105936 0t0 UDP [fd00:...:9bd2]:53
dnsmasq 11190 nobody 9u IPv6 105937 0t0 TCP [fd00:...:9bd2]:53 (LISTEN)
dnsmasq 11190 nobody 10u IPv6 105938 0t0 UDP [::1]:53
dnsmasq 11190 nobody 11u IPv6 105939 0t0 TCP [::1]:53 (LISTEN)
netns: qdhcp-0c964c4d-3cd3-415b-9f42-61206fff0328
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
dnsmasq 11186 nobody 6u IPv4 94770 0t0 UDP 172.24.18.2:53
dnsmasq 11186 nobody 7u IPv4 94771 0t0 TCP 172.24.18.2:53 (LISTEN)
dnsmasq 11186 nobody 8u IPv4 94772 0t0 UDP 127.0.0.1:53
dnsmasq 11186 nobody 9u IPv4 94773 0t0 TCP 127.0.0.1:53 (LISTEN)
dnsmasq 11186 nobody 10u IPv6 94774 0t0 UDP [fe80::...:fe88:a0b5]:53
dnsmasq 11186 nobody 11u IPv6 94775 0t0 TCP [fe80::...:fe88:a0b5]:53 (LISTEN)
dnsmasq 11186 nobody 12u IPv6 94776 0t0 UDP [fd00:...:fe88:a0b5]:53
dnsmasq 11186 nobody 13u IPv6 94777 0t0 TCP [fd00:...:fe88:a0b5]:53 (LISTEN)
dnsmasq 11186 nobody 14u IPv6 94778 0t0 UDP [::1]:53
dnsmasq 11186 nobody 15u IPv6 94779 0t0 TCP [::1]:53 (LISTEN)Server Fault用户
发布于 2020-05-07 03:33:58
也许您希望使用nmap来扫描服务器上的端口,下面是一个示例:
$ nmap -p443 ip-address
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 04:33 a/B
Nmap scan report for some IP
Host is up (0.011s latency).
PORT STATE SERVICE
443/tcp open https
Nmap done: 1 IP address (1 host up) scanned in 2.45 secondsServer Fault用户
发布于 2022-04-19 16:46:12
检查nat表中是否有任何内容:sudo iptables -t nat -L
过滤器表是原始输出中显示的唯一内容,而如果iptables将443重定向到当前的某个侦听端口,则它将位于NAT表中。
页面原文内容由Server Fault提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://serverfault.com/questions/1016031
复制相关文章
相似问题
腾讯云开发者
