Warm tip: This article is reproduced from serverfault.com, please click
google-compute-engine

其他-尽管有防火墙规则,仍无法连接到Google Cloud Compute实例上的端口80

(其他 - Can't connect to port 80 on Google Cloud Compute instance despite firewall rule)

发布于 2017-06-19 00:18:18

总之,尽管我设置了允许tcp:80的防火墙规则,但是位于“默认”网络上的GCE实例不接受与端口80的连接。看来我的实例上仅打开了端口22。我可以对其进行ping操作,但在64跳以下无法跟踪到它。

接下来的是我的调查,这些调查使我得出了这些结论。

gcloud beta compute firewall-rules list

NAME                    NETWORK  DIRECTION  PRIORITY  ALLOW                         DENY
default-allow-http      default  INGRESS    1000      tcp:80
default-allow-https     default  INGRESS    1000      tcp:443
default-allow-icmp      default  INGRESS    65534     icmp
default-allow-internal  default  INGRESS    65534     tcp:0-65535,udp:0-65535,icmp
default-allow-rdp       default  INGRESS    65534     tcp:3389
default-allow-ssh       default  INGRESS    65534     tcp:22
temp                    default  INGRESS    1000      tcp:8888


gcloud compute instances list
NAME   ZONE        MACHINE_TYPE  PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP    STATUS
ssrf3  us-west1-c  f1-micro      true         10.138.0.4   35.197.33.182  RUNNING


gcloud compute instances describe ssrf3
...
name: ssrf3
networkInterfaces:
- accessConfigs:
  - kind: compute#accessConfig
    name: external-nat
    natIP: 35.197.33.182
    type: ONE_TO_ONE_NAT
  kind: compute#networkInterface
  name: nic0
  network: https://www.googleapis.com/compute/v1/projects/hack-170416/global/networks/default
  networkIP: 10.138.0.4
  subnetwork: https://www.googleapis.com/compute/v1/projects/hack-170416/regions/us-west1/subnetworks/default
...
tags:
  fingerprint: 6smc4R4d39I=
  items:
  - http-server
  - https-server

我将ssh放入35.197.33.182(这是ssrf3实例)并运行:

sudo nc -l -vv -p 80

在本地计算机上,我运行:

nc 35.197.33.182 80 -vv
hey

但什么也没发生。因此,我尝试对主机执行ping操作。看起来很健康:

ping 35.197.33.182 
PING 35.197.33.182 (35.197.33.182): 56 data bytes
64 bytes from 35.197.33.182: icmp_seq=0 ttl=57 time=69.172 ms
64 bytes from 35.197.33.182: icmp_seq=1 ttl=57 time=21.509 ms

Traceroute经过64跳后退出,但未到达35.197.33.182目标。

因此,我检查了使用nmap打开的端口:

nmap 35.197.33.182

Starting Nmap 7.12 ( https://nmap.org ) at 2017-06-18 16:39 PDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.06 seconds



nmap 35.197.33.182 -Pn

Starting Nmap 7.12 ( https://nmap.org ) at 2017-06-18 16:39 PDT
Nmap scan report for 182.33.197.35.bc.googleusercontent.com (35.197.33.182)
Host is up (0.022s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 6.84 seconds

…即使我nc -l -p 80以35.197.33.182运行

Questioner
Rose Perrone
Viewed
11
分享
PrecariousJimi 2017-06-19 18:04:38

确保虚拟机级防火墙没有介入。例如,与所有其他默认映像相比,Container-Optimized OS有点特殊:

默认情况下,容器优化的OS主机防火墙仅允许传出连接,并且仅通过SSH服务接受传入的连接。要在容器优化的OS实例上接受传入连接,必须打开服务正在侦听的端口。

https://cloud.google.com/container-optimized-os/docs/how-to/firewall

Jack Davidson 2019-03-07 03:48:20

在搜寻Google一段时间后,我花了5个小时查看我真正简单的防火墙规则。谢谢你

热门帖子

1
学英语的朋友们可以来看看 https://langplayground.top/
2
华中科大的计算机技术的在职硕士,职场认可度如何?
3
十兆宽带 100 块钱一个月我是活在 80 年代吗?
4
关于高质量 屏幕共享的问题
5
我是真的受不了打小报告的三八了!
6
怎么管理自己的文件体系
7
[开发者自荐] AirBattery: 在 Mac 端获取所有设备的电量并显示在 Dock 或状态栏上
8
南京移动 IPV6 被停
9
WireGuard 跨国组网失败后,一个新工具的诞生
10
你的 IDEA(2024.1) 在 macOS 上崩吗?

热门github

1
A multi-platform library for OpenGL, OpenGL ES, Vulkan, window and input (翻译:适用于 OpenGL、OpenGL ES、Vulkan、窗口和输入的多平台库)
2
Dev tool that writes scalable apps from scratch while the developer oversees the implementation (翻译:可扩展开发工具的 PoC,该工具从头开始编写整个应用程序,同时开发人员监督实施)
3
shadcn/ui, but for Svelte. ✨ (翻译:shadcn-svelte是shadcn/ui的非官方社区主导的Svelte端口。)
4
The Python Risk Identification Tool for generative AI (PyRIT) is an open access automation framework to empower security professionals and machine learning engineers to proactively find risks in their generative AI systems. (翻译:用于生成式 AI 的 Python 风险识别工具 (PyRIT) 是一个开放式访问自动化框架,使安全专业人员和机器学习工程师能够主动发现其生成式 AI 系统中的风险。)
5
Performance-portable, length-agnostic SIMD with runtime dispatch (翻译:Highway 是一个提供可移植 SIMD/向量内在函数的 C++ 库。)
6
ZK Credo (翻译:ZK信条)
7
OpenCodeInterpreter: Integrating Code Generation with Execution and Refinement (翻译:OpenCodeInterpreter:将代码生成与执行和优化集成)
8
Joplin - the secure note taking and to-do app with synchronisation capabilities for Windows, macOS, Linux, Android and iOS. (翻译:Joplin - 一个开源的笔记和待办事项应用程序,具有Windows,macOS,Linux,Android和iOS的同步功能。)
9
Mamba is a new state space model architecture showing promising performance on information-dense data such as language modeling, where previous subquadratic models fall short of Transformers. It is based on the line of progress on structured state space models, with an efficient hardware-aware design and implementation in the spirit of FlashAttention. (翻译:Mamba 是一种新的状态空间模型架构,在信息密集型数据(例如语言建模)上显示出良好的性能,而之前的二次模型在 Transformers 方面存在不足。它基于结构化状态空间模型的进展,并本着FlashAttention的精神进行高效的硬件感知设计和实现。)
10
This repository contains System Design resources which are useful while preparing for interviews and learning Distributed Systems (翻译:该存储库包含系统设计资源,在准备面试和学习分布式系统时非常有用)
11
Curso para aprender el lenguaje de programación Python desde cero y para principiantes. 75 clases, 37 horas en vídeo, código, proyectos y grupo de chat. Fundamentos, frontend, backend, testing, IA... (翻译:从零开始学习 Python 编程语言的课程,适合初学者)
12
🎓 Path to a free self-taught education in Computer Science! (翻译:🎓计算机科学免费自学教程!)
13
1️⃣🐝🏎️ The One Billion Row Challenge -- A fun exploration of how quickly 1B rows from a text file can be aggregated with Java (翻译:十亿行挑战 —— 使用 Java 对文本文件中的 10 亿行数据进行聚合的有趣探索)
14
A collective list of free APIs (翻译:免费 API 的集合列表)
15
📚 Freely available programming books (翻译:📚 免费提供的编程书籍)