GCP中的ufw防火墙

Question

我在 Google Cloud 中有一个虚拟机，我正在尝试通过 TCP 端口 8890 连接到它。 我已经在 GCP 中设置了防火墙规则，所以问题出在 VM 防火墙上。

我使用 Debian 10 作为操作系统并且我已经安装了 ufw。 ufw status 命令的输出是：

Status: active

    To                         Action      From
    --                         ------      ----
    22/tcp                     ALLOW       Anywhere
    
    2222                       ALLOW       Anywhere
    21                         ALLOW       Anywhere
    Nginx Full                 ALLOW       Anywhere
    21/tcp                     ALLOW       Anywhere
    49152:65535/tcp            ALLOW       Anywhere
    5432                       ALLOW       Anywhere
    8890                       ALLOW       Anywhere
    8890/tcp                   ALLOW       Anywhere
    8890/udp                   ALLOW       Anywhere
    Anywhere                   ALLOW       127.0.0.1
    22/tcp (v6)                ALLOW       Anywhere (v6)
    2222 (v6)                  ALLOW       Anywhere (v6)
    21 (v6)                    ALLOW       Anywhere (v6)
    Nginx Full (v6)            ALLOW       Anywhere (v6)
    21/tcp (v6)                ALLOW       Anywhere (v6)
    49152:65535/tcp (v6)       ALLOW       Anywhere (v6)
    5432 (v6)                  ALLOW       Anywhere (v6)
    8890 (v6)                  ALLOW       Anywhere (v6)
    8890/tcp (v6)              ALLOW       Anywhere (v6)
    8890/udp (v6)              ALLOW       Anywhere (v6)

但如果尝试telnet localhost 8890：

正在尝试 ::1... 正在尝试 127.0.0.1... telnet：无法连接到远程主机：连接被拒绝

netstat -tulpn | grep LISTEN 命令的输出是：

tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      614/nginx: master p
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      607/sshd
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN      561/postgres
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      614/nginx: master p
tcp6       0      0 :::80                   :::*                    LISTEN      614/nginx: master p
tcp6       0      0 :::21                   :::*                    LISTEN      433/vsftpd
tcp6       0      0 :::22                   :::*                    LISTEN      607/sshd
tcp6       0      0 :::5432                 :::*                    LISTEN      561/postgres
tcp6       0      0 :::443                  :::*                    LISTEN      614/nginx: master p

Answer 1

这是来自 Google Cloud 的日志 JSON：

{
insertId: "1m9sozhg3119gk8"
jsonPayload: {
connection: {
dest_ip: "10.132.0.2"
dest_port: 8890
protocol: 6
src_ip: "194.158.251.129"
src_port: 61330
}
disposition: "ALLOWED"
instance: {
project_id: "quokka-319212"
region: "europe-west1"
vm_name: "mkb-quokka"
zone: "europe-west1-b"
}
remote_location: {
continent: "Europe"
country: "che"
region: "Ticino"
}
rule_details: {
action: "ALLOW"
direction: "INGRESS"
ip_port_info: [
0: {
ip_protocol: "TCP"
port_range: [
0: "8890"
]
}
]
priority: 100
reference: "network:default/firewall:port-8890"
source_range: [
0: "0.0.0.0/0"
]
}
vpc: {
project_id: "quokka-319212"
subnetwork_name: "default"
vpc_name: "default"
}
}
logName: "projects/quokka-319212/logs/compute.googleapis.com%2Ffirewall"
receiveTimestamp: "2021-08-11T12:54:47.345480725Z"
resource: {
labels: {
location: "europe-west1-b"
project_id: "quokka-319212"
subnetwork_id: "4380110765229239135"
subnetwork_name: "default"
}
type: "gce_subnetwork"
}
timestamp: "2021-08-11T12:54:41.981790820Z"
}

确认问题出在远程而不是在 Google Cloud 防火墙中

Answer 2

这是预期的行为。为了看到

tcp 0 0 0.0.0.0:8890 0.0.0.0:*

执行以下操作

1 apt-get install python # install python
2 python -m SimpleHTTPServer 8890 # server listening on port 8890
3 Open a new window #wheel top right corner > new connection to instance
4 netstat -tulpn | grep LISTEN

原因： 如果服务或其他程序实际上正在侦听该端口上的传入连接，netstat 只会显示该端口。