This article describes how to deal with being unable to connect to port 80 on a Google Cloud Compute instance despite firewall rules, which may be a useful reference for anyone hitting the same problem.

Problem description

In summary, although I've set a firewall rule that allows tcp:80, my GCE instance, which is on the "default" network, is not accepting connections to port 80. It appears only port 22 is open on my instance. I can ping it, but can't traceroute to it in under 64 hops.

What follows is my investigation that led me to those conclusions.

gcloud beta compute firewall-rules list

NAME                    NETWORK  DIRECTION  PRIORITY  ALLOW                         DENY
default-allow-http      default  INGRESS    1000      tcp:80
default-allow-https     default  INGRESS    1000      tcp:443
default-allow-icmp      default  INGRESS    65534     icmp
default-allow-internal  default  INGRESS    65534     tcp:0-65535,udp:0-65535,icmp
default-allow-rdp       default  INGRESS    65534     tcp:3389
default-allow-ssh       default  INGRESS    65534     tcp:22
temp                    default  INGRESS    1000      tcp:8888
gcloud compute instances list
NAME   ZONE        MACHINE_TYPE  PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP    STATUS
ssrf3  us-west1-c  f1-micro      true         10.138.0.4   35.197.33.182  RUNNING
gcloud compute instances describe ssrf3
...
name: ssrf3
networkInterfaces:
- accessConfigs:
  - kind: compute#accessConfig
    name: external-nat
    natIP: 35.197.33.182
    type: ONE_TO_ONE_NAT
  kind: compute#networkInterface
  name: nic0
  network: https://www.googleapis.com/compute/v1/projects/hack-170416/global/networks/default
  networkIP: 10.138.0.4
  subnetwork: https://www.googleapis.com/compute/v1/projects/hack-170416/regions/us-west1/subnetworks/default
...
tags:
  fingerprint: 6smc4R4d39I=
  items:
  - http-server
  - https-server

I ssh into 35.197.33.182 (which is the ssrf3 instance) and run:

sudo nc -l -vv -p 80

On my local machine, I run:

nc 35.197.33.182 80 -vv
hey

but nothing happens. So I try to ping the host. That looks healthy:

ping 35.197.33.182
PING 35.197.33.182 (35.197.33.182): 56 data bytes
64 bytes from 35.197.33.182: icmp_seq=0 ttl=57 time=69.172 ms
64 bytes from 35.197.33.182: icmp_seq=1 ttl=57 time=21.509 ms

Traceroute quits after 64 hops, without reaching the 35.197.33.182 destination.

So I check which ports are open with nmap:

nmap 35.197.33.182

Starting Nmap 7.12 ( https://nmap.org ) at 2017-06-18 16:39 PDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.06 seconds
nmap 35.197.33.182 -Pn

Starting Nmap 7.12 ( https://nmap.org ) at 2017-06-18 16:39 PDT
Nmap scan report for 182.33.197.35.bc.googleusercontent.com (35.197.33.182)
Host is up (0.022s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 6.84 seconds

… even when I’m running nc -l -p 80 on 35.197.33.182.

Recommended answer

Ensure that the VM-level firewall is not intervening. For example, Container-Optimized OS is a bit special in comparison to all other default images:

https://cloud.google.com/container-optimized-os/docs/how-to/firewall
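The question's probes (nc, ping, nmap) all run from outside the VM, so they cannot tell a VPC firewall drop from a guest-OS firewall drop. The answer points at the second possibility. The script below is an added example, not part of the original question or answer and not Google's code: it takes the text of `sudo iptables -S INPUT` from the VM and reports whether a new inbound TCP connection to a given port would be ACCEPTed, DROPped or REJECTed by the host firewall. The sample rule sets, the `eth0` interface name and the helper names are constructed for this example; the appended `--dport 80 -j ACCEPT` rule is the kind of fix the linked Container-Optimized OS page describes.

```shell
#!/bin/sh
# Added example (not from the original post): evaluate the host firewall's INPUT
# chain, as printed by `sudo iptables -S INPUT`, for a NEW inbound TCP connection.
# Run on the VM:   sudo iptables -S INPUT | verdict_for_port 80
# Assumptions (constructed for this example): the NIC is eth0, jumps to user-defined
# chains are not followed, and only -p / -i / --dport(s) / --state / --ctstate are
# evaluated; other match modules (e.g. -m tcp, -m conntrack) are treated as matching.

# verdict_for_port PORT [IFACE]  reads rules on stdin, prints ACCEPT | DROP | REJECT
verdict_for_port() {
  awk -v port="$1" -v iface="${2:-eth0}" '
    # does port p fall inside a spec such as "80", "80:90" or "80,443,8000:8100"?
    function in_ports(spec, p,   n, parts, k, r) {
      n = split(spec, parts, ",")
      for (k = 1; k <= n; k++) {
        split(parts[k], r, ":")
        if (r[2] == "") r[2] = r[1]
        if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) return 1
      }
      return 0
    }
    # chain policy: applies when no rule decides
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    # walk the rules in order; the first matching terminal target wins
    $1 == "-A" && $2 == "INPUT" {
      ok = 1; neg = 0; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "!") { neg = 1; continue }          # "!" negates the next match
        cond = -1
        if ($i == "-p")                                cond = ($(i+1) == "tcp")
        else if ($i == "-i")                           cond = ($(i+1) == iface)
        else if ($i == "--dport" || $i == "--dports")  cond = in_ports($(i+1), port)
        else if ($i == "--state" || $i == "--ctstate") cond = ($(i+1) ~ /NEW/)  # a SYN is a NEW flow
        else if ($i == "-j")                           target = $(i+1)
        if (cond != -1) { if (cond == neg) ok = 0; neg = 0; i++ }
      }
      if (ok && (target == "ACCEPT" || target == "DROP" || target == "REJECT")) { verdict = target; exit }
    }
    END { print (verdict != "" ? verdict : (policy != "" ? policy : "ACCEPT")) }
  '
}

# Constructed sample of a locked-down host firewall: SSH is the only new inbound TCP
# traffic allowed, which reproduces the "only port 22 is open" symptom even though
# the VPC rule default-allow-http permits tcp:80.
LOCKED_DOWN_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# The same chain after appending a rule like
#   sudo iptables -w -A INPUT -p tcp --dport 80 -j ACCEPT
# (as `iptables -S` would then print it).
FIXED_RULES="$LOCKED_DOWN_RULES
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT"

# check_host_firewall RULES PORT  -> verdict for PORT under the given rule text
check_host_firewall() { printf '%s\n' "$1" | verdict_for_port "$2"; }

printf 'port 80 before fix: %s\n' "$(check_host_firewall "$LOCKED_DOWN_RULES" 80)"   # DROP
printf 'port 22 before fix: %s\n' "$(check_host_firewall "$LOCKED_DOWN_RULES" 22)"   # ACCEPT
printf 'port 80 after fix:  %s\n' "$(check_host_firewall "$FIXED_RULES" 80)"         # ACCEPT
```

If the verdict for port 80 is DROP while `gcloud compute firewall-rules list` shows an INGRESS allow for tcp:80 that targets the instance, the block is inside the guest and no amount of VPC rule editing will help; if the host verdict is ACCEPT and `nc -l` is listening, look back at the VPC side (rule direction, priority, and whether the rule's target tags actually match the instance's tags).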

09-05 16:31