场景
在服务器接收端使用tcpdump抓包,排查服务上层无法接收到报文的问题。显示发送数据包发送失败:
Internet Control Message Protocol Type: 3 (Destination unreachable) Code: 10 (Host administratively prohibited)
分析
1)通过lsof -i:5060说明上层服务在监听消息,使用的是UDP协议
[root@taishan-atlas ~]# lsof -i:5060 COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME cvos_sip_ 15132 root 13u IPv4 464525 0t0 UDP taishan-atlas:sip
2)发送端ping服务器是正常的
3)查看防火墙的配置
[root@localhost opt]# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere anywhere ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain FORWARD (policy ACCEPT) target prot opt source destination REJECT all -- anywhere anywhere reject-with icmp-host-prohibited Chain OUTPUT (policy ACCEPT) target prot opt source destination
4)通过抓包可以看到发送的数据包直接被防火墙丢弃了,通过firewall-cmd --list-ports指令发现,开放的端口是TCP协议的,不是UDP协议的,导致的问题,通过开放端口,指定协议UDP,解决问题
firewall-cmd --zone=public --add-port=5060/udp --permanent