[Solved] Cannot connect to the server, Error: connect ETIMEDOUT. #133

Closed
ilvsx opened this Issue Jun 20, 2014 · 43 comments

ilvsx commented Jun 20, 2014

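Result

Caused by the VPS's default firewall settings. The problem is solved, but I still have a lot to learn...


Server side

A newly created Vultr VPS on the Japan node, running CentOS 6 x64. Installed according to the instructions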

yum install m2crypto python-setuptools
easy_install pip
pip install shadowsocks

Created and edited the configuration file /etc/shadowsocks.json

ssserver -c /etc/shadowsocks.json

Configuration file contents. This is for testing, so the IP is not anonymized

[root@vultr ~]# cat /etc/shadowsocks.json
{
"server":"108.61.126.208",
"server_port":8388,
"local_address": "127.0.0.1",
"local_port":1080,
"password":"sakuya",
"timeout":300,
"method":"aes-256-cfb",
"fast_open": false,
"workers": 1
}

Starting shadowsocks

[root@vultr ~]# ssserver -c /etc/shadowsocks.json
shadowsocks 2.0.6
2014-06-20 04:25:34 INFO starting server at 108.61.126.208:8388

Local client

Using shadowsocks-gui-0.4.1-win-ia32, configured as follows:

{
      "server": "108.61.126.208",
      "server_port": "8388",
      "password": "sakuya",
      "local_port": "1080",
      "method": "aes-256-cfb",
      "timeout": "300"
}

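The browser is Chrome with the SwitchySharp extension, set to SOCKS v5, 127.0.0.1, 1080

Problem

I believe my configuration and steps are fine. I don't know why, but it just won't connect and keeps showing Error: connect ETIMEDOUT. I have ruled out a local port restriction, because I had been using someone else's ss service all along, also on port 8388.
If it's convenient for you, I can create a new VPS and send you the account, password and IP.

Attempted diagnostics

Found that the ss port on the server is open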

[root@vultr ~]# netstat -tunpl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 880/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 966/master

tcp 0 0 108.61.126.208:8388 0.0.0.0:* LISTEN 1263/python

tcp 0 0 :::22 :::* LISTEN 880/sshd
tcp 0 0 ::1:25 :::* LISTEN 966/master
udp 0 0 108.61.126.208:123 0.0.0.0:* 888/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 888/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 888/ntpd

udp 0 0 108.61.126.208:8388 0.0.0.0:* 1263/python

udp 0 0 fe80::5054:ff:fe05:cde1:123 :::* 888/ntpd
udp 0 0 ::1:123 :::* 888/ntpd
udp 0 0 :::123 :::* 888/ntpd

But tcping from the client machine (tcping to port 22 works fine):

Probing 108.61.126.208:8388/tcp - No response - time=2004.751ms 
Probing 108.61.126.208:8388/tcp - No response - time=2000.428ms 
Probing 108.61.126.208:8388/tcp - No response - time=2000.683ms 
Probing 108.61.126.208:8388/tcp - No response - time=2001.352ms 

Ping statistics for 108.61.126.208:8388
     4 probes sent. 
     0 successful, 4 failed.
Was unable to connect, cannot provide trip statistics.

clowwindy commented Jun 20, 2014

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8388

Then try connecting via 443 and see

ilvsx commented Jun 20, 2014

Same problem... tcping to port 443 still gives No response

clowwindy commented Jun 20, 2014

What about running tcping on the VPS itself?

clowwindy commented Jun 20, 2014

CentOS seems to have a firewall enabled by default. You could add the corresponding rule and try again.

clowwindy added the question label Jun 20, 2014

ilvsx commented Jun 20, 2014

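When the ss service is running on the VPS, tcping on the VPS shows the ss server's port as open... I'll take a look at the firewall rules.
I've ruled out the local firewall and ISP restrictions, because with someone else's ss service the same port works fine.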

clowwindy commented Jun 20, 2014

The server's firewall. I know EC2 blocks everything except 22 by default; I don't know how Vultr handles it.

ilvsx commented Jun 20, 2014

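The replies actually show up in real time! I didn't even refresh the page...
I haven't learned Linux firewalls yet... I just flipped through 鸟哥 (VBird)'s book and it feels really complicated, so all I can do is list the current table rules for you to look at: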

[root@vultr ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

ilvsx commented Jun 20, 2014

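Should I create a new VPS and give you root, the password and the IP, so you can take a look when you have time? I feel that would make the problem easier to solve; with my limited knowledge I may not be describing everything.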

clowwindy commented Jun 20, 2014

Use iptables -F to clear the rules.
If you're at the stage of reading 鸟哥 (VBird)'s book, I'd suggest using Debian instead.

ilvsx commented Jun 20, 2014

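Thanks for the suggestion~
Clearing the rules doesn't work either QAQ, same situation. I've set up ss on Linode and on Sakura (Japan) before without any problems (my luck really has been hopeless lately...)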

clowwindy commented Jun 20, 2014

Run iptables -L again and see?

ilvsx commented Jun 20, 2014

This is the state with the rules cleared, right...

[root@vultr ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

clowwindy commented Jun 20, 2014

Then add iptables -A INPUT -p tcp –dport 443 -j ACCEPT and see?

ilvsx commented Jun 20, 2014

[root@vultr ~]# iptables -A INPUT -p tcp –dport 443 -j ACCEPT
Bad argument `–dport'
Try `iptables -h' or 'iptables --help' for more information.

Comparing with the earlier command, I added a - in front of -dport

[root@vultr ~]#  iptables -A INPUT -p tcp -–dport 443 -j ACCEPT
iptables v1.4.7: option `-p' requires an argument
Try `iptables -h' or 'iptables --help' for more information.

clowwindy commented Jun 20, 2014

sorry,

iptables -A INPUT -p tcp --dport 8388 -j ACCEPT

ilvsx commented Jun 20, 2014

GOOD JOB! It works now~
So it was the firewall after all...

ilvsx changed the title from "[Unsolved] Cannot connect to the server, Error: connect ETIMEDOUT." to "[Solved] Cannot connect to the server, Error: connect ETIMEDOUT." Jun 20, 2014

clowwindy closed this Jun 20, 2014

maxmoce commented Dec 11, 2015

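Reviving an old thread: is it necessary to run the -f flush command before the command that accepts the port? I set up a new ss server on Vultr, and it also connects but web pages won't open. Thanks.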

dongqisheng520 commented Dec 15, 2015

On Vultr I can use shadowsocks with Ubuntu but not with CentOS; it looks like a firewall problem here too.

andylin2008 commented Jan 10, 2016

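I ran into the same problem as the original poster and also suspected the firewall. I added the firewall rule following clowwindy's method in this thread, but still couldn't connect.
Restarted the iptables firewall:
service iptables restart
and then
checked again with iptables -L -n
and found that the rule I had added was gone!
After running service iptables save to save it, the rule no longer got lost, but the SS client still couldn't connect to the VPS.
Experts, please advise!
In a fit of anger I deleted all the rules with iptables -F.
And then it worked!!!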

maxmoce commented Mar 1, 2016

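Actually I don't have any rules either. It just works once everything is cleared; no need to worry too much about this.
On Jan 10, 2016 at 4:53 PM, "andylin2008" notifications@github.com wrote:

I ran into the same problem as the original poster and also suspected the firewall. I added the firewall rule following clowwindy's method in this thread, but still couldn't connect.
Restarted the iptables firewall:
service iptables restart
and then
checked again with iptables -L -n
and found that the rule I had added was gone!
Experts, please advise!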



James0112 commented Apr 16, 2016

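After searching for most of the day I finally found this thread. On Debian 8.1 with iptables configured, simply adding the ss-server port did nothing, and deleting all rules with iptables -F didn't work either; then adding the ss-server port with iptables again surprisingly worked. Thanks!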

yanzi1225627 commented May 21, 2016

Don't flush all the firewall rules. On CentOS 7, edit the public.xml file under the /etc/firewalld/zones directory and write the port into it, e.g. to add port 1000:

 <port protocol="tcp" port="1000"/>
  <port protocol="udp" port="1000"/>

After saving, run: firewall-cmd --complete-reload and that's it.

yanzi1225627 commented May 21, 2016

If you'd rather not edit public.xml in vim directly, you can also add the ports with the following commands:

# firewall-cmd --zone=public --add-port=6022/tcp --permanent
# firewall-cmd --zone=public --add-port=6022/udp --permanent

The above works without any problems on CentOS 7.

James0112 commented Jun 2, 2016

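I tried again today. With the old iptables rules already in place, adding the port with a statement like the following still doesn't allow access:
sudo iptables -I INPUT 9 -p tcp --dport 12368 -j ACCEPT

But after writing a completely new iptables ruleset to overwrite the old one, I was able to use the port to get over the wall.
PS: The system is Debian 8.1. It's better to keep the firewall.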

lee199111 commented Jun 7, 2016

Problem solved, thank you very much!!!

muyexi commented Jul 7, 2016

I ran into this problem too, with the error "getpeername: Invalid argument"

yjd commented Jul 14, 2016

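On CentOS 6.7 I also couldn't connect; after testing for a long time I finally found the problem. It lies in this default rule.
Chain INPUT
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
# Rejects all other packets that do not match any of the rules above, and sends a host-prohibited message to the rejected host
# Show the rule numbers
iptables -L -n --line-numbers
# Delete rule number x
iptables -D INPUT 5 # it was the fifth one here
# Save the rules
service iptables save
# Restart iptables
service iptables restart

# Keeping iptables enabled on the server is recommended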
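
Several comments above report that adding an ACCEPT rule for the ss port did nothing while the catch-all REJECT was in place. The sketch below, an added example that is not part of the thread, models why: iptables stops at the first matching rule, so a rule appended with -A after the REJECT is never reached, while one inserted with -I at the REJECT's position is. The ruleset is constructed sample data in `iptables -S INPUT` form and assumes the bare "ACCEPT all" line in the `iptables -L -n` listing is the stock loopback-only rule (`-i lo`), which that listing hides without `-v`; `verdict`, `reject_pos` and `insert_before` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread. STOCK_RULES is constructed sample data in
# `iptables -S INPUT` format, modelled on the CentOS 6 default chain shown above.
STOCK_RULES='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
NEW_RULE='-A INPUT -p tcp --dport 8388 -j ACCEPT'

# verdict PORT: rules on stdin; prints "<target> <rule number>" of the first rule
# matching a NEW inbound TCP connection to PORT on a non-loopback interface.
# Only the match options used in this thread are understood (hypothetical helper).
verdict() {
  awk -v port="$1" '{
      target = ""; dport = ""; proto = "all"; skip = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "-j") target = $(i + 1)
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") dport = $(i + 1)
        if ($i == "-i" && $(i + 1) == "lo") skip = 1        # loopback only
        if ($i == "--state" && $(i + 1) !~ /NEW/) skip = 1  # established traffic only
      }
      if (skip || (proto != "all" && proto != "tcp")) next
      if (dport != "") {                                    # single port or lo:hi range
        n = split(dport, r, ":")
        if (port + 0 < r[1] + 0 || port + 0 > r[n] + 0) next
      }
      print target, NR; found = 1; exit
    }
    END { if (!found) print "POLICY", 0 }'
}

# reject_pos: rules on stdin; number of the first catch-all REJECT/DROP, 0 if none.
reject_pos() {
  awk '$3 == "-j" && ($4 == "REJECT" || $4 == "DROP") { print NR; f = 1; exit }
       END { if (!f) print 0 }'
}

# insert_before N: rules on stdin; emits them with NEW_RULE placed at position N.
insert_before() { awk -v n="$1" -v r="$NEW_RULE" 'NR == n { print r } { print }'; }

pos=$(printf '%s\n' "$STOCK_RULES" | reject_pos)
echo "stock:    $(printf '%s\n' "$STOCK_RULES" | verdict 8388)"
echo "appended: $(printf '%s\n%s\n' "$STOCK_RULES" "$NEW_RULE" | verdict 8388)"
echo "inserted: $(printf '%s\n' "$STOCK_RULES" | insert_before "$pos" | verdict 8388)"
echo "suggested: iptables -I INPUT $pos -p tcp --dport 8388 -j ACCEPT"
```

On a live host the same functions can be fed the output of `iptables -S INPUT` instead of the sample; this keeps the default-deny rule in place rather than flushing the chain.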

lty96117 commented Aug 29, 2016

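With firewalld on CentOS 7, # firewall-cmd --zone=public --add-port=6022/tcp --permanent opens a single port,
but when configuring sspanel I need multiple user ports. Could anyone tell me how to make firewalld automatically allow all of these sspanel user ports?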

mlieou commented Sep 4, 2016

For those who come later:
After modifying the iptables rules, don't forget to save them,
service iptables save

yeweishuai commented Oct 31, 2016

Solved after flushing
sudo iptables -F

huadi016 commented Jan 14, 2017

iptables -F solved it. Thanks to everyone above.

huangyanxiong01 commented Mar 14, 2017

I flushed the firewall, turned off the firewall, and turned off selinux

tcping xx.xx.xxx.xx 8878

It still times out. How do I solve this?

JamesHT commented Apr 9, 2017

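Mine is a Linode VPS. With server set to the external IP, opening the port had no effect; after changing server to 0.0.0.0 and opening the port again with iptables, it was solved.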
FYI.

tomifisking commented Apr 17, 2017

REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

The problem is exactly this rule. After adding the port, I used yjd's method and can confirm it works. Thanks!

weigaow commented Jun 8, 2017

Solved after sudo iptables -F, thank you very much.

Cinux-Chosan commented Jul 19, 2017

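I installed ss-qt5 on CentOS 7, and it too could always connect, but the latency test flashed for a moment and then showed an error. What I finally did: File menu -> export as gui-config.json -> make an arbitrary change, e.g. set shareOverLan to true -> import the connection from gui-config.json, and then both connecting and the latency test succeeded. If it can't connect, quitting ss-qt5 and reconnecting fixes it. In the end I restored the configuration file and imported it again, and it still worked. But the original entry still couldn't connect, so I deleted it. I haven't tested this, but in principle exporting and re-importing should be enough; if that doesn't work, try changing something as well. If it still doesn't work, it may be a firewall problem.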

bluesone commented Aug 4, 2017

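I also hit a timeout caused by the firewall rules. Add one line to the rules (replace xxxx with the port or port range you configured; the range format is xxxx:yyyy)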
-A INPUT -p tcp -m state --state NEW -m tcp --dport xxxx -j ACCEPT

echoyinke commented Aug 25, 2017

I'm on Fedora; it worked once I cleared the firewall. I never knew why before.

yangszz commented Nov 20, 2017

Clearing the rules with iptables -F made it work

luoyanghero commented Jan 19, 2018

I have a similar question. I tried to change the port and restart ss. It is OK.

allen1027 commented Jan 24, 2019

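iptables -F worked at first, but after a while it inexplicably stopped working. Reconfiguring iptables doesn't help either; the connection still times out. Please help!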

guosq commented Feb 11, 2019

Changing to a different IP fixed it

stefanieren commented Feb 17, 2019

The one on Vultr was solved with iptables -F, but the one in BandwagonHost's Los Angeles data center still doesn't work
