曾经在http://blog.csdn.net/bisal/article/details/42496583这篇博文中提到一个端口连接的验证:
“[email protected]$telnet 172.101.19.57 1521
Trying 172.101.19.57...
telnet: connect to address 172.101.19.57: No route to host
如果端口未开,实际报错:
[email protected]$telnet 172.27.19.56 1521
Trying 172.27.19.56...
telnet: connect to address 172.27.19.56: Connection refused
是不是防火墙的问题???
从数据库服务器关闭防火墙:
[[email protected] ~]# service iptables stop
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: nat mangle filter [ OK ]
iptables: Unloading modules: [ OK ]
再从远程机器执行:
[email protected]$telnet 172.101.19.571521
Trying 172.101.19.57...
Connected to 172.101.19.57.
Escape character is ‘^]‘.
说明端口已开,更重要的是,明确了,就是防火墙问题。”
通过实验再次说明下“Connection refused”和“No route to host”的区别和问题诊断思路。
首先,网上有篇帖子说明“Connection refused” vs “No route to host”(http://superuser.com/questions/720851/connection-refused-vs-no-route-to-host):
"Connection refused" means that the target machine actively rejected the connection. With port 80 as the context, one of the following things is likely the reason:
Nothing is listening on 127.0.0.1:80 and 132.70.6.157:80
Nothing is listening on *:80
The firewall is blocking the connection with REJECT
So check your Apache and iptables config.
"No route to host" refers to a network problem. It is not a reply from the target machine.
说的是“Connection refused”是目标主机明确拒绝了这次连接,有可能是该端口没有启动监听,或者因为防火墙。“No route to host”则可能是一个网络问题,不是目标主机的回复。
一个实验模拟:
客户端机器ip:172.1.1.1
目标机ip:172.1.2.1
1. 从客户端telnet目标机的一个已启动端口1521,但防火墙中未添加例外。
从172.1.1.1 telnet 172.1.2.1 1521,提示no route to host。
Trying 172.1.2.1...
telnet: connect to address 172.1.2.1: No route to host
在防火墙配置中iptables添加1521端口,telnet正常。
2. 从客户端telnet目标机的一个未启动监听的端口
172.1.2.1的10001端口没有启用,netstat -an | grep 10001不存在。
从172.1.1.1 telnet 172.1.2.1 10001,提示connection refused。
Trying 172.1.2.1...
telnet: connect to address 172.1.2.1: Connection refused
结论:说明No route to host是防火墙的返回,先经过防火墙,不管端口有没有。然后如果通过了防火墙,但监听未启动,则提示Connection refused的错误。