系统运维 on 嘴强黑客 /pbuff07https://pbuff07.github.io/categories/%E7%B3%BB%E7%BB%9F%E8%BF%90%E7%BB%B4/Recent content in 系统运维 on 嘴强黑客 /pbuff07Hugozh-cnFri, 08 May 2026 10:48:00 +0800VSCode远程:下载服务器失败https://pbuff07.github.io/posts/2026-05-08-vscode%E8%BF%9C%E7%A8%8B-%E4%B8%8B%E8%BD%BD%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%A4%B1%E8%B4%A5/Fri, 08 May 2026 10:48:00 +0800https://pbuff07.github.io/posts/2026-05-08-vscode%E8%BF%9C%E7%A8%8B-%E4%B8%8B%E8%BD%BD%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%A4%B1%E8%B4%A5/<p>最近使用 VSCode Remote SSH 连接远程主机时,卡在 <code>Downloading VS Code Server</code> 阶段,表现为一直下载或反复要求重新连接。</p> <p>参考链接:</p> <ul> <li><a href="https://github.com/microsoft/vscode-remote-release/issues/11040">Remote-SSH stuck on &ldquo;Downloading VS Code Server&rdquo; #11040</a></li> </ul> <p>这类问题可通过调整两处 Remote SSH 设置来修复:</p> <ol> <li><code>Remote.SSH: Use Exec Server</code> <strong>不勾选</strong></li> <li><code>Remote.SSH: Permit Pty Allocation</code> <strong>勾选</strong></li> </ol> <p>设置界面示意图如下:</p> <p><img src="https://pbuff-blogs-1257793641.cos.ap-chengdu.myqcloud.com//blogs20260508104725.png" alt="Remote.SSH Use Exec Server 不勾选"></p> <p><img src="https://pbuff-blogs-1257793641.cos.ap-chengdu.myqcloud.com//blogs20260508104800.png" alt="Remote.SSH Permit Pty Allocation 勾选"></p> <p>修改后重新连接远程主机,通常即可恢复正常。</p>nftableshttps://pbuff07.github.io/posts/2025-07-19-nftables/Sat, 19 Jul 2025 14:00:00 +0800https://pbuff07.github.io/posts/2025-07-19-nftables/<p><strong>nftables</strong> 是 iptables 的继任者,提供了一种更强大、更灵活、更高效的方式来管理 Linux 系统上的数据包过滤和 NAT(抄的,反正就是比iptables更先进)。</p> <p>基本结构图如下:</p> <p>Table - 表:用来组织链和规则的,主要有inet、ip4、ip6、arp、bridge(其实就是表示处理的流量类型)。</p> <p>Chain - 链:表示Table中的具体的规则走什么处理链路?比如是拦截还是放行,主要有input、output、forward、prerouting、postrouting(除了前三个,其他都不太懂)。</p> <p>Rule - 规则:表示具体的策略内容了,要对数据包执行的过滤条件和动作。</p> <p><img src="https://pbuff-blogs-1257793641.cos.ap-chengdu.myqcloud.com//blogsimage-20250724180743972.png" alt="image-20250724180743972"></p> <p>基本用法:</p> <p>1、创建表</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>nft add table inet my_filter_ip </span></span></code></pre></div><p>2、创建一个input(入站)的链</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>nft add chain inet my_filter_ip input {type filter hook input priority 0 \; policy drop \;} </span></span></code></pre></div><blockquote> <p>type filter 指这是一个用于过滤的链,其他类型还有route、nat</p> <p>hook input 指这条链挂到输入阶段,即处理本机的数据包</p> <p>priority 0 指该链的优先级,数值越小优先级越高</p> <p>policy drop 指该链默认的处理策略为丢弃</p> <p>; 指nftables 命令语法中的转义分号,用于表示大括号内的语句结束</p> </blockquote> <p>综上:该命令创建了一个默认丢弃所有入站的数据包的链,效果如下:</p> <p>3、创建规则</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-text" data-lang="text"><span style="display:flex;"><span># 放行22端口 </span></span><span style="display:flex;"><span>nft add rule inet my_filter_ip input tcp dport 22 accept </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span># 放行多个端口 </span></span><span style="display:flex;"><span>nft add rule inet my_filter_table input tcp dport { 22, 80, 443 } accept </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span># 丢弃某个IP的数据包 </span></span><span style="display:flex;"><span>nft add rule inet my_filter_ip input ip saddr 192.168.31.100 drop </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span># 允许某个IP访问 </span></span><span style="display:flex;"><span>nft add rule inet my_filter_ip input ip saddr 192.168.1.1 accept </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span># 放行到特定目标的流量 </span></span><span style="display:flex;"><span>nft add rule inet my_filter_ip input ip daddr 10.9.1.13 accept </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span># 放行特定IP访问特定端口 </span></span><span style="display:flex;"><span>nft add rule inet my_filter_ip input ip saddr 192.168.1.100 tcp dport 22 accept </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span># 日志记录 </span></span><span style="display:flex;"><span>nft add rule inet my_filter_ip input tcp dport 22 log prefix &#34;SSH_ACCESS: &#34; accept </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span># 限制速率 </span></span><span style="display:flex;"><span>nft add rule inet my_filter_ip input tcp dport 22 limit rate 10/minute accept </span></span></code></pre></div><p>除了accept和drop,还有reject操作。</p>