Apache is not responding from the outside (firewall/iptables problem)
Solution 1
Try this to see if it helps:
sudo /sbin/iptables -A INPUT -p tcp --dport http -j ACCEPT
If you use the following beforehand then you can easily revert back:
/sbin/iptables-save > /tmp/fw
If you want to completely turn off iptables (although better to configure it appropriately) then use:
sudo /sbin/chkconfig iptables off
Otherwise, to make the rule persist, save it to /etc/sysconfig/iptables:
/sbin/iptables-save > /etc/sysconfig/iptables
On CentOS 7 or above
On CentOS 7 and RHEL 7 you would probably use firewall-cmd to allow HTTP traffic.
firewall-cmd --permanent --add-service=http
firewall-cmd --reload
Solution 2
This is often indicative of a firewall problem, either on your local system or on your network. What does your local iptables firewall look like?
# iptables -vnL
You can temporarily disable the local firewall by running:
# /sbin/service iptables stop
If things work after this, it was definitely a firewall problem and you'll need to sort that out.
If you don't have a local firewall, is there one elsewhere on your network?
BreakPhreak, updated on September 18, 2022

Comments

- BreakPhreak over 1 year: Have CentOS installed with httpd. Can connect with lynx both to http://localhost and to http://10.20.30.40 (the real IP) from inside the machine. Can't connect from outside. Here is an excerpt from the /etc/httpd/conf/httpd.conf:
Listen 0.0.0.0:80
<VirtualHost 10.20.30.40:80>
    DocumentRoot /var/www/vhost1
    ErrorLog logs/vhost1-error_log
    CustomLog logs/vhost1-access_log common
</VirtualHost>
I am trying to connect from the machine that resides on the same subnet (as far as I know about it). Nothing suspicious in the log files. Any advice please?
Update: while running iptables -L I've got the following line (maybe it's related):
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Update N2: iptables -vnL output:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
1576K 1643M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 354K packets, 58M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  922  823K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   19  1412 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
 159K   28M ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
 2869  640K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
1239K 1589M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    8  1064 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 175K   25M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
- Philip Reynolds almost 13 years: You need to give WAY more information.
- BreakPhreak almost 13 years: @Phil: kindly advise which information you would like to get and I'll happily provide it.
- user3518202 almost 13 years: @BreakFreak: "REJECT all" is probably the cause!
- BreakPhreak almost 13 years: @Cez: can you please tell which is the best way to remove the line (this is not a production machine)? Also, can you please post it as an answer, so I'll "accept" it if it helps?
- user3518202 almost 13 years: @BreakFreak: have added an answer
- user3518202 almost 13 years: @BreakFreak: port 80 isn't open in your config
- symcbean almost 13 years: @BreakFreak, Cez: even on a test system a default policy of REJECT or DROP should be the default - you need to add an entry to allow port 80 as per Cez's answer - NOT the comment above.
- BreakPhreak almost 13 years: Yep, stopping the iptables makes the job! Now the question is how to remove the firewall. No need in it - this is a pure dev machine.
- BreakPhreak almost 13 years: Just switched off the firewall as advised above and it worked. Now the point is how to switch it forever.
- user2751502 almost 13 years: rm /etc/sysconfig/iptables
- Johan Lundberg about 10 years: Note: with -A INPUT the new rule comes after all other rules in the input chain. That means that the new rule may come after a general REJECT rule, making it useless. To add the new rule at the top, use -I INPUT instead.
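Solution 1 appends the ACCEPT rule with -A INPUT, and the last comment points out that an appended rule can land after a catch-all REJECT and never match; in the asker's output that REJECT sits in RH-Firewall-1-INPUT, which INPUT jumps to. The check below is an added example, not code from the thread: it walks the INPUT chain of `iptables -vnL` output in rule order, follows jumps into user-defined chains, and reports whether a port-80 ACCEPT is reached before a catch-all REJECT/DROP. The sample chains are constructed from the asker's output and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Reads `iptables -vnL` output on stdin, walks INPUT in rule
# order (following jumps) and reports whether an ACCEPT for TCP port $1
# (default 80) comes before a catch-all REJECT/DROP: reachable / blocked / policy.
http_rule_reachable() {
  awk -v port="${1:-80}" '
    function walk(c,   j, t, r) {
      for (j = 1; j <= n[c]; j++) {
        t = target[c, j]
        # an ACCEPT bound to one interface (e.g. virbr0) does not help outside clients
        if (t == "ACCEPT" && proto[c, j] == "tcp" && inif[c, j] == "*" &&
            rest[c, j] ~ ("dpt:" port "( |$)")) return "reachable " c "#" j
        if ((t == "REJECT" || t == "DROP") && proto[c, j] == "all" && inif[c, j] == "*" &&
            src[c, j] == "0.0.0.0/0" && dst[c, j] == "0.0.0.0/0") return "blocked " c "#" j
        if (t in n) { r = walk(t); if (r != "policy") return r }  # follow the jump
      }
      return "policy"  # fell off the end of the chain: its policy decides
    }
    /^Chain / { chain = $2; n[chain] = 0; next }
    /^ *pkts +bytes/ || NF == 0 { next }
    { i = ++n[chain]; target[chain, i] = $3; proto[chain, i] = $4; inif[chain, i] = $6
      src[chain, i] = $8; dst[chain, i] = $9; rest[chain, i] = ""
      for (k = 10; k <= NF; k++) rest[chain, i] = rest[chain, i] " " $k }
    END { print walk("INPUT") }'
}

# Constructed sample modelled on the asker's chains: INPUT jumps to
# RH-Firewall-1-INPUT, which ends in REJECT all. $1 says where a port-80 ACCEPT
# was added to INPUT: "none", "append" (iptables -A INPUT) or "insert" (-I INPUT).
sample_rules() {
  http='    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80'
  echo 'Chain INPUT (policy ACCEPT 0 packets, 0 bytes)'
  echo ' pkts bytes target     prot opt in     out     source               destination'
  if [ "$1" = insert ]; then echo "$http"; fi
  echo '    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53'
  echo '1576K 1643M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0'
  if [ "$1" = append ]; then echo "$http"; fi
  echo
  echo 'Chain RH-Firewall-1-INPUT (2 references)'
  echo ' pkts bytes target     prot opt in     out     source               destination'
  echo '  922  823K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0'
  echo '    8  1064 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22'
  echo ' 175K   25M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'
}

# On a real box: iptables -vnL | http_rule_reachable 80
for where in none append insert; do
  printf '%-7s %s\n' "$where" "$(sample_rules "$where" | http_rule_reachable 80)"
done
```

The loop prints "blocked RH-Firewall-1-INPUT#3" for both the original chains and the -A INPUT variant, and "reachable INPUT#1" only for the -I INPUT variant, which is exactly the ordering problem the last comment describes.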