apache is not responding from the outside (firewall/iptables problem)


Solution 1

Try this to see if it helps:

sudo /sbin/iptables -A INPUT -p tcp --dport http -j ACCEPT

If you use the following beforehand then you can easily revert back:

/sbin/iptables-save > /tmp/fw

If you want to completely turn off iptables (although better to configure it appropriately) then use:

sudo /sbin/chkconfig iptables off

Otherwise, to make the rule persist, save it to /etc/sysconfig/iptables:

/sbin/iptables-save > /etc/sysconfig/iptables

On CentOS 7 or above

On CentOS 7 and RHEL 7 you would probably use firewall-cmd to allow HTTP traffic.

firewall-cmd --permanent --add-service=http
firewall-cmd --reload

Solution 2

This is often indicative of a firewall problem, either on your local system or on your network. What does your local iptables firewall look like?

# iptables -vnL

You can temporarily disable the local firewall by running:

# /sbin/service iptables stop

If things work after this, it was definitely a firewall problem and you'll need to sort that out.

If you don't have a local firewall, is there one elsewhere on your network?

Author: BreakPhreak

Updated on September 18, 2022

Comments

  • BreakPhreak
    BreakPhreak over 1 year

    Have CentOS installed with httpd. Can connect with lynx both to http://localhost and to http://10.20.30.40 (the real IP) from inside the machine. Can't connect from outside. Here is an excerpt from the /etc/httpd/conf/httpd.conf:

    Listen 0.0.0.0:80
    
    <VirtualHost 10.20.30.40:80>
        DocumentRoot /var/www/vhost1
        ErrorLog logs/vhost1-error_log
        CustomLog logs/vhost1-access_log common
    </VirtualHost>
    

    I am trying to connect from the machine that resides on the same subnet (as far as I know about it).

    Nothing suspicious in the log files. Any advice, please?

    Update: while running iptables -L I've got the following line (maybe it's related): REJECT all -- anywhere anywhere reject-with icmp-host-prohibited.

    Update N2: iptables -vnL output:

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
        0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
    1576K 1643M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
        0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
        0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
        0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
        0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
        0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 354K packets, 58M bytes)
     pkts bytes target     prot opt in     out     source               destination
    
    Chain RH-Firewall-1-INPUT (2 references)
     pkts bytes target     prot opt in     out     source               destination
      922  823K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       19  1412 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
        0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
        0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
     159K   28M ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
     2869  640K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
    1239K 1589M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        8  1064 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
     175K   25M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
    
    • Philip Reynolds
      Philip Reynolds almost 13 years
      You need to give WAY more information.
    • BreakPhreak
      BreakPhreak almost 13 years
      @Phil: kindly advise which information would you like to get and I'll happily provide it.
    • user3518202
      user3518202 almost 13 years
      @BreakFreak: "REJECT all" is probably the cause!
    • BreakPhreak
      BreakPhreak almost 13 years
      @Cez: can you please tell which is the best way to remove the line (this is not a production machine)? Also, can you please post it as an answer, so I'll "accept" it if it helps?
    • user3518202
      user3518202 almost 13 years
      @BreakFreak: have added an answer
    • user3518202
      user3518202 almost 13 years
      @BreakFreak: port 80 isn't open in your config
    • symcbean
      symcbean almost 13 years
      @BreakFreak, Cez: even on a test system a default policy of REJECT or DROP should be the default - you need to add an entry to allow port 80 as per Cez's answer - NOT the comment above.
  • BreakPhreak
    BreakPhreak almost 13 years
    Yep, stopping the iptables makes the job! Now the question is how to remove the firewall. No need in it - this is a pure dev machine.
  • BreakPhreak
    BreakPhreak almost 13 years
    Just switched off the firewall as advised above and it worked. Now the point is how to switch it forever.
  • user2751502
    user2751502 almost 13 years
    rm /etc/sysconfig/iptables
  • Johan Lundberg
    Johan Lundberg about 10 years
    Note: with -A INPUT the new rule comes after all other rules in the input chain. That means that the new rule may come after a general REJECT rule, making it useless. To add the new rule at the top, use -I INPUT instead