CentOS 6 - iptables preventing web access via port 80

linux apache-http-server centos iptables
26,285

The iptables-save output shows this bit of additional information for rule 3 not shown with iptables -L:

From iptables -L output one would think that all traffic is accepted:

ACCEPT     all  --  anywhere             anywhere

but iptables-save shows:

-A INPUT -i lo -j ACCEPT

which means that iptables indeed accepts all traffic... but only from the loopback interface (lo).

And that's the reason HTTP traffic never reaches your web server: The only traffic permitted is established connections in rule 1, ICMP (for example ping) in rule 2: -A INPUT -p icmp -j ACCEPT and SSH in rule 4: -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT.

Then everything is rejected in rule 5: -A INPUT -j REJECT --reject-with icmp-host-prohibited.

That is, all HTTP traffic is rejected before even reaching rule 6: -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

To correct it delete rule 6 (-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT):

iptables -D INPUT 6

and insert it (option -I) as rule 5:

iptables -I INPUT 5 -p tcp -m tcp --dport 80 -j ACCEPT

or import this:

# Generated by iptables-save v1.4.6 on Thu Nov  8 16:46:28 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [40:5423]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Nov  8 16:46:28 2012

by saving it into a file and executing iptables-restore < file.

EDIT: The OP noticed that the new rules are lost after restarting iptables.

As explained here: http://wiki.centos.org/HowTos/Network/IPTables, any time we update the rules we need to save them, so run this:

# /sbin/service iptables save

to make changes permanent. Now the modified rules will be loaded by iptables.

Share:
26,285

Related videos on Youtube

bsod99
Author by

bsod99

Updated on September 18, 2022

Comments

  • bsod99
    bsod99 over 1 year

    I'm setting up a new web server with CentOS 6.2 and am not able to connect via the web. Everything looks set up correctly in httpd.conf and Apache is running, so I'm assuming it's an iptables issue.

    Is there anything in the following which could be causing the issue?

    EDIT: If i stop iptables, I can connect fine, so must be something needing tweaked in the below. I've already run iptables -A INPUT -p tcp --dport 80 -j ACCEPT and saved and restarted iptables but made no difference

    # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

    Following advice in answer below:

    [root@staging ~]# iptables -N TCP
[root@staging ~]# iptables -A TCP -p tcp --dport 80 -j ACCEPT
[root@staging ~]# iptables-save > /etc/iptables/iptables.rules
-bash: /etc/iptables/iptables.rules: No such file or directory
[root@staging ~]# iptables-save
# Generated by iptables-save v1.4.7 on Thu Nov  8 14:09:09 2012
*filter
:INPUT ACCEPT [91:7480]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [70:6556]
:TCP - [0:0]
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Thu Nov  8 14:09:09 2012
[root@staging ~]# iptables-restore
^C
[root@staging ~]# service iptables start
iptables: Applying firewall rules:                         [  OK  ]

    Further edit: iptables-save showed nothing as I ran it after I'd stopped iptables! So here's the output:

    # iptables-save
# Generated by iptables-save v1.4.7 on Thu Nov  8 14:39:10 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28:3344]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Nov  8 14:39:10 2012
    • jaume
      jaume over 11 years
      Aren't there any rules in the OUTPUT chain? Can you post the output of iptables-save?
    • jaume
      jaume over 11 years
      And now, after following the advice in the answer below, does it work? And if it doesn't, if you stop iptables altogether, does it work again? And again a bit I'm missing, does the web server have more than one IP address (check it with ip address or ifconfig? The output of commands iptables --version, iptables -S, lsof -i | grep http and uname -a could also be helpful.
    • bsod99
      bsod99 over 11 years
      iptables-save does have output (posted above), i ran it after i'd stopped iptables which is why I got nothing, unsurprisingly. The web server has one IP, I can access it fine when iptables are stopped
  • bsod99
    bsod99 over 11 years
    Followed your suggestions - although didn't specify iptables.rules file as doesn't exist in that location for me. Added the output to OP above.
  • u8sand
    u8sand over 11 years
    but iptables -L still remains the same and your port remains closed? have you tried "nmap" or a similar to to make sure the port is indeed closed. Other inaccessibility problems include routers which requires port forwarding.
  • bsod99
    bsod99 over 11 years
    Many thanks for the detailed post and explanation. So this works (your example file had the lo line still above) - strangely though, if i stop iptables and restart, then the order reverts to the original setup.
  • jaume
    jaume over 11 years
    The lo in the third rule is correct, otherwise all incoming ports are open, which largely defeats the purpose of using a firewall in the first place. As for iptables stubbornly reordering the rules: after modifying the rules run /etc/init.d/iptables save (I haven't used CentOS for ages but that's what I remember off the top of my head...)

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

What prevents a machine from responding to pings?
CentOS phpmyadmin folder forbidden
iptables not starting on CentOS 6
How to get ASP.NET running on Apache on CentOS 7?
blocking port 80 via iptables
iptables blocking from internet side on eth1?
IPtables string match for some URLs
Check for Apache state in Linux
httpd: bad user name apache
Apache not executing PHP on CentOS 7 in browser