Linux – CentOS 6 – iptables preventing web access via port 80

apache-http-servercentosiptableslinux

I'm setting up a new web server with CentOS 6.2 and am not able to connect via the web. Everything looks set up correctly in httpd.conf and Apache is running, so I'm assuming it's an iptables issue.

Is there anything in the following which could be causing the issue?

EDIT: If i stop iptables, I can connect fine, so must be something needing tweaked in the below. I've already run iptables -A INPUT -p tcp --dport 80 -j ACCEPT and saved and restarted iptables but made no difference

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Following advice in answer below:

[root@staging ~]# iptables -N TCP
[root@staging ~]# iptables -A TCP -p tcp --dport 80 -j ACCEPT
[root@staging ~]# iptables-save > /etc/iptables/iptables.rules
-bash: /etc/iptables/iptables.rules: No such file or directory
[root@staging ~]# iptables-save
# Generated by iptables-save v1.4.7 on Thu Nov  8 14:09:09 2012
*filter
:INPUT ACCEPT [91:7480]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [70:6556]
:TCP - [0:0]
-A TCP -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Thu Nov  8 14:09:09 2012
[root@staging ~]# iptables-restore
^C
[root@staging ~]# service iptables start
iptables: Applying firewall rules:                         [  OK  ]

Further edit: iptables-save showed nothing as I ran it after I'd stopped iptables! So here's the output:

# iptables-save
# Generated by iptables-save v1.4.7 on Thu Nov  8 14:39:10 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [28:3344]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Nov  8 14:39:10 2012

Best Answer

The iptables-save output shows this bit of additional information for rule 3 not shown with iptables -L:

From iptables -L output one would think that all traffic is accepted:

ACCEPT     all  --  anywhere             anywhere

but iptables-save shows:

-A INPUT -i lo -j ACCEPT

which means that iptables indeed accepts all traffic... but only from the loopback interface (lo).

And that's the reason HTTP traffic never reaches your web server: The only traffic permitted is established connections in rule 1, ICMP (for example ping) in rule 2: -A INPUT -p icmp -j ACCEPT and SSH in rule 4: -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT.

Then everything is rejected in rule 5: -A INPUT -j REJECT --reject-with icmp-host-prohibited.

That is, all HTTP traffic is rejected before even reaching rule 6: -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

To correct it delete rule 6 (-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT):

iptables -D INPUT 6

and insert it (option -I) as rule 5:

iptables -I INPUT 5 -p tcp -m tcp --dport 80 -j ACCEPT

or import this:

# Generated by iptables-save v1.4.6 on Thu Nov  8 16:46:28 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [40:5423]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Nov  8 16:46:28 2012

by saving it into a file and executing iptables-restore < file.

EDIT: The OP noticed that the new rules are lost after restarting iptables.

As explained here: http://wiki.centos.org/HowTos/Network/IPTables, any time we update the rules we need to save them, so run this:

# /sbin/service iptables save

to make changes permanent. Now the modified rules will be loaded by iptables.

Related Solutions

Linux – iptables: Allow only HTTP access for web browsing

Because the rule

iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

with a DROP policy on the OUTPUT chain requires two things which are highly relevant here:

The connection must already have been established
The source port must be 80/tcp

Source ports below 1024 are privileged, and generally aren't used for outgoing connections even when the socket owning process is running as root. You are more likely to see a high source port number going out, well above 30000 seems to be common.

There is also no way to establish a connection, since the only outgoing traffic that is allowed must be related to an already established connection.

Hence, in practice, nothing can match this rule.

Try instead:

iptables -A OUTPUT -o eth0 -p tcp --dport 80 -j ACCEPT

which should allow any outbound connections to destination TCP port 80 where the traffic is routed through eth0, which is much more in line with what you want.

And then as has been pointed out, don't forget about HTTPS, DNS, ...

Linux – need iptables rule to accept all incoming traffic

Run the following. It'll insert the rule at the top of your iptables and will allow all traffic unless subsequently handled by another rule.

iptables -I INPUT -j ACCEPT

You can also flush your entire iptables setup with the following:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

If you flush it, you might want to run something like:

iptables -A INPUT -i lo -j ACCEPT -m comment --comment "Allow all loopback traffic"
iptables -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT -m comment --comment "Drop all traffic to 127 that doesn't use lo"
iptables -A OUTPUT -j ACCEPT -m comment --comment "Accept all outgoing"
iptables -A INPUT -j ACCEPT -m comment --comment "Accept all incoming"
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -m comment --comment "Allow all incoming on established connections"
iptables -A INPUT -j REJECT -m comment --comment "Reject all incoming"
iptables -A FORWARD -j REJECT -m comment --comment "Reject all forwarded"

If you want to be a bit safer with your traffic, don't use the accept all incoming rule, or remove it with "iptables -D INPUT -j ACCEPT -m comment --comment "Accept all incoming"", and add more specific rules like:

iptables -I INPUT -p tcp --dport 80 -j ACCEPT -m comment --comment "Allow HTTP"
iptables -I INPUT -p tcp --dport 443 -j ACCEPT -m comment --comment "Allow HTTPS"
iptables -I INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT -m comment --comment "Allow SSH"
iptables -I INPUT -p tcp --dport 8071:8079 -j ACCEPT -m comment --comment "Allow torrents"

NOTE: They need to be above the 2 reject rules at the bottom, so use I to insert them at the top. Or if you're anal like me, use "iptables -nL --line-numbers" to get the line numbers, then use "iptables -I INPUT ..." to insert a rule at a specific line number.

Finally, save your work with:

iptables-save > /etc/network/iptables.rules #Or wherever your iptables.rules file is

Best Answer

Related Solutions

Linux – iptables: Allow only HTTP access for web browsing

Linux – need iptables rule to accept all incoming traffic

Related Question