Apache does not accept incoming connections from outside the local host

I booted the CentOS server into rackspace and performed yum install httpd. Then services httpd start. So, just barebones.

I can access its IP address remotely via ssh (22) without problems, so there is no problem with DNS or anything (I think ...), but when I try to connect to port 80 (through a browser or something else) I get the connection refused.

However, from localhost I can use telnet (80) or even lynx on myself and maintain it without any problems. Outside (my home, my school, local cafe, etc.), Telnet connects to 22, but not 80.

I use netstat -tulpn (<- I'm not going to lie, I don't understand the -tulpn part, but what the internet told me to do ...) and see

 tcp 0 0 :::80 :::* LISTEN - 

it seems to me. httpd.conf says Listen 80.

I have run services httpd restart many times.

Honestly, I have no idea what to do. There is no way for rackspace to have a firewall for incoming port 80 requests. I feel like I’m missing something stupid, but I already loaded the barebones server twice and performed an absolute minimum to get this functioning, thinking that I messed up everything, but it didn’t work.

Any help is much appreciated! (And sorry for the long branch ...)

Edit I was asked to publish the output of iptables -L . So here it is:

 Chain INPUT (policy ACCEPT)
 target prot opt source destination
 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
 ACCEPT icmp -- anywhere anywhere
 ACCEPT all -- anywhere anywhere
 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

 Chain FORWARD (policy ACCEPT)
 target prot opt source destination
 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

 Chain OUTPUT (policy ACCEPT)
 target prot opt source destination
+49
linux apache webserver centos
May 23 '12 at 23:25
11 answers

In case it has not yet been resolved. Your iptables say:

RELATED, ESTABLISHED

This means that it allows you to transfer only already established connections ... created by you, not remote machines. You can then see exceptions to this in the following rules:

 state NEW tcp dpt:ssh 

Which is considered only for ssh, so you should add a similar rule / line for http, which you can do as follows:

 state NEW tcp dpt:80 

Which you can do as follows:

 sudo iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT 

(In this case, I want to add a new rule to the fourth line)

Remember that after editing a file, you must save it as follows:

 sudo /etc/init.d/iptables save 
+98
Oct 24 '13 at 14:50
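
Why the rule has to go in at position 4, as an added example that is not part of the original answer: the chain is read top to bottom and the first match wins, so an ACCEPT that lands after the catch-all REJECT is never reached. The rule list is a constructed iptables -S rendering of the question's INPUT chain, on the assumption that its unqualified "ACCEPT all" line is the loopback-only rule (plain iptables -L does not show the interface); first_match and insert_at are hypothetical helpers that model only the matches used here.

```shell
#!/bin/sh
# Constructed sample: the question's INPUT chain in `iptables -S` form. Rule 3 is
# assumed to be the loopback-only rule; plain `iptables -L` hides the interface.
RULES='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'
# The rule from the answer, in the same form.
HTTP_RULE='-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT'

# first_match RULES IFACE DPORT (hypothetical helper): print "<number> <target>"
# for the first rule matching a NEW TCP connection arriving on IFACE for DPORT.
# Only the matches used above are modelled; 0 means the chain policy applied.
first_match() {
    printf '%s\n' "$1" | awk -v iface="$2" -v dport="$3" '
    {
        ok = 1; target = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-i" && $(i+1) != iface) ok = 0
            if ($i == "-p" && $(i+1) != "tcp") ok = 0
            if ($i == "--dport" && $(i+1) != dport) ok = 0
            if ($i == "--state" && ("," $(i+1) ",") !~ /,NEW,/) ok = 0
            if ($i == "-j") target = $(i+1)
        }
        if (ok) { print NR, target; found = 1; exit }
    }
    END { if (!found) print 0, "ACCEPT" }'
}

# insert_at RULES POS RULE (hypothetical helper): emulate `iptables -I INPUT POS`.
# A POS past the last rule behaves like `iptables -A INPUT`.
insert_at() {
    printf '%s\n' "$1" | awk -v pos="$2" -v rule="$3" '
        NR == pos { print rule }
        { print }
        END { if (pos > NR) print rule }'
}

echo "eth0, port 22, original chain: $(first_match "$RULES" eth0 22)"
echo "eth0, port 80, original chain: $(first_match "$RULES" eth0 80)"
echo "lo,   port 80, original chain: $(first_match "$RULES" lo 80)"
echo "eth0, port 80, after -I INPUT 4: $(first_match "$(insert_at "$RULES" 4 "$HTTP_RULE")" eth0 80)"
echo "eth0, port 80, after -A INPUT:   $(first_match "$(insert_at "$RULES" 6 "$HTTP_RULE")" eth0 80)"
```

On a real host, iptables -S INPUT or iptables -L INPUT -n -v --line-numbers shows the rule numbers and the interface column needed to pick the insert position.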

CentOS 7 now uses firewalld by default. But all the answers are focused on iptables. So I wanted to add a response related to firewalld.

Since firewalld is a "wrapper" for iptables, using the antonio-fornie response still works, but I could not "save" this new rule. Thus, I could not connect to my apache server as soon as the firewall restarted. Fortunately, it is actually much easier to make an equivalent change using firewalld commands. First check if firewalld works:

 firewall-cmd --state 

If it works, the answer will be just one line that says “running”.

To temporarily allow http connections (port 80) in a public zone:

 sudo firewall-cmd --zone=public --add-service=http 

The above will not be “saved”, the next time the firewalld service restarts, it will revert to the default rules. You should use this temporary rule to verify and make sure that it solves the connection problem before moving on.

To permanently allow http connections in a public zone:

 sudo firewall-cmd --zone=public --permanent --add-service=http 

If you execute a “permanent” command without executing a “temporary” command, you need to restart firewalld to get new default rules (this may differ for systems other than CentOS):

  sudo systemctl restart firewalld.service 

If this does not solve the connection problem, it may be because your interface is not in the “public zone”. The following link is a great resource for exploring firewalld. It details the methods for checking, assigning and configuring zones: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

+5
Dec 13 '16 at 2:34

SELinux does not allow Apache (and therefore all Apache modules) to make remote connections by default.

 # setsebool -P httpd_can_network_connect=1 
+4
Nov 26 '12 at 5:26

Try installing below in iptables.config table

 iptables -A INPUT -p tcp --dport 80 -j ACCEPT 

Run the command below to restart the iptable service

 service iptables restart 

change the httpd.config file to

 Listen 192.170.2.1:80 

restart apache.

Try now.

+3
Aug 15 '12 at 21:33

Find the LISTEN directive in the apache configuration files (httpd.conf, apache2.conf, listen.conf, ...), and if you see localhost or 127.0.0.1, you need to overwrite it with your public IP.

+1
May 23 '12 at 23:31

Try disabling iptables: service iptables stop

If this works, include TCP port 80 in your firewall rules: run system-config-selinux as root and enable TCP port 80 (HTTP) on your firewall.

+1
May 23 '12 at 23:38

this will work: - for REDHAT use: cat "/etc/sysconfig/iptables"

 iptables -I RH-Firewall-1-INPUT -s 192.168.1.3 -p tcp -m tcp --dport 80 -j ACCEPT 

followed by

 sudo /etc/init.d/iptables save 
+1
Mar 09 '14 at 20:37

this is what worked for us to access apache from the outside:

 sudo iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
 sudo service iptables restart
+1
Mar 23 '16 at 1:55

Install apache to map to a specific interface and enter something like below:

 Listen 192.170.2.1:80 

Also check the iptables and TCP Wrappers entries that might interfere with the host if external hosts access this port.

Document binding for Apache

0
May 23 '12 at 23:34

If you are using RHEL / CentOS 7 (OP was not, but I thought I would share the solution for my business), then you will need to use firewalld instead of the iptables service mentioned in other answers.

 firewall-cmd --zone=public --add-port=80/tcp --permanent
 firewall-cmd --reload

And then check that it works with:

 firewall-cmd --permanent --zone=public --list-all 

It should list 80/tcp in the ports section

0
Jun 21 '16 at 3:50

Disable SELinux

 $ sudo setenforce 0 
-1
Sep 17 '12 at 15:24