61

I've booted up a CentOS server on rackspace and executed yum install httpd'd. Then services httpd start. So, just the barebones.

I can access its IP address remotely over ssh (22) no problem, so there's no problem with the DNS or anything (I think...), but when I try to connect on port 80 (via a browser or something) I get connection refused.

From localhost, however, I can use telnet (80), or even lynx on itself and get served with no problem. From outside (my house, my school, a local coffee shop, etc...), telnet connects on 22, but not 80.

I use netstat -tulpn (<- I'm not going to lie, I don't understand the -tulpn part, but that's what the internet told me to do...) and see 

tcp    0    0 :::80     :::*    LISTEN    -

as I believe I should. The httpd.conf says Listen 80.

I have services httpd restart'd many a time.

Honestly I have no idea what to do. There is NO way that rackspace has a firewall on incoming port 80 requests. I feel like I'm missing something stupid, but I've booted up a barebones server twice now and have done the absolute minimum to get this functioning thinking I had mucked things up with my tinkering, but neither worked.

Any help is greatly appreciated! (And sorry for the long winded post...)

Edit I was asked to post the output of iptables -L. So here it is:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Alex
  • 8,093
  • 6
  • 49
  • 79
Phildo
  • 986
  • 2
  • 20
  • 36
  • Why are you blaming Apache(Tomcat)? There must be some firewall or iptable setting which is dropping outside packet on port 80. I dont think Apache goes to that level to filter packet, better let this job done by network Utilities, provided by underlying OS. Or does it do so? – mawia May 24 '12 at 01:54
  • oops I see! binding docs, tomcat give these options.Better go through it to find its detail. – mawia May 24 '12 at 02:01
  • 1
    Off-topic for SO; belongs on [sf] – Jim Garrison May 24 '12 at 02:57

11 Answers11

111

In case not solved yet. Your iptables say:

state RELATED,ESTABLISHED

Which means that it lets pass only connections already established... that's established by you, not by remote machines. Then you can see exceptions to this in the next rules:

state NEW tcp dpt:ssh

Which counts only for ssh, so you should add a similar rule/line for http, which you can do like this:

state NEW tcp dpt:80

Which you can do like this:

sudo iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

(In this case I am choosing to add the new rule in the fourth line)

Remember that after editing the file you should save it like this:

sudo /etc/init.d/iptables save
Anthony
  • 36,459
  • 25
  • 97
  • 163
antonio.fornie
  • 1,740
  • 2
  • 13
  • 23
  • 4
    in Fedora, use sudo /sbin/iptables-save to save the changes in iptables – KawaiKx Jun 27 '14 at 02:40
  • This worked perfectly, however i don't quite understand. In my case my CentOS firewall's status is not on. How would firewall effect this? This is my firewal status sudo service iptables status Redirecting to /bin/systemctl status iptables.service iptables.service Loaded: not-found (Reason: No such file or directory) Active: inactive (dead) – Shuliyey Feb 16 '15 at 04:31
  • On Oracle Linux 7, the saving command that worked for me was: `sudo service iptables save`. – Laerte Oct 23 '20 at 12:19
29

CentOS 7 uses firewalld by default now. But all the answers focus on iptables. So I wanted to add an answer related to firewalld.

Since firewalld is a "wrapper" for iptables, using antonio-fornie's answer still seems to work but I was unable to "save" that new rule. So I wasn't able to connect to my apache server as soon as a restart of the firewall happened. Luckily it is actually much more straightforward to make an equivalent change with firewalld commands. First check if firewalld is running:

firewall-cmd --state

If it is running the response will simply be one line that says "running".

To allow http (port 80) connections temporarily on the public zone:

sudo firewall-cmd --zone=public --add-service=http

The above will not be "saved", next time the firewalld service is restarted it'll go back to default rules. You should use this temporary rule to test and make sure it solves your connection issue before moving on.

To permanently allow http connections on the public zone:

sudo firewall-cmd --zone=public --permanent --add-service=http

If you do the "permanent" command without doing the "temporary" command as well, you'll need to restart firewalld to get your new default rules (this might be different for non CentOS systems):

 sudo systemctl restart firewalld.service

If this hasn't solved your connection issues it may be because your interface isn't in the "public zone". The following link is a great resource for learning about firewalld. It goes over in detail how to check, assign, and configure zones: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

Josh
  • 637
  • 5
  • 13
6

SELinux prevents Apache (and therefore all Apache modules) from making remote connections by default.

# setsebool -P httpd_can_network_connect=1
Nadeer Madampat
  • 330
  • 3
  • 9
3

Try with below setting in iptables.config table 

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Run the below command to restart the iptable service

service iptables restart

change the httpd.config file to

Listen 192.170.2.1:80

re-start the apache.

Try now.

Omtara
  • 2,911
  • 2
  • 19
  • 31
Raja
  • 39
  • 3
2

If you are using RHEL/CentOS 7 (the OP was not, but I thought I'd share the solution for my case), then you will need to use firewalld instead of the iptables service mentioned in other answers.

firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload

And then check that it is running with:

firewall-cmd --permanent --zone=public --list-all

It should list 80/tcp under ports

Matt Pennington
  • 560
  • 1
  • 8
  • 21
1

Search for LISTEN directive in the apache config files (httpd.conf, apache2.conf, listen.conf,...) and if you see localhost, or 127.0.0.1, then you need to overwrite with your public ip.

Pethical
  • 1,472
  • 11
  • 18
  • I checked httpd.conf, and there's nothin' fishy in there (again, using the default EVERYTHING to try to limit my errors). I can't find the apache2 folder though... weird. I wonder if that's what's going on? Isn't it normally in /etc/? And shouldn't "yum install httpd" have taken care of that? weird... – Phildo May 24 '12 at 01:58
1

Try disabling iptables: service iptables stop

If this works, enable TCP port 80 to your firewall rules: run system-config-selinux from root, and enable TCP port 80 (HTTP) on your firewall.

dAm2K
  • 9,923
  • 5
  • 44
  • 47
  • thank you for the reply! I disabled iptables, and it still doesn't work... :( Any other ideas? – Phildo May 24 '12 at 01:48
  • Already tried disabling selinux? Try: setenforce 0. Did you read /var/log/messages syslog log file or /var/log/httpd/error_log httpd erro logs? – dAm2K May 24 '12 at 12:06
1

this would work: -- for REDHAT use : cat "/etc/sysconfig/iptables" 

iptables -I  RH-Firewall-1-INPUT -s 192.168.1.3  -p tcp -m tcp --dport 80 -j ACCEPT

followed by 

sudo /etc/init.d/iptables save
niksmac
  • 2,667
  • 3
  • 34
  • 50
Mr.T
  • 33
  • 6
1

this is what worked for us to get the apache accessible from outside:

sudo iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
sudo service iptables restart
jwvh
  • 50,871
  • 7
  • 38
  • 64
user4806038
  • 11
  • 2
0

Set apache to list to a specific interface and port something like below:

Listen 192.170.2.1:80

Also check for Iptables and TCP Wrappers entries that might be interfering on the host with outside hosts accessing that port

Binding Docs For Apache

nsfyn55
  • 14,875
  • 8
  • 50
  • 77
  • I set it to 'Listen 5.95.203.157' and then ran 'service httpd restart' and 99)Cannot assign requested address: make_sock: could not bind to address 5.95.203.157:80 no listening sockets available, shutting down. Any idea what this might mean? – Phildo May 24 '12 at 01:55
  • is that address assigned to an interface on that host? – nsfyn55 May 24 '12 at 02:02
-1

Disable SELinux 

$ sudo setenforce 0
Satish
  • 16,544
  • 29
  • 93
  • 149