Open port 80 in CentOS 6.5

  • I'm trying to open the Port 80 in my CentOS 6.5, on my virtual machine, so I can access the apache from my desktop's browser.

    [screenshot of the iptables rules file; the added line is just before the blue arrow]

    If you take a look at the screenshot above... I've added the line before the blue arrow, as is written on http://www.cyberciti.biz/faq/linux-iptables-firewall-open-port-80/. Now I do get the apache test page when entering the IP address in my browser, but still, when restarting iptables, I get a "FAILED" when CentOS tries to apply the new rule.

    Does anyone know a solution for this? Or do I need to ignore the failure?

  • slm (correct answer, 7 years ago)

    Rather than keying the rules in manually, you can use iptables to add the rules to the appropriate chains and then save them. This lets you debug the rules live, confirming they're correct, rather than having to add them to the file as you appear to be doing.

    To open port 80 I do this:

    $ sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    $ sudo /etc/init.d/iptables save
    

    The last command will save the added rules. This is the rule I would use to open up the port for web traffic.

    Why your rule is causing issues

    If you notice the rule you're attempting to use:

    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    

    it references a chain called "RH-Firewall-1-INPUT". If you do not have this chain, or a link from the INPUT chain to this chain, then this rule will never be reachable. This rule could likely be like this:

    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    

    Or your INPUT chain should link to this chain RH-Firewall-1-INPUT with a rule like this:

    $ sudo iptables --list
    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination
    1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
    ....
    

    NOTE: You can see what chains you have with this command:

    $ sudo iptables -L| grep Chain
    Chain INPUT (policy ACCEPT)
    Chain FORWARD (policy ACCEPT)
    Chain OUTPUT (policy ACCEPT)
    ...
    

    Also the states might need to be modified so that existing connections are allowed as well.

    -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 80 -j ACCEPT
    

    Also when you use the -A switch you're appending the rule to chain INPUT. If there are other rules before it that are blocking and/or interfering with the reaching of this rule, it will never get executed. So you might want to move it to the top by inserting rather than appending, like this:

    -I INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 80 -j ACCEPT
    

    Using the GUI

    Firewalls can be complicated beasts. So you might want to try the TUI instead (TUIs are GUIs for the terminal).

    $ sudo system-config-firewall-tui
    

    You can then go through the various screens setting up iptables rules.

    [screenshot #1: system-config-firewall-tui]

    [screenshot #2: system-config-firewall-tui]
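    As an added example (not part of slm's answer or the asker's setup), the POSIX shell script below applies the checks from the answer to a constructed `iptables -S` listing: whether a chain exists, whether INPUT actually jumps to it, and whether the port 80 ACCEPT is reachable or sits behind a catch-all REJECT (which is what an appended `-A` rule does on a CentOS 6 style ruleset). The `insert_rule` helper mimics what `-I` does to show why inserting at the top makes the rule effective. The sample ruleset, the chain layout and the function names are assumptions for the demonstration.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output (not a real system's rules):
# INPUT jumps to RH-Firewall-1-INPUT, which ends with a catch-all REJECT,
# and a port 80 ACCEPT has been appended *after* that REJECT.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N RH-Firewall-1-INPUT
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT'

# chain_exists RULES CHAIN -> 0 if CHAIN is built-in (-P) or user-defined (-N)
chain_exists() {
    printf '%s\n' "$1" | grep -Eq -- "^-(N|P) $2( |\$)"
}

# chain_reachable RULES CHAIN -> 0 if the INPUT chain has a jump (-j) to CHAIN
chain_reachable() {
    printf '%s\n' "$1" | grep -Eq -- "^-A INPUT .*-j $2\$"
}

# port_rule_state RULES CHAIN PORT -> prints one of:
#   missing    no ACCEPT rule for --dport PORT in CHAIN
#   shadowed   the ACCEPT comes after a catch-all REJECT/DROP, so it never matches
#   effective  the ACCEPT is evaluated before any catch-all terminating rule
port_rule_state() {
    printf '%s\n' "$1" | awk -v chain="$2" -v port="$3" '
        $1 == "-A" && $2 == chain {
            n++
            # remember the first ACCEPT for this port
            if (!accept && $0 ~ ("--dport " port " -j ACCEPT")) { accept = n }
            # a rule with no match options and a terminating target catches
            # every packet that reaches it
            if (!blocker && $0 ~ /^-A [^ ]+ -j (REJECT|DROP)( |$)/) { blocker = n }
        }
        END {
            if (!accept) print "missing"
            else if (blocker && blocker < accept) print "shadowed"
            else print "effective"
        }'
}

# insert_rule RULES CHAIN RULE -> prints RULES with "-A CHAIN RULE" placed as the
# first rule of CHAIN, i.e. the position `iptables -I CHAIN RULE` would give it
insert_rule() {
    printf '%s\n' "$1" | awk -v chain="$2" -v rule="$3" '
        !done && $1 == "-A" && $2 == chain { print "-A " chain " " rule; done = 1 }
        { print }
        END { if (!done) print "-A " chain " " rule }'
}

# Walk through the checks on the constructed ruleset.
for chain in INPUT RH-Firewall-1-INPUT; do
    if chain_exists "$SAMPLE_RULES" "$chain"; then
        echo "chain $chain: exists"
    else
        echo "chain $chain: MISSING"
    fi
done
if chain_reachable "$SAMPLE_RULES" RH-Firewall-1-INPUT; then
    echo "INPUT jumps to RH-Firewall-1-INPUT: yes"
fi
echo "port 80 rule appended with -A: $(port_rule_state "$SAMPLE_RULES" RH-Firewall-1-INPUT 80)"
FIXED=$(insert_rule "$SAMPLE_RULES" RH-Firewall-1-INPUT \
    "-m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT")
echo "port 80 rule inserted with -I: $(port_rule_state "$FIXED" RH-Firewall-1-INPUT 80)"
```

    On a live CentOS 6 box the same functions can be pointed at the real listing, e.g. `port_rule_state "$(sudo iptables -S)" INPUT 80`, which gives a quick answer to "is my new rule shadowed by an earlier REJECT?" before running `/etc/init.d/iptables save`.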


    The last rule deleted all previous rules in my iptables file and added just the one above (sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT). Now I cannot access the apache page from my browser anymore, either.

    @ErikVandeVen - sorry I didn't make that clearer. The other rules that you had would either need to be added in this same manner and saved (at the same time), or you can go to the file `/etc/sysconfig/iptables` and add them. Your original entries should be in this file, `/etc/sysconfig/iptables.save`.

    Thanks, I was able to restore iptables by copying the iptables.save. But I still wasn't able to add the rule without getting a failure and being able to open the apache test page within my browser, at the same time. I'll take a look at the tutorial which riclags has posted, first :)

    Man, I totally didn't get why this answer hadn't received a single like yet. Excellent detailed reply. Consider my one like as a thousand thanks.

    That firewall GUI is a god-send, never seen that before!

    +1ed. thanks for `system-config-firewall-tui`, @slm

    @slm `-m tcp` is redundant since we already have `-p tcp`, isn't it? It seems like it is, because when I add the rule using `iptables -A INPUT -p tcp --dport 80 -j ACCEPT` and then list the rules using `iptables -S`, iptables is giving `-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT`.

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM