Have CentOS installed with httpd. Can connect with lynx both to http://localhost and to http://10.20.30.40 (the real IP) from inside the machine. Can't connect from outside. Here is an excerpt from the /etc/httpd/conf/httpd.conf:

Listen 0.0.0.0:80

<VirtualHost 10.20.30.40:80>
    DocumentRoot /var/www/vhost1
    ErrorLog logs/vhost1-error_log
    CustomLog logs/vhost1-access_log common
</VirtualHost>

I am trying to connect from the machine that resides on the same subnet (as far as I know about it).

Nothing suspicious in the log files. Any advice, please?

Update: while running iptables -L I've got the following line (maybe it's related): REJECT all -- anywhere anywhere reject-with icmp-host-prohibited.

Update N2: iptables -vnL output:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:67
1576K 1643M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      virbr0  0.0.0.0/0            192.168.122.0/24    state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  virbr0 *       192.168.122.0/24     0.0.0.0/0
    0     0 ACCEPT     all  --  virbr0 virbr0  0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 354K packets, 58M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  922  823K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   19  1412 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            0.0.0.0/0
 159K   28M ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
 2869  640K ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:631
1239K 1589M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    8  1064 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 175K   25M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
BreakPhreak

3 Answers


Try this to see if it helps:

sudo /sbin/iptables -A INPUT -p tcp --dport http -j ACCEPT

If you use the following beforehand then you can easily revert back:

/sbin/iptables-save > /tmp/fw

If you want to completely turn off iptables (although better to configure it appropriately) then use:

sudo /sbin/chkconfig iptables off

Otherwise, to make the rule persist, save it to /etc/sysconfig/iptables:

/sbin/iptables-save > /etc/sysconfig/iptables

On CentOS 7 or above

On CentOS 7 and RHEL 7 you would probably use firewall-cmd to allow HTTP traffic.

firewall-cmd --permanent --add-service=http
firewall-cmd --reload
kubanczyk
cEz
  • Just switched off the firewall as advised above and it worked. Now the point is how to switch it forever. – BreakPhreak Jul 11 '11 at 13:43
  • Note: with `-A INPUT` the new rule comes after all other rules in the input chain. That means that the new rule may come after a general REJECT rule, making it useless. To add the new rule at the top, use `-I INPUT` instead – Johan Lundberg Apr 03 '14 at 07:26

This is often indicative of a firewall problem, either on your local system or on your network. What does your local iptables firewall look like?

# iptables -vnL

You can temporarily disable the local firewall by running:

# /sbin/service iptables stop

If things work after this, it was definitely a firewall problem and you'll need to sort that out.

If you don't have a local firewall, is there one elsewhere on your network?

larsks
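As an added example (not from the question or any of the answers), the following POSIX shell script replays a pasted `iptables -vnL` listing the way the kernel would evaluate it for a new inbound TCP connection, so the verdict for port 80 can be read off before touching the live ruleset. It also shows the point made in the comment on the first answer: a rule added with `-A INPUT` lands after the jump into RH-Firewall-1-INPUT, whose last rule rejects everything, while `-I INPUT` puts it at the top. The sample listing is a constructed copy of the INPUT and RH-Firewall-1-INPUT chains from the question; the interface name eth0, the function names and the simplified matching (only the in-interface, protocol, `dpt:`, a `state` match and an any-address destination are honoured) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the question or any answer: replay a saved
# `iptables -vnL` listing for a NEW inbound TCP packet and print the verdict.
# Constructed sample: INPUT and RH-Firewall-1-INPUT as posted in the question
# (the unrelated FORWARD/OUTPUT chains are left out).
SAMPLE_RULES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
    0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
1576K 1643M RH-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
  922  823K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   19  1412 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 255
 159K   28M ACCEPT     udp  --  *      *       0.0.0.0/0            224.0.0.251         udp dpt:5353
1239K 1589M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    8  1064 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
 175K   25M REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# verdict <listing> <in-interface> <tcp-dport>
# Walks chain INPUT top to bottom, follows jumps into user-defined chains and
# prints the first terminal target (ACCEPT/REJECT/DROP) a NEW TCP connection
# to <tcp-dport> arriving on <in-interface> would hit; falls back to the
# chain policy. Matching is simplified (assumption of this example): only the
# "in" interface, protocol, "dpt:", a "state" match and an any-address
# destination are honoured.
verdict() {
  printf '%s\n' "$1" | awk -v iface="$2" -v port="$3" '
    function matches(c, i,   e) {
      e = opts[c, i]
      if (inif[c, i] != "*" && inif[c, i] != iface) return 0
      if (prot[c, i] != "all" && prot[c, i] != "tcp") return 0
      if (dst[c, i] != "0.0.0.0/0") return 0
      if (e ~ /dpt:/ && e !~ (" dpt:" port "( |$)")) return 0
      # a state match that does not list NEW never matches the first SYN
      if (e ~ /state / && e !~ /state [A-Z,]*NEW/) return 0
      return 1
    }
    function walk(c,   i, t, v) {
      for (i = 1; i <= n[c]; i++) {
        if (!matches(c, i)) continue
        t = target[c, i]
        if (t == "ACCEPT" || t == "REJECT" || t == "DROP") return t
        # jump into a user-defined chain; keep going if it falls through
        if (t in n) { v = walk(t); if (v != "") return v }
      }
      return ""
    }
    /^Chain / { chain = $2; n[chain] = 0; if ($3 == "(policy") policy[chain] = $4; next }
    $1 == "pkts" || NF == 0 { next }
    {
      i = ++n[chain]
      target[chain, i] = $3; prot[chain, i] = $4; inif[chain, i] = $6; dst[chain, i] = $9
      e = ""
      for (k = 10; k <= NF; k++) e = e " " $k
      opts[chain, i] = e
    }
    END { v = walk("INPUT"); print (v != "" ? v : policy["INPUT"] " (policy)") }
  '
}

# add_http_rule <append|insert> <listing>
# Emulates what `iptables -A INPUT -p tcp --dport 80 -j ACCEPT` (append) or
# `iptables -I INPUT -p tcp --dport 80 -j ACCEPT` (insert) does to the listing.
add_http_rule() {
  printf '%s\n' "$2" | awk -v mode="$1" '
    BEGIN { rule = "    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80" }
    /^Chain / { in_input = ($2 == "INPUT") }
    in_input && $1 == "pkts" { print; if (mode == "insert") print rule; next }
    in_input && NF == 0 { if (mode == "append") print rule; in_input = 0 }
    { print }
    END { if (in_input && mode == "append") print rule }
  '
}

echo "port 22 from eth0, as posted:      $(verdict "$SAMPLE_RULES" eth0 22)"
echo "port 80 from eth0, as posted:      $(verdict "$SAMPLE_RULES" eth0 80)"
echo "port 80 after -A INPUT ... ACCEPT: $(verdict "$(add_http_rule append "$SAMPLE_RULES")" eth0 80)"
echo "port 80 after -I INPUT ... ACCEPT: $(verdict "$(add_http_rule insert "$SAMPLE_RULES")" eth0 80)"
```

On the listing from the question, port 22 is accepted and port 80 is rejected, which matches what the asker saw. The appended rule changes nothing because the jump into RH-Firewall-1-INPUT is evaluated first and that chain ends in an unconditional REJECT; only the inserted rule, or a rule placed inside RH-Firewall-1-INPUT ahead of the REJECT, is ever reached.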

Yeah, I'd say that firewall rule probably isn't helping things (although it depends what else is in the firewall ruleset). It could also (in theory) be a problem with the outgoing firewall on the machine you're connecting from, or a proxy config problem, or the phase of the moon.

A complete firewall ruleset and some detailed network troubleshooting results would go a long way to narrowing down the problem.

womble