3

Suddenly my server's port 80 is shown as filtered (no server changes were made). My sites are sometimes timing out or stay in the waiting state for a very long time (in the browser).

Nmap localhost output is below,

Starting Nmap 5.51 ( http://nmap.org ) at 2015-08-05 13:12 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000025s latency).
Other addresses for localhost (not scanned): 127.0.0.1
Not shown: 984 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   open     smtp
53/tcp   open     domain
80/tcp   filtered http
106/tcp  open     pop3pw
110/tcp  open     pop3
143/tcp  open     imap
443/tcp  open     https
465/tcp  open     smtps
587/tcp  open     submission
783/tcp  open     spamassassin
993/tcp  open     imaps
995/tcp  open     pop3s
3306/tcp open     mysql
8443/tcp open     https-alt

Here is my iptables,

# Generated by iptables-save v1.4.7 on Wed Aug  5 13:13:10 2015
*raw
:PREROUTING ACCEPT [766174:119529463]
:OUTPUT ACCEPT [425616:321228136]
COMMIT
# Completed on Wed Aug  5 13:13:10 2015
# Generated by iptables-save v1.4.7 on Wed Aug  5 13:13:10 2015
*nat
:PREROUTING ACCEPT [64110:3791395]
:POSTROUTING ACCEPT [2368:111132]
:OUTPUT ACCEPT [2324:120618]
COMMIT
# Completed on Wed Aug  5 13:13:10 2015
# Generated by iptables-save v1.4.7 on Wed Aug  5 13:13:10 2015
*mangle
:PREROUTING ACCEPT [423439:69482399]
:INPUT ACCEPT [423439:69482399]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [225758:163995526]
:POSTROUTING ACCEPT [225720:163982022]
COMMIT
# Completed on Wed Aug  5 13:13:10 2015
# Generated by iptables-save v1.4.7 on Wed Aug  5 13:13:10 2015
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:VZ_FORWARD - [0:0]
:VZ_INPUT - [0:0]
:VZ_OUTPUT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset 
-A INPUT -m state --state INVALID -j DROP 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 12443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 11443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 11444 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8447 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8880 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 106 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 9008 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT 
-A INPUT -p udp -m udp --dport 137 -j ACCEPT 
-A INPUT -p udp -m udp --dport 138 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT 
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT 
-A INPUT -p udp -m udp --dport 53 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT 
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j ACCEPT 
-A INPUT -j DROP 
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset 
-A FORWARD -m state --state INVALID -j DROP 
-A FORWARD -i lo -o lo -j ACCEPT 
-A FORWARD -j DROP 
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with tcp-reset 
-A OUTPUT -m state --state INVALID -j DROP 
-A OUTPUT -o lo -j ACCEPT 
-A OUTPUT -j ACCEPT 
-A VZ_INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A VZ_INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A VZ_INPUT -p tcp -m tcp --dport 25 -j ACCEPT 
-A VZ_INPUT -p tcp -m tcp --dport 110 -j ACCEPT 
-A VZ_INPUT -p tcp -m tcp --dport 53 -j ACCEPT 
-A VZ_INPUT -p udp -m udp --dport 53 -j ACCEPT 
-A VZ_INPUT -p tcp -m tcp --dport 32768:65535 -j ACCEPT 
-A VZ_INPUT -p udp -m udp --dport 32768:65535 -j ACCEPT 
-A VZ_INPUT -p tcp -m tcp --dport 8880 -j ACCEPT 
-A VZ_INPUT -p tcp -m tcp --dport 8443 -j ACCEPT 
-A VZ_INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -j ACCEPT 
-A VZ_INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p udp -j ACCEPT 
-A VZ_OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT 
-A VZ_OUTPUT -p tcp -m tcp --sport 22 -j ACCEPT 
-A VZ_OUTPUT -p tcp -m tcp --sport 25 -j ACCEPT 
-A VZ_OUTPUT -p tcp -m tcp --sport 110 -j ACCEPT 
-A VZ_OUTPUT -p tcp -m tcp --sport 53 -j ACCEPT 
-A VZ_OUTPUT -p udp -m udp --sport 53 -j ACCEPT 
-A VZ_OUTPUT -p tcp -j ACCEPT 
-A VZ_OUTPUT -p udp -j ACCEPT 
-A VZ_OUTPUT -p tcp -m tcp --sport 8880 -j ACCEPT 
-A VZ_OUTPUT -p tcp -m tcp --sport 8443 -j ACCEPT 
-A VZ_OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p tcp -j ACCEPT 
-A VZ_OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -p udp -j ACCEPT 
COMMIT
# Completed on Wed Aug  5 13:13:10 2015

Tried a server restart and an Apache restart, no change. Any solutions?

Praveen
  • Have you tried temporarily disabling the firewall to see if this has any effect? If it does not then the issue may be at ISP level (their firewall) – Ashley Primo Aug 05 '15 at 11:12
  • See this to learn what filtered is: http://nmap.org/book/man-port-scanning-basics.html – Konrad Gajewski Aug 05 '15 at 11:33
  • What is the status of the apache service? `service apache status` or `service httpd status` _should_ provide some output. Also, what happens if you run `curl -v localhost` on the machine? – Andrew Mar 02 '18 at 15:30

2 Answers

0

So in your case, the filtered state might be because some packet filtering software might be blocking/preventing the detection. This could be a firewall, router, ip rules, etc. You could start disabling each one, one at a time, to quickly see which one is causing the problem.

Try also:

nmap -sS -p 80 [VMIP]

-sS : Syn scan

-p 80 : port 80

0

When you do nmap on localhost, your firewall behaves differently than when you nmap from an external machine. When you do nmap on localhost, your packets and replies basically make it through your INPUT, OUTPUT chain twice and the exceptions for -i lo apply. Can you try to nmap from an external machine?

I cannot see that the firewall behaves differently for, say, port 22 and port 80. You could try to group all your accept rules into one large multiport match statement to be sure that the error is not your firewall config.

By the way: your VZ_INPUT, VZ_OUTPUT chains are never used; I suggest deleting them to clean up your ruleset.

corny
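A small added example (not part of either answer) that checks the two claims above mechanically against an abridged, constructed excerpt of the question's filter table: that the INPUT chain does reach an ACCEPT for tcp/80 before its final DROP, and that the VZ_INPUT/VZ_OUTPUT chains are never jumped to. The helper names are my own.

```python
import re

# Constructed, abridged excerpt of the iptables-save filter table from the
# question; only the rules needed for the demonstration are kept.
RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:VZ_INPUT - [0:0]
:VZ_OUTPUT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A VZ_INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""

def parse_filter(text):
    """Return (chain names, list of (chain, rule line, jump target))."""
    chains, rules = [], []
    for line in text.splitlines():
        if line.startswith(":"):
            chains.append(line[1:].split()[0])
        elif line.startswith("-A "):
            chain = line.split()[1]
            m = re.search(r"-j (\S+)", line)
            rules.append((chain, line, m.group(1) if m else None))
    return chains, rules

def first_match_for_port(rules, chain, proto, dport):
    """Target of the first rule in `chain` that matches a fresh `proto`
    packet to `dport` arriving on a non-loopback interface.  Rules keyed on
    connection state or interface are skipped as not plain port matches."""
    for c, line, target in rules:
        if c != chain or "--state" in line or " -i " in line or " -o " in line:
            continue
        m = re.search(r"--dport (\d+)", line)
        has_proto = f"-p {proto}" in line
        # Either a matching proto+port rule, or a catch-all with neither.
        if (m and has_proto and m.group(1) == str(dport)) or (not m and not has_proto):
            return target
    return None

def unreferenced_chains(chains, rules):
    """User-defined chains that no rule jumps to, so they are never consulted."""
    builtin = {"INPUT", "OUTPUT", "FORWARD"}
    targets = {t for _, _, t in rules}
    return sorted(c for c in chains if c not in builtin and c not in targets)
```

Running it on the excerpt reports ACCEPT for tcp/80 and DROP for an unlisted port such as tcp/8080, and lists VZ_INPUT and VZ_OUTPUT as unreferenced, which is why the filter table alone does not explain the "filtered" result.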