
I have a CentOS 7 server without firewalld but with iptables installed.

WildFly 10 is running on it, with the http socket binding port changed from 8080 to 80 in standalone.xml.

I opened port 80 in iptables with these commands:

# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT

but the server is still unreachable until I stop iptables.

How to fix it?


Update:

# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT


# netstat -nltp | grep :80
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN             10042/java
WildDev
  • Your rules are wrong. You need `--dport` (destination port) open for INPUT, so that requests from outside are allowed. Try like this: `iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT` – Diamond Jan 09 '16 at 15:41
  • @bangal, still doesn't work:( – WildDev Jan 09 '16 at 15:45
  • post output of `iptables -S` and `netstat -nltp | grep :80` – Diamond Jan 09 '16 at 15:49
  • Look at the list: at the 8th line `-A INPUT -j REJECT --reject-with icmp-host-prohibited` everything is rejected, so nothing after it is evaluated. Remove it first and add it at the end. The order of the rules is incorrect. Put the reject rules at the end and remove the duplicate rules, then flush iptables. – Diamond Jan 09 '16 at 15:58
  • Can you reach this service when iptables is stopped? If not, your binding may not be working properly. You can remove all those sport 80 rules. – Aaron Jan 09 '16 at 16:05
  • That thing is messy. Save yourself a lot of headache and just use firewalld. – Michael Hampton Jan 09 '16 at 16:18
  • I believe that the old style iptables-save init scripts still work. I would edit those then do a restore. – Zan Lynx Jan 09 '16 at 18:09
  • The old method still works if you install iptables-services package and mask the firewalld service. – Aaron Jan 09 '16 at 23:24

1 Answer

Your rules are wrong for what you want to achieve. The INPUT chain deals with incoming traffic and the OUTPUT chain deals with traffic going out. So for what you want to achieve you need a rule like this (and you don't need a rule for the OUTPUT chain and can remove it):

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Other than that, the order of the rules is important and your rule list doesn't look OK. For example, you have a rule at the 8th line to reject everything, so a following rule to accept something won't work. So, put the reject-all rule at the end. You also have many duplicate rules; just remove them and flush iptables.

See these pages to have a better understanding of iptables:

Linux Firewall Tutorial: IPTables Tables, Chains, Rules Fundamentals

How To Set Up a Basic Iptables Firewall on Centos 6
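The answer names two problems in the posted rule list: rules that sit after the catch-all REJECT in the INPUT chain (never reached, because netfilter stops at the first terminal match) and duplicated rules. The script below is an added example, not part of the question or the answer, that audits an `iptables -S` dump for exactly those two problems and rebuilds a cleaned rule list with each chain's catch-all moved to the end. It works on text only, so it runs without root and without a live netfilter; the sample dump embedded in it is constructed from the rule list posted in the question's update.

```python
"""Audit an `iptables -S` dump for shadowed and duplicate rules.

Assumption: the input is a text dump in `iptables -S` format. The sample
below is constructed from the rule list posted in the question's update.
"""
from collections import OrderedDict

# Constructed sample input: the filter table as posted in the question.
SAMPLE_DUMP = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 8080 -j ACCEPT
"""

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(dump):
    """Split a dump into chain policies and an ordered list of (chain, rule)."""
    policies, rules = OrderedDict(), []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("-P "):
            _, chain, policy = line.split()
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append((line.split()[1], line))
    return policies, rules


def is_catch_all(rule):
    """True for a rule with no match criteria and a terminal target,
    e.g. '-A INPUT -j REJECT --reject-with icmp-host-prohibited'."""
    tokens = rule.split()
    return len(tokens) >= 4 and tokens[2] == "-j" and tokens[3] in TERMINAL_TARGETS


def find_shadowed(rules):
    """Rules placed after a catch-all in the same chain; they are never evaluated."""
    blocked, shadowed = set(), []
    for chain, rule in rules:
        if chain in blocked:
            shadowed.append(rule)
        elif is_catch_all(rule):
            blocked.add(chain)
    return shadowed


def find_duplicates(rules):
    """Rule texts that occur more than once (each reported a single time)."""
    seen, dups = set(), []
    for _, rule in rules:
        if rule in seen and rule not in dups:
            dups.append(rule)
        seen.add(rule)
    return dups


def rebuild(rules):
    """Drop duplicates and move each chain's catch-all to the end of that chain,
    keeping the original relative order of everything else."""
    unique = OrderedDict()
    for chain, rule in rules:
        unique.setdefault(rule, chain)       # keeps the first occurrence only
    by_chain = OrderedDict()
    for rule, chain in unique.items():
        by_chain.setdefault(chain, []).append(rule)
    fixed = []
    for chain_rules in by_chain.values():
        fixed += [r for r in chain_rules if not is_catch_all(r)]
        fixed += [r for r in chain_rules if is_catch_all(r)]
    return [(r.split()[1], r) for r in fixed]


def render_script(policies, rules):
    """Commands that flush the filter table and reload the given rule list."""
    cmds = ["iptables -F"]
    cmds += ["iptables -P %s %s" % (c, p) for c, p in policies.items()]
    cmds += ["iptables %s" % rule for _, rule in rules]
    return cmds


if __name__ == "__main__":
    policies, rules = parse_rules(SAMPLE_DUMP)
    print("shadowed:", *find_shadowed(rules), sep="\n  ")
    print("duplicates:", *find_duplicates(rules), sep="\n  ")
    print("\n".join(render_script(policies, rebuild(rules))))
```

On the posted dump the script reports all eight INPUT rules behind the REJECT as shadowed, which is why port 80 stayed unreachable even though a correct `--dport 80` rule was present, and it reports three duplicated rule texts. The rebuilt list keeps the `--sport 80` and OUTPUT `--dport 80` rules because they are harmless with an ACCEPT policy, but as the answer and the comments say they grant nothing for inbound connections and can be dropped; to keep the cleaned rules across a reboot on CentOS 7 you still need the iptables-services package and `service iptables save`, as mentioned in the comments.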

Diamond