How to Open Http port ( 80 ) in Iptables on CentOS

By | August 7, 2020

Iptables firewall

I was recently setting up a web server on centos with nginx and php. The installation of nginx was fine, but the http port of the system was not accessible from outside.

This is because centOS by default has some iptables firewall rules in effect. Only the ssh port (22) was accessible and remote shell worked. So its necessary to open up port 80 for webserver like nginx to work.

Iptables is the firewall on linux that can be configured to accept or reject network traffic based on various kinds of packet level rulesets. So it is necessary to configure this firewall to enable connections on network ports.

Check Iptables rules

There are 2 ways to configure iptables to open up port 80. First is using the iptables command and second is by creating a configuration file. First check the existing iptables rules in effect. The command is quite simple. Here is a sample output.

[root@dhcppc2 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
[root@dhcppc2 ~]#

As can be seen in the output, there is a REJECT line in the INPUT chain at the end that says, reject all. However the previous line allows to accept ssh connections so ssh is working. A little more verbose and numeric list can be seen using the v and n options along with the L option

[root@dhcppc2 ~]# iptables --line -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      273 22516 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
5      271 36456 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 172 packets, 24494 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
[root@dhcppc2 ~]#

Open port 80 in Iptables

To accept http connections we need to add a rule at line number 5 and push the REJECT line below. Here is the command to do it.

# iptables -I INPUT 5 -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

The above command will add a rule at line #5 stating that the firewall should accept incoming connections on port 80. Check the iptables rules again.

[root@dhcppc2 ~]# iptables --line -vnL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      291 23868 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
4        1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
5        0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 state NEW,ESTABLISHED 
6      286 38524 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited 

Chain OUTPUT (policy ACCEPT 4 packets, 608 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
[root@dhcppc2 ~]#

Now we have the new tcp port 80 rule at line #5 and so now the http port is accessible from outer network.

Save the iptables rules

With the new rules port 80 is now open, however this change is temporary and iptables would revert to the previous rules if the server is rebooted.

To make it permanent issue the iptables save command.

[root@dhcppc2 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

The new rules are saved to the file /etc/sysconfig/iptables.

Here is how the file looks:

# Generated by iptables-save v1.4.7 on Fri Oct 25 10:33:46 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39:6956]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Fri Oct 25 10:33:46 2013

Now the change is permanent.

Alternatively you could directly edit the iptables configuration file and restart iptables and the same change would take effect.

[root@dhcppc2 ~]# service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
[root@dhcppc2 ~]#

Conclusion

That was a quick example of how to open a certain port in iptables to make it accessible. To learn more about iptables, check the manual pages by running the "man iptables" command in your terminal, or check it online here:

https://linux.die.net/man/8/iptables
About Silver Moon

A Tech Enthusiast, Blogger, Linux Fan and a Software Developer. Writes about Computer hardware, Linux and Open Source software and coding in Python, Php and Javascript. He can be reached at [email protected].

21 Comments

How to Open Http port ( 80 ) in Iptables on CentOS
  1. ML

    Thanx a ton for this. Exactly what I needed. One of my servers crashed, had to rebuild it, and of course, it remained invisible until I opened the tcp port. I think my first effort had slotted in the ‘open-tcp-port’ syntax *after* the “reject all” in the INPUT chain, and of course the tweak to open the port needs to be *before* that final entry. Your page is well written – you make this point clear, and provide an unobfuscated example. Thx.

  2. Matrix70

    thanks man. that helped a lot. Was getting confused with the iptables. You nailed it. Just put all new rules above the REJECT line

  3. Xa Ya Za Za

    iptables -I INPUT 5 -i eth0 -p tcp –dport 80 -m state –state NEW,ESTABLISHED -j ACCEPT

    was the line that opened up my port to allow opencart 2.0.0.0 to be seen on port 80. All the other tuts I’ve found for it left that part out. I didn’t want to disable iptables totally so I figured I should do it right the first time :)
    (centos 6.6)

    Thanks homie

  4. John Carter

    Clear and concise – couldn’t ask for better explanation. I always struggle with IP-Tables and always afraid I will simply lock myself out…

Leave a Reply

Your email address will not be published. Required fields are marked *