How to configure iptables to allow incoming web traffic

One day you need to enable a web server on your Linux box. The steps look simple: start httpd, put some content under the web root directory, and you are done. A quick test via “telnet localhost 80” confirms that the server is up, so you go to test it in a browser from another machine… Nothing! In the best case (Google Chrome) you will get “Error 109 (net::ERR_ADDRESS_UNREACHABLE)”. This is actually a good hint that the HTTP port on your fresh web server is blocked by the host's own firewall (on Linux, typically iptables). By the way, another test that gives an additional indication is to try to connect to the external IP address with telnet from inside the server.

The solution is very simple: add the HTTP port to the list of allowed ports in the iptables configuration. Many tutorials explain how to do it from the command line:

# -I inserts at the top of the INPUT chain so the rule is evaluated before the
# chain's existing terminal rules; a bare "iptables -p tcp ..." without a command
# such as -I or -A is rejected by iptables
iptables -I INPUT -p tcp --dport 80 -j ACCEPT

…but those changes will not survive a reboot of the VM. The right way is to edit the iptables configuration file “/etc/sysconfig/iptables” directly (see the example for RedHat-based systems below).

The line to add is “-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT” (marked with a comment in the listing below). It instructs iptables to accept TCP connections to port 80, that is, to allow incoming HTTP traffic.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
# added line: allow incoming HTTP (TCP port 80); it must stay above the final REJECT rule
-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Now restart the iptables service and enjoy your fresh web server from outside!
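The listing above shows where the new rule has to go: RH-Firewall-1-INPUT ends with a REJECT, so an ACCEPT that lands after it (which is what appending to an already populated chain does) is never reached. The following script, added here as an example and not part of the original post, does the file edit from the procedure above on an iptables-save style file: it inserts the ACCEPT just before the chain's terminal REJECT/DROP rule, skips the insert if the port is already allowed, and provides a check that the rule actually precedes the REJECT. The function names and the sample ruleset written by make_sample_config are this example's own constructions; the sample has the same shape as the RedHat default.

```shell
#!/bin/sh
# Added example, not from the original post: edit an iptables-save style file
# (e.g. /etc/sysconfig/iptables) so that a TCP port is accepted in a chain,
# placing the rule where the packet can still reach it.

# Write a constructed sample ruleset (shape of the RedHat default) to FILE.
make_sample_config() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# add_tcp_accept FILE CHAIN PORT
# Inserts "-A CHAIN -p tcp -m tcp --dport PORT -j ACCEPT" before the first
# REJECT/DROP rule of CHAIN (or before COMMIT if the chain has no such rule).
# Idempotent: an existing ACCEPT for that port in that chain is left alone.
add_tcp_accept() {
    file=$1 chain=$2 port=$3
    rule="-A $chain -p tcp -m tcp --dport $port -j ACCEPT"
    if grep -qE -- "^-A $chain .*--dport $port -j ACCEPT$" "$file"; then
        return 0
    fi
    tmp=$(mktemp) || return 1
    awk -v chain="$chain" -v rule="$rule" '
        !done && $1 == "-A" && $2 == chain && $0 ~ / -j (REJECT|DROP)( |$)/ { print rule; done = 1 }
        !done && /^COMMIT$/ { print rule; done = 1 }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat instead of mv keeps the original file's owner and mode (0600 on RedHat)
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# rule_precedes_reject FILE CHAIN PORT
# Succeeds only if the ACCEPT for PORT comes before the chain's REJECT/DROP,
# i.e. a packet can actually reach it. An ACCEPT placed after the terminal
# rule is dead and the port stays blocked.
rule_precedes_reject() {
    file=$1 chain=$2 port=$3
    a=$(grep -nE -- "^-A $chain .*--dport $port -j ACCEPT$" "$file" | head -n 1 | cut -d: -f1)
    r=$(grep -nE -- "^-A $chain .*-j (REJECT|DROP)( |$)" "$file" | head -n 1 | cut -d: -f1)
    [ -n "$a" ] && [ -n "$r" ] && [ "$a" -lt "$r" ]
}

# Demo on a temporary file; the real /etc/sysconfig/iptables is never touched.
demo() {
    f=$(mktemp)
    make_sample_config "$f"
    add_tcp_accept "$f" RH-Firewall-1-INPUT 80
    cat "$f"
    rm -f "$f"
}
demo
```

To use it on the real file, call add_tcp_accept /etc/sysconfig/iptables RH-Firewall-1-INPUT 80 as root, check the file with iptables-restore --test < /etc/sysconfig/iptables (available on recent iptables releases), and then restart the service as described above. The rule_precedes_reject check is the cheap way to confirm, before restarting, that the new line did not end up below the REJECT.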

P.S. As a more convenient alternative, you can use the “iptables-save” command. However, that way you may accidentally save other non-permanent changes as well…

2 thoughts on “How to configure iptables to allow incoming web traffic”

  1. We have IP Range1 & IP Range2
    I can have access & can ping IPs from . is the linux gateway (Also having for both the range connectivity)

    I want to do the following:

    1: Block all traffic from any IP range except
    2: Allow only ssh, telnet, rdp & some other ports from a specific IP only.

    I want to configure iptables for this. I am using the RH-Firewall chain.
