How to configure iptables to allow incoming web traffic

One day you need to enable a web server on your Linux box. The steps look simple: start httpd, put some content under the web root directory, and you are done. A quick test with “telnet localhost 80” confirms that the server is up, so you go to test it in a browser from another machine… Nothing! In the best case (Google Chrome) you get “Error 109 (net::ERR_ADDRESS_UNREACHABLE)”. That is actually a good hint that the HTTP port on your fresh web server is blocked by the host firewall (on Linux this is typically “iptables”). BTW, connecting to the server’s own external IP address with telnet from inside the server is not a reliable check: traffic to a locally assigned address is delivered over the loopback interface, which the default rule set accepts, so that test can succeed while port 80 is still blocked for everyone else. Test from another host, or look at the running rules with “iptables -L -n” on the server.

The solution is very simple: add the HTTP port to the list of allowed ports in the iptables configuration. Many tutorials explain how to do it from the command line:

iptables -I INPUT -p tcp --dport 80 -j ACCEPT

(“-I” inserts the rule at the top of the INPUT chain; with the RedHat layout shown below, “-A INPUT” would append it after the jump to RH-Firewall-1-INPUT, whose final REJECT rule would then drop the connection before your new rule is ever consulted.) …but such changes live only in kernel memory and will not survive a reboot. The durable way is to edit the iptables configuration file “/etc/sysconfig/iptables” directly (see the example for RedHat-based systems below) and reload it.

The line to add is “-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT”. It instructs iptables to accept TCP connections to port 80 (that is, allow incoming HTTP traffic). It must appear before the chain’s final REJECT rule: iptables evaluates rules in order and stops at the first match, so a rule placed after the REJECT is never reached.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Now reload the rules with “service iptables restart” and enjoy your fresh web server from outside! To confirm the change took effect, run “iptables -L RH-Firewall-1-INPUT -n --line-numbers” and check that the port 80 ACCEPT is listed before the REJECT.

P.S. As a more convenient alternative, you can write the running rule set to the file with “iptables-save > /etc/sysconfig/iptables” (or “service iptables save” on RedHat-based systems). Be aware, however, that this also persists every other temporary change currently in the running rule set, wanted or not.
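The procedure above done as a script, added here as an example and not part of the original post: it inserts the port 80 rule into a saved rules file in the right place (before the chain’s REJECT), refuses to add it twice, and checks the order before anything is loaded. The chain name RH-Firewall-1-INPUT and the file layout are assumed to match the listing above; the file path is taken as an argument so you can try it on a copy first.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the RedHat-style
# rules file shown in the post: chain RH-Firewall-1-INPUT whose last rule is
# the catch-all REJECT. All paths come from the caller; nothing here touches
# /etc/sysconfig/iptables unless you pass that path.

# The rule to add. "-m state --state NEW" matches only new connection
# attempts; replies are already covered by the ESTABLISHED,RELATED rule.
HTTP_RULE='-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT'
REJECT_PATTERN='^-A RH-Firewall-1-INPUT -j REJECT'

# add_http_rule FILE: rewrite FILE with HTTP_RULE inserted immediately before
# the chain's final REJECT. Placing it after the REJECT would make it dead
# code, which is what "iptables -A" does on this chain layout.
# Returns 0 if the file was changed, 1 if the rule was already present.
add_http_rule() {
    file=$1
    if grep -qF -e "$HTTP_RULE" "$file"; then
        return 1
    fi
    tmp=$(mktemp)
    awk -v rule="$HTTP_RULE" -v pat="$REJECT_PATTERN" '
        $0 ~ pat && !done { print rule; done = 1 }
        { print }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
    return 0
}

# check_rules FILE: succeed only if the port 80 ACCEPT is present and comes
# before the chain's REJECT, i.e. it can actually be reached.
check_rules() {
    file=$1
    accept_line=$(grep -nF -e "$HTTP_RULE" "$file" | head -n 1 | cut -d: -f1)
    reject_line=$(grep -n "$REJECT_PATTERN" "$file" | head -n 1 | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$reject_line" ] && [ "$accept_line" -lt "$reject_line" ]
}

# load_rules FILE: parse the file without committing it (iptables-restore
# --test, available on newer iptables), then load it for real. Needs root
# and a box that has iptables; the two functions above run anywhere.
load_rules() {
    file=$1
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "iptables-restore not found; nothing loaded" >&2
        return 2
    fi
    iptables-restore --test < "$file" && iptables-restore < "$file"
}

# Usage: sh add_http_rule.sh /path/to/iptables-rules-file
if [ -n "${1:-}" ]; then
    add_http_rule "$1" && echo "added port 80 rule to $1"
    check_rules "$1" || { echo "port 80 rule is missing or placed after REJECT" >&2; exit 1; }
fi
```

Run it against a copy of /etc/sysconfig/iptables first, then against the real file followed by “service iptables restart” (or load_rules as root). The awk insertion keys on the REJECT line rather than on a fixed line number, so it still works when other rules have been added to the chain.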

2 thoughts on “How to configure iptables to allow incoming web traffic”

  1. We have IP Range1 192.168.0.0/24 & IP Range2 192.168.58.0/24
    I can have access & can ping 192.168.58.0 IPs from 192.168.0.0.

    192.168.58.1 is the Linux gateway (also having 192.168.0.2 for connectivity between both ranges)

    I want to do the following:

    1: Block all traffic from any IP range except 192.168.58.0/24
    2: Allow only ssh, telnet, rdp & some other ports from specific IPs only.

    I want to configure iptables for this. I am using the RH-Firewall chain.
