apache not accepting incoming connections from outside of localhost - linux

I've booted up a CentOS server on rackspace and executed yum install httpd'd. Then services httpd start. So, just the barebones.
I can access its IP address remotely over ssh (22) no problem, so there's no problem with the DNS or anything (I think...), but when I try to connect on port 80 (via a browser or something) I get connection refused.
From localhost, however, I can use telnet (80), or even lynx on itself and get served with no problem. From outside (my house, my school, a local coffee shop, etc...), telnet connects on 22, but not 80.
I use netstat -tulpn (<- I'm not going to lie, I don't understand the -tulpn part, but that's what the internet told me to do...) and see
tcp 0 0 :::80 :::* LISTEN -
as I believe I should. The httpd.conf says Listen 80.
I have services httpd restart'd many a time.
Honestly I have no idea what to do. There is NO way that rackspace has a firewall on incoming port 80 requests. I feel like I'm missing something stupid, but I've booted up a barebones server twice now and have done the absolute minimum to get this functioning thinking I had mucked things up with my tinkering, but neither worked.
Any help is greatly appreciated! (And sorry for the long winded post...)
Edit
I was asked to post the output of iptables -L. So here it is:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

In case not solved yet. Your iptables say:
state RELATED,ESTABLISHED
Which means that it lets pass only connections already established... that's established by you, not by remote machines. Then you can see exceptions to this in the next rules:
state NEW tcp dpt:ssh
Which counts only for ssh, so you should add a similar rule/line for http, which you can do like this:
state NEW tcp dpt:80
Which you can do like this:
sudo iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
(In this case I am choosing to add the new rule in the fourth line)
Remember that after editing the file you should save it like this:
sudo /etc/init.d/iptables save

CentOS 7 uses firewalld by default now. But all the answers focus on iptables. So I wanted to add an answer related to firewalld.
Since firewalld is a "wrapper" for iptables, using antonio-fornie's answer still seems to work but I was unable to "save" that new rule. So I wasn't able to connect to my apache server as soon as a restart of the firewall happened. Luckily it is actually much more straightforward to make an equivalent change with firewalld commands. First check if firewalld is running:
firewall-cmd --state
If it is running the response will simply be one line that says "running".
To allow http (port 80) connections temporarily on the public zone:
sudo firewall-cmd --zone=public --add-service=http
The above will not be "saved", next time the firewalld service is restarted it'll go back to default rules. You should use this temporary rule to test and make sure it solves your connection issue before moving on.
To permanently allow http connections on the public zone:
sudo firewall-cmd --zone=public --permanent --add-service=http
If you do the "permanent" command without doing the "temporary" command as well, you'll need to restart firewalld to get your new default rules (this might be different for non CentOS systems):
sudo systemctl restart firewalld.service
If this hasn't solved your connection issues it may be because your interface isn't in the "public zone". The following link is a great resource for learning about firewalld. It goes over in detail how to check, assign, and configure zones: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

SELinux prevents Apache (and therefore all Apache modules) from making remote connections by default.
# setsebool -P httpd_can_network_connect=1

Try with below setting in iptables.config table
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Run the below command to restart the iptable service
service iptables restart
change the httpd.config file to
Listen 192.170.2.1:80
re-start the apache.
Try now.

If you are using RHEL/CentOS 7 (the OP was not, but I thought I'd share the solution for my case), then you will need to use firewalld instead of the iptables service mentioned in other answers.
firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --reload
And then check that it is running with:
firewall-cmd --permanent --zone=public --list-all
It should list 80/tcp under ports

Search for LISTEN directive in the apache config files (httpd.conf, apache2.conf, listen.conf,...) and if you see localhost, or 127.0.0.1, then you need to overwrite with your public ip.

Try disabling iptables: service iptables stop
If this works, enable TCP port 80 to your firewall rules:
run system-config-selinux from root, and enable TCP port 80 (HTTP) on your firewall.

this would work:
-- for REDHAT
use : cat "/etc/sysconfig/iptables"
iptables -I RH-Firewall-1-INPUT -s 192.168.1.3 -p tcp -m tcp --dport 80 -j ACCEPT
followed by
sudo /etc/init.d/iptables save

this is what worked for us to get the apache accessible from outside:
sudo iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
sudo service iptables restart

Set apache to list to a specific interface and port something like below:
Listen 192.170.2.1:80
Also check for Iptables and TCP Wrappers entries that might be interfering on the host with outside hosts accessing that port
Binding Docs For Apache

Disable SELinux
$ sudo setenforce 0

Related

load static IP without specifying port

I am using AWS lightsail for the first time. I cloned my git repository to my htdocs and opened port 3000 on my networking ipv4 firewall. What im trying to do is load my node site with my aws static IP. It currently works when I specify the specific port like: 98.222.124.4:3000 but I wanted it to load the site without having to specify the port so I followed the steps found here https://docs.bitnami.com/ibm/infrastructure/nodejs/administration/create-custom-application-nodejs/ under "Create A Custom Virtual Host" but the specified method is not working. I still need to specify the port in order for the site to load. What I basically did was edit the documentRoot and directory paths to my repositories location then restarted apache but this didn't let me access the site without the port. Where did I go wrong. How can I load the site without specifying a port in the url?
It took me a minute to land on this solution but the only method that worked was this:
First try this after installing iptables:
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000
What you basically did is forward all port 80 traffic to port 3000. Then check and see if site is loading without specifying the port in URL. If it works go to step 2.
Step 2:
open the /etc/rc.local file with vim or other editor and add
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3000 to the file. Notice sudo is not included because the file already runs as root. We are implementing step 2 because we want the port redirected when the machine boots up.

How to restrict access from internet to containers ports on remote linux server?

I use docker-compose on ubuntu 18 on remote server.
How, with iptables, can i block access from the internet to the docker port and only allow access to it from the localhost of this server?
For instance, i want to block 4150 port for internet. Trying this:
iptables -A DOCKER-USER -p tcp --dport 4150 -j DROP does not block the port - still can access to it from the internet (not from server machine).
How can i block access from internet to all ports that are on the server, but allow only 22,80 ? And keep that ports available from localhost of the server (eg from the server itself) ?
Not the IPTables based solution you're looking for, but a much simpler solution is to only publish to a specific interface, instead of all interfaces. And when that interface is the loopback interface, e.g. 127.0.0.1, you'll only be able to access the port locally. To do this, add the interface to the beginning of the publish spec:
docker run -p 127.0.0.1:4150:4150 ...
Or a similar syntax in the compose file:
...
ports:
- 127.0.0.1:4150:4150
...
As for why the command you tried using didn't work, this needs conntrack to get the original port rather than the docker mapped port:
iptables -I DOCKER-USER -p tcp -m contrack --ctorigdstport 4150 -j DROP
This also changed from -A (append) to -I (insert) because there's a default rule to accept everything in that list.

How does one open a tensorboard port in Linux?

I have some tensorboard data and I want my server to let me see the data. I don't want to have to send the tensorboard data files to my computer, so it would be ideal if I can just access them remotely. How does one do that? I would assume that the server would just host it as a normal website? What are the Tensorboard commands for this?
I know that locally one can do:
tensorboard --logdir=path/to/log-directory
and then go to the browser to do:
http://localhost:6006/
but is it possible to the equivalent from a server and then just read the data in my local browser/computer from the server?
Assuming that there is no firewall preventing access to port 6006 from the outside, and that your server's address is server.example.com you should be able to simply type http://server.example.com:6006 into your browser and have it work.
In case of a restrictive firewall, tunneling the tensorboard port over SSH using Local Port Forwarding is a good approach (this is also more secure than opening random ports publicly). When logging in to your server, you could type (for instance):
ssh -L 12345:localhost:6006 server.example.com
After that, start tensorboard on the server as usual, and you will be able to access it at http://localhost:12345 in your browser.
mvoelske instructions for setting up port forwarding are correct. If you have administrative privileges on the machine, you can open port 6006 to your IP address using the following commands:
$ sudo iptables -A INPUT -p tcp -s <insert your ip> --dport 6006 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A OUTPUT -p tcp --sport 6006 -m conntrack --ctstate ESTABLISHED -j ACCEPT
The iptables change can be saved with the following command:
$ sudo service iptables save
Note that this is for CentOS v6 and below. CentOS v7 and above used Firewalld by default.
If you have reached this stackoverflow question because you are troubleshooting a previously working TensorBoard setup, you might consider adding the --bind-all flag to your command line.
$ tensorboard --logdir=path/to/log-directory --bind-all
This resolved my problem reaching TensorBoard by URL within an internal network.
http://my_server.company.com:6006

How to access Weave DNS-Server from external?

I use the Weave network plugin on a Docker-Swarm.
I created a docker network with a specific IP-Range, different from the default Weave Network, to which I route from my internal network.
To make the containers even better accessible I use weave to attach DNS names like containername.auto.mycompany.de. Now I want to access those from my company Network. The Problem is, that weave only allows access to the weave DNS from the local host.
Like on one of my swarm nodes i can do:
host foobar.auto.mycompany.de 172.17.0.1
Using domain server:
Name: 172.17.0.1
Address: 172.17.0.1#53
Aliases:
foobar.auto.mycompany.de has address 10.40.13.3
Host foobar.auto.mycompany.de not found: 3(NXDOMAIN)
Host foobar.auto.mycompany.de not found: 3(NXDOMAIN)
But I don't find a way to make the weave container accessible on one of the IP's from this (10.40.130/24) docker network or expose the port to the swarm node.
The only way I can think of, but don't like, is doing something like this:
iptables -t nat -A DOCKER -p tcp --dport 53 -j DNAT --to-destination 172.17.0.1:53
(this does not work, it's just the idea)
Or tamper with the weave script to make it expose the port on start of the weave container.
Does anybody know of a better solution?
In fact setting the rules
iptables -A DOCKER -p tcp -m tcp --dport 53 -j DNAT --to-destination 172.17.0.1:53
iptables -A DOCKER -p udp -m udp --dport 53 -j DNAT --to-destination 172.17.0.1:53
does it. When I first tried that, I simply missed to see, that my request would have come from "outside" the server to work, not from inside to the loopback device.
Still not a pretty solution but it does the job. I'm looking forward to see better solutions from you guys.
(Bounty stands!)

Port 80 Websockets on EC2 falls to long polling

I'm using a fresh ubuntu instance and got a sockjs server running on port 80. I can load it on the web browser but then it switches to long polling.
If I switch the port to 81 it all works fine. I even tried running my sockjs server on port 8000 and redirecting traffic from 80 to 8000 using iptables with no luck.
What could be causing this odd behaviour? I'm using EC2 with an Ubuntu 13.04 Linux VM
I have set all the firewall rules to allow traffic through, which it is going through since I can access it in the web browser its just its falling from websockets to using long polling which is really slow.
I did have some problem and add this to iptables to allow Websockets
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Resources