The default iptables configuration on CentOS or RHEL does not allow access to the HTTP (TCP port 80) and HTTPS (TCP port 443) ports used by the Apache web server. You can change this using any one of the following three methods:


  1. /etc/sysconfig/iptables : Edit this file to allow or deny access to the Apache web server over IPv4. You also need to edit the /etc/sysconfig/ip6tables file to allow or deny access to the Apache web server ports over IPv6.
  2. system-config-firewall-tui command (for text-based ssh sessions) or system-config-firewall command (for GUI sessions) : A user interface for setting basic firewall rules. This tool always overwrites the /etc/sysconfig/iptables file.
  3. /sbin/iptables command : Use the iptables command directly to append, insert or delete firewall rules. The rules can be saved to the /etc/sysconfig/iptables file with the /sbin/service iptables save command.


Method # 1: Edit /etc/sysconfig/iptables file (recommended for advanced users)


Edit the IPv4 /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables


Add the following lines, ensuring that they appear before the final LOG and DROP lines of the INPUT chain:

## allow everyone to access port 80 and 443 (IPv4 Only) ##
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT


Save and close the file. Restart the IPv4 iptables service so the new rules are loaded:
# service iptables restart


Edit the IPv6 /etc/sysconfig/ip6tables, enter:
# vi /etc/sysconfig/ip6tables


Add the following lines, ensuring that they appear before the final LOG and DROP lines of the INPUT chain:


## allow everyone to access port 80 and 443 (IPv6 Only) ##
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT


Save and close the file. Restart the IPv6 iptables service:
# service ip6tables restart


Method # 2: Firewall configuration GUI/TUI tool (recommended for new users)


The system-config-firewall command is a graphical user interface for setting basic firewall rules. You need to have KDE or GNOME installed on the system. Open a terminal and type the following command as the root user:
# system-config-firewall


Sample outputs:


Fig.01: GUI tool in action


Select services such as WWW, SSH and HTTPS to open those ports for everyone, then click the Apply button. The tool generates /etc/sysconfig/iptables as follows:


Sample RHEL CentOS Linux /etc/sysconfig/iptables files


A note about the text-based config tool (recommended for remote servers with ssh access)


The system-config-firewall-tui command is the text-based version of the same tool and does not require a GUI to be installed on the server:
# system-config-firewall-tui


Sample outputs:


Fig.02: system-config-firewall-tui in action


Select Enabled and press Tab to select "Customization":


Fig.03: Opening a port 80


Scroll up/down and select SSH, WWW, Secure WWW (HTTPS) and any other ports you wish to open. Select the Close button, then press the OK button to activate the new firewall settings.


Method # 3: /sbin/iptables command line utility (recommended for advanced/expert users only)


Type the following iptables commands as the root user to open ports 80 and 443:


## open port 80 and 443 for everyone ##
/sbin/iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

## save newly added firewall rules ##
/sbin/service iptables save

## verify new firewall settings ##
/sbin/iptables -L -n -v
/sbin/iptables -L INPUT -n -v
/sbin/iptables -L INPUT -n -v | grep :80
/sbin/iptables -L INPUT -n -v | grep :443


The following rules allow access to ports 80 and 443 only from the 192.168.1.0/24 subnet:


## Find an appropriate network block and network mask
## representing the machines on your network which should operate as
## clients of the Apache web server

## Open port 80 and 443 for 192.168.1.0/24 subnet only ##
/sbin/iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 443 -j ACCEPT

## save newly added firewall rules ##
/sbin/service iptables save

## verify new firewall settings ##
/sbin/iptables -L -n -v
/sbin/iptables -L INPUT -n -v
/sbin/iptables -L INPUT -n -v | grep :80
/sbin/iptables -L INPUT -n -v | grep :443


You can block (drop) traffic from the IP address 202.54.1.1 or the subnet 202.54.1.2/29 as follows using iptables. Keep in mind that iptables stops at the first matching rule: a DROP rule appended with -A after the ACCEPT rules above will never be reached for new HTTP connections, so such DROP rules must sit before the ACCEPT rules (for example by inserting them with -I INPUT) to take effect:


## Block access to port 80 ##
iptables -A INPUT -s 202.54.1.1 -p tcp --dport 80 -j DROP
iptables -A INPUT -s 202.54.1.2/29 -p tcp --dport 80 -j DROP

## block and drop access to port 443 (secure apache web-server) ##
iptables -A INPUT -s 202.54.1.1 -p tcp --dport 443 -j DROP
iptables -A INPUT -s 202.54.1.2/29 -p tcp --dport 443 -j DROP

## save newly added firewall rules ##
/sbin/service iptables save

## verify new firewall settings ##
/sbin/iptables -L -n -v
/sbin/iptables -L INPUT -n -v | grep 202.54.1.1


Note: To unblock an IP, i.e. delete the DROP rules for 202.54.1.1 from iptables, type the following commands. The rule given to -D must match the rule exactly as it was added (including -p tcp --dport), otherwise iptables reports that no matching rule exists:
iptables -D INPUT -s 202.54.1.1 -p tcp --dport 80 -j DROP
iptables -D INPUT -s 202.54.1.1 -p tcp --dport 443 -j DROP
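To see why rule order matters for the DROP rules in Method 3, here is an added shell script (not part of the original article) that simulates iptables' first-match evaluation over a constructed INPUT chain: the ACCEPT and DROP rules above in appended (-A) order, and the same rules with the DROP rules inserted first. The parser is deliberately simplified and evaluates only -s, --dport and -j; the state and tcp matches are ignored.

```shell
#!/bin/bash
# Simulate iptables' first-match evaluation of an INPUT chain for one source
# IP and TCP destination port. Appended (-A) DROP rules land after the broad
# ACCEPT rules, so the ACCEPT wins and the block never takes effect.
# Constructed sample, in the order `iptables -S INPUT` would print it:
# the Method 3 ACCEPT rules followed by the appended DROP rules.
APPENDED_RULES='-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A INPUT -s 202.54.1.1/32 -p tcp --dport 80 -j DROP
-A INPUT -s 202.54.1.2/29 -p tcp --dport 80 -j DROP'
# Same rules with the DROPs placed first (what `iptables -I INPUT` yields).
INSERTED_RULES='-A INPUT -s 202.54.1.2/29 -p tcp --dport 80 -j DROP
-A INPUT -s 202.54.1.1/32 -p tcp --dport 80 -j DROP
-A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT'

ip2int() {  # dotted quad -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_match() {  # cidr_match ADDR CIDR: succeeds when ADDR lies inside CIDR
  local net=${2%/*} bits=${2#*/}
  [ "$net" = "$2" ] && bits=32   # a bare address means /32
  local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# verdict SRC_IP DPORT RULES: prints the target of the first rule that matches
# (ACCEPT or DROP), or POLICY when the chain's default policy would decide.
verdict() {
  local src=$1 port=$2 rules=$3 line tok prev s dport target
  while IFS= read -r line; do
    s="" dport="" target="" prev=""
    for tok in $line; do
      case $prev in
        -s) s=$tok ;;
        --dport) dport=$tok ;;
        -j) target=$tok ;;
      esac
      prev=$tok
    done
    [ -n "$s" ] && ! cidr_match "$src" "$s" && continue
    [ -n "$dport" ] && [ "$dport" != "$port" ] && continue
    echo "$target"
    return 0
  done <<< "$rules"
  echo POLICY
}

echo "appended order: 202.54.1.1:80 -> $(verdict 202.54.1.1 80 "$APPENDED_RULES")"
echo "inserted order: 202.54.1.1:80 -> $(verdict 202.54.1.1 80 "$INSERTED_RULES")"
```

With the appended order the blocked host is still ACCEPTed; with the DROP rules first it is dropped, while hosts outside 202.54.1.0/29 still reach port 80.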