Why cannot I access my website when port 80 is not blocked?

Question

On my VPS(CentOS 7), the default iptables is:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I cannot visit my website set up using Apache/2.4.6, the browser displays: "The connection was reset".

If I insert a rule to accept tcp connection on port 80 in iptables using "iptables -I INPUT -p tcp --dport=80 -j ACCEPT", everything is ok, the website can be visited without problem. The iptables is:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I wonder why I should add the rule because in old iptables, the third rule is "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0", which means it will accept all connections to all ports. Did I misunderstand something?

Michael Hampton · Accepted Answer · 2020-09-13T04:44:55.500

Yes, you missed an important detail. But it's not your fault; this is very poorly documented and apparently not well known.

The iptables command has a significant design flaw: It doesn't actually display the complete firewall rule unless you use the -v command line option.

If you repeat the iptables command and add -v you will see that that rule accepts all traffic on the interface named lo, that is all localhost traffic.

target     prot opt in     out     source               destination 
ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Since iptables is now deprecated, and the flaw has been there basically forever, it is unlikely that this will ever be changed.

Why cannot I access my website when port 80 is not blocked?

1 Answers1