Resolving Apache Server Issues: Allowing Only Localhost Access While Blocking External Connections - An In-Depth Analysis of Firewall Configuration

Dec 05, 2025 · Programming

Keywords: Apache | Firewall Configuration | CentOS Server

Abstract: This article provides a comprehensive analysis of a common issue encountered when deploying Apache HTTP servers on CentOS systems: the server responds to local requests but rejects connections from external networks. Drawing from real-world troubleshooting data, the paper examines the core principles of iptables firewall configuration, explains why default rules block HTTP traffic, and presents two practical solutions: adding port rules using traditional iptables commands and utilizing firewalld service management tools for CentOS 7 and later. The discussion includes proper methods for persisting firewall rule changes and ensuring configuration survives system reboots.

Problem Context and Symptom Analysis

When deploying web servers in cloud environments, a common and easily overlooked problem is an Apache HTTP server that, once configured, answers requests from localhost but from nowhere else. The typical picture: SSH to the server works fine, but a browser or `telnet host 80` from an external network cannot connect to port 80.

Technical Diagnosis and Root Cause

Checking listening sockets with `netstat -tulpn` (or `ss -tulpn` on newer systems) confirms that Apache is listening on port 80:

tcp    0    0 :::80     :::*    LISTEN    -

The `:::80` entry is the IPv6 wildcard address; on Linux such a socket also accepts IPv4 connections by default, so this single entry serves both address families. Apache itself is therefore healthy, which points to the network layer. Listing the iptables rules with `iptables -L INPUT` shows:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Two things stand out. First, the ruleset explicitly permits new SSH connections (`state NEW tcp dpt:ssh`) but has no equivalent rule for port 80, so a new HTTP connection falls through to the final REJECT rule; the `RELATED,ESTABLISHED` rule only passes packets that belong to a connection that was already accepted. Second, the third rule (`ACCEPT all -- anywhere anywhere`) is what makes localhost work: on the stock CentOS ruleset it is `-A INPUT -i lo -j ACCEPT`, and plain `iptables -L` simply does not print the interface match. Use `iptables -L -n -v --line-numbers` or `iptables -S INPUT` to see interface matches and rule numbers before editing anything. Because the terminal rule is `REJECT --reject-with icmp-host-prohibited`, an external client gets an immediate `No route to host` error rather than a timeout; a silent timeout would instead suggest a DROP rule or a cloud security group in the path.

Solution One: Adding HTTP Rules Using iptables

For a traditional iptables setup, add a rule that accepts new connections to port 80, and insert it above the REJECT rule: iptables evaluates INPUT top to bottom and stops at the first terminal match, so a rule appended with `-A` would land after the REJECT and never fire. Position 4 places it just before the SSH rule (rule numbers come from `iptables -L -n --line-numbers`):

sudo iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

Explanation of this command:

  -I INPUT 4: insert into the INPUT chain at position 4; the existing rule 4 and everything below it shift down one place
  -p tcp -m tcp --dport 80: match TCP packets whose destination port is 80
  -m state --state NEW: match only packets that open a new connection; replies and follow-up packets are already covered by the RELATED,ESTABLISHED rule
  -j ACCEPT: accept the packet and stop evaluating the chain

The rule is active immediately but exists only in kernel memory. To survive a reboot it must be written to `/etc/sysconfig/iptables`, which the init script's `save` action does (`service iptables save` is equivalent):

sudo /etc/init.d/iptables save

On CentOS 7 and later this script exists only if the `iptables-services` package is installed and firewalld is disabled; otherwise use Solution Two. If clients also reach Apache over IPv6, the same rule is needed in ip6tables, which has its own INPUT chain and its own save file.
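To make the first-match behaviour concrete, here is an added example (not from the original article) that walks an `iptables -S INPUT` listing the way the kernel does and reports the verdict for a new TCP connection on a given port and interface. The ruleset is a constructed copy of the stock CentOS 6 defaults quoted above, written in the `-S` form so the `-i lo` match that `iptables -L` hides is visible; `insert_new_tcp_rule` emulates `iptables -I INPUT N ...` so you can see that the same rule inserted after the REJECT does nothing. The function names and sample rules are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): emulate iptables first-match
# evaluation over an `iptables -S INPUT` listing, so the reader can see why
# localhost works and eth0 does not, and check a candidate fix offline.
# SAMPLE_RULES is constructed to mirror the stock CentOS 6 ruleset quoted in
# the article (iptables -S shows the -i lo match that iptables -L hides).

SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# verdict_for_new_tcp PORT IFACE [RULES]
# Prints ACCEPT/REJECT/DROP (or the chain policy if no rule matches) for a
# NEW TCP SYN to PORT arriving on IFACE, walking the rules top to bottom.
verdict_for_new_tcp() {
  printf '%s\n' "${3:-$SAMPLE_RULES}" | awk -v port="$1" -v iface="$2" '
    $1 == "-P" { policy = $3; next }
    $1 != "-A" { next }
    {
      in_if = ""; proto = ""; dport = ""; states = ""; target = ""
      for (i = 3; i <= NF; i++) {
        if      ($i == "-i")      in_if  = $(i + 1)
        else if ($i == "-p")      proto  = $(i + 1)
        else if ($i == "--dport") dport  = $(i + 1)
        else if ($i == "--state") states = $(i + 1)
        else if ($i == "-j")      target = $(i + 1)
      }
      # every match clause present on the rule must hold for this packet
      if (in_if  != "" && in_if  != iface) next
      if (proto  != "" && proto  != "tcp") next
      if (dport  != "" && dport  != port)  next
      if (states != "" && states !~ /NEW/) next
      if (target == "ACCEPT" || target == "REJECT" || target == "DROP") {
        matched = 1; print target; exit   # first terminal match wins
      }
    }
    END { if (!matched) print policy }'
}

# insert_new_tcp_rule POS PORT [RULES]
# Emulates: iptables -I INPUT POS -p tcp -m state --state NEW -m tcp --dport PORT -j ACCEPT
# Positions count only -A lines, as iptables does; POS == rulecount+1 appends.
insert_new_tcp_rule() {
  printf '%s\n' "${3:-$SAMPLE_RULES}" | awk -v pos="$1" -v port="$2" '
    BEGIN { rule = "-A INPUT -p tcp -m state --state NEW -m tcp --dport " port " -j ACCEPT" }
    $1 == "-A" { n++; if (n == pos) print rule }
    { print }
    END { if (n + 1 == pos) print rule }'
}

# Stand-alone demo: before the fix, after the fix, and after a rule inserted too late.
echo "eth0:80 before fix -> $(verdict_for_new_tcp 80 eth0)"
echo "lo:80   before fix -> $(verdict_for_new_tcp 80 lo)"
echo "eth0:80 -I INPUT 4 -> $(verdict_for_new_tcp 80 eth0 "$(insert_new_tcp_rule 4 80)")"
echo "eth0:80 -I INPUT 6 -> $(verdict_for_new_tcp 80 eth0 "$(insert_new_tcp_rule 6 80)")"
```

The emulator only understands the matches that appear in this ruleset (`-i`, `-p`, `--dport`, `--state`, `-j`); it is a reasoning aid for the article's scenario, not a general iptables simulator. On a live host, feed it `iptables -S INPUT` and try the insert position you intend to use before running the real command.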

Solution Two: Utilizing firewalld Management Tools

CentOS 7 and later use firewalld as the default firewall front end; it still drives iptables (or nftables) underneath, but rules are managed per zone rather than edited by hand. First check that it is running:

firewall-cmd --state

If it reports `running`, confirm which zone the external interface belongs to (`firewall-cmd --get-active-zones`; the commands below assume the default `public` zone), then enable HTTP in the runtime configuration. This takes effect immediately but is lost on reload or reboot, which makes it suitable for a quick test:

sudo firewall-cmd --zone=public --add-service=http

Once the external test succeeds, make the change permanent. This writes the zone's saved configuration but does not touch the running rules:

sudo firewall-cmd --zone=public --permanent --add-service=http

Because the runtime rule from the previous step is already active, nothing further is needed. If you added only the permanent rule, apply it with `firewall-cmd --reload`, which replaces the runtime configuration with the saved one; restarting the whole service also works but tears down and rebuilds every rule:

sudo systemctl restart firewalld.service

Configuration Verification and Best Practices

After the change, test from an external network rather than from the server itself (a local test goes over `lo` and passes regardless of the rules); `firewall-cmd --zone=public --list-services` or `iptables -L -n -v` should show the new entry. Recommended practices:

  1. Review the firewall rules regularly so ports opened for testing are not left open
  2. In production, restrict who can reach a port instead of opening it to the world: iptables `-s` or firewalld `--add-source` / rich rules for administrative services, with only genuinely public ports exposed broadly
  3. Keep the rules documented so the team can reason about changes and troubleshoot quickly
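For the external test, the following added example (not part of the original article) probes the port with curl and maps the failure text to the most likely cause: `No route to host` is what the `icmp-host-prohibited` REJECT above produces, `Connection refused` means the packet reached the host but nothing was listening, and a timeout means the packet was silently dropped somewhere in between. The address `203.0.113.10` in the constructed sample messages is a documentation address, `classify_probe` and `probe_http` are names chosen here, and running `probe_http` assumes curl is installed on the machine you probe from.

```shell
#!/bin/sh
# Added example, not from the original article: probe an HTTP port from an
# external host and turn the curl failure into a likely cause.
# Assumes curl on the probing host; sample messages below are constructed.

# classify_probe EXIT_CODE STDERR_TEXT
# Prints "verdict: explanation" for one probe attempt.
classify_probe() {
  code=$1
  msg=$2
  if [ "$code" -eq 0 ]; then
    echo "reachable: TCP connect succeeded and the server answered"
    return
  fi
  case $msg in
    *"No route to host"*)
      echo "rejected: host firewall REJECT with icmp-host-prohibited; add an ACCEPT for the port above the REJECT rule" ;;
    *"Connection refused"*)
      echo "refused: packet reached the host but nothing is listening on that port; re-check Listen and netstat -tulpn" ;;
    *"timed out"*)
      echo "dropped: no reply at all; suspect a DROP rule, a cloud security group, or the wrong address" ;;
    *)
      echo "unknown: $msg" ;;
  esac
}

# probe_http HOST PORT
# Runs one curl attempt with short timeouts and classifies the outcome.
# The exit status is captured without tripping `set -e`.
probe_http() {
  code=0
  err=$(curl -sS --connect-timeout 5 --max-time 10 -o /dev/null "http://$1:$2/" 2>&1) || code=$?
  classify_probe "$code" "$err"
}

# Constructed curl messages, as a probe against 203.0.113.10 might print them,
# so the classifier can be exercised without network access.
classify_probe 7  'curl: (7) Failed to connect to 203.0.113.10 port 80: No route to host'
classify_probe 7  'curl: (7) Failed to connect to 203.0.113.10 port 80: Connection refused'
classify_probe 28 'curl: (28) Connection timed out after 5001 milliseconds'
classify_probe 0  ''
# Live use from an external host: probe_http 203.0.113.10 80
```

Run `probe_http` from a machine outside the server's network; a `rejected` result points at the INPUT chain, `refused` at Apache's `Listen` configuration, and `dropped` at something upstream of the host, which saves a round of guessing before any rule is changed.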

Understanding the relationship between firewall configuration and network service access control is a crucial skill in Linux system administration and web server deployment. Proper configuration of iptables or firewalld ensures Apache servers operate securely while responding normally to external requests.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.