Troubleshooting Remote Port 80 Access Issues: Apache Works Locally but Not Remotely


When your Apache server responds to local requests but remains inaccessible remotely, it's typically one of these culprits:

# Quick diagnostic commands:
sudo netstat -tuln | grep :80
sudo iptables -L -n -v
curl -I http://localhost
telnet your_server_ip 80

Your current iptables configuration shows a critical issue:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

The rules explicitly allow SSH (port 22) but have a blanket reject for everything else. Let's fix this:

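# Add HTTP/HTTPS rules. Insert them (-I) ahead of the final REJECT: iptables
# stops at the first matching rule, so rules appended with -A would land after
# the REJECT and never match. Check positions with --line-numbers.
sudo iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT
sudo iptables -I INPUT 3 -p tcp --dport 443 -j ACCEPT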

# Persist rules (Ubuntu/Debian):
sudo apt-get install iptables-persistent
sudo netfilter-persistent save

Check your Apache configuration files:

# Typical locations:
/etc/apache2/ports.conf
/etc/apache2/sites-enabled/000-default.conf

# Sample correct configuration:
Listen 80

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
</VirtualHost>

The key is ensuring Apache listens on all interfaces (*:80) rather than just localhost.

Before digging deeper, verify basic network connectivity:

# From remote machine:
ping your_server_ip
traceroute your_server_ip
telnet your_server_ip 80

# On server:
sudo tcpdump -i any port 80 -n

If you're running SELinux (common on CentOS/RHEL):

# Check status:
getenforce
sestatus

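# If enforcing, try:
# (httpd_can_network_connect governs outbound connections made by httpd)
sudo setsebool -P httpd_can_network_connect=1
# (port 80 normally already carries http_port_t; semanage then reports it as already defined)
sudo semanage port -a -t http_port_t -p tcp 80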

For cloud instances (AWS, GCP, Azure):

  • Check Security Group/Network ACL rules
  • Verify instance-level firewall (like AWS EC2's security groups)
  • Confirm no intermediate proxies are blocking traffic

Run this comprehensive check on your server:

#!/bin/bash
# printf is used for the section headers because bash's echo prints "\n" literally.
echo "=== Network Interfaces ==="
ip addr show

printf '\n=== Listening Ports ===\n'
ss -tulnp | grep :80

printf '\n=== Firewall Rules ===\n'
sudo iptables -L -n -v | grep -A 10 "Chain INPUT"

printf '\n=== Apache Config ===\n'
grep -r "Listen" /etc/apache2/
grep -r "VirtualHost" /etc/apache2/

printf '\n=== Connection Test ===\n'
curl -Is http://localhost | head -1

As a temporary workaround, you could test with a different port:

# In Apache config:
Listen 8080

# In iptables:
sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

# Then test with:
curl http://your_server_ip:8080

To summarize, confirm that:

  1. Firewall allows port 80 (iptables/ufw/firewalld)
  2. Apache listens on 0.0.0.0:80
  3. No network ACLs blocking traffic
  4. SELinux permissions correct (if enabled)
  5. No intermediate devices filtering traffic

When running a Linux server with Apache, you can successfully access port 80 locally via curl localhost:80 and even using the server's external IP (curl SERVERIP:80 from the server itself). However, remote connections to port 80 fail while SSH (port 22) remains accessible.

Current iptables configuration shows:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Netstat output confirms Apache is listening:

tcp        0      0 SERVERIP:80                 0.0.0.0:*                   LISTEN

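The iptables rules explicitly allow only:

  • Established connections (RELATED,ESTABLISHED)
  • ICMP traffic
  • SSH (port 22)

All other traffic gets rejected with icmp-host-prohibited. The third rule, shown as ACCEPT all, is most likely restricted to the loopback interface: iptables -L without -v omits the interface columns, so list the rules with -v to confirm. That would also explain why requests made from the server itself succeed.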

Add a rule to accept HTTP traffic before the final REJECT rule:

sudo iptables -I INPUT 5 -p tcp --dport 80 -j ACCEPT
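
The position matters because iptables evaluates a chain top to bottom and stops at the first matching rule. As an added example (not part of the original page), the shell function below reads `iptables -S INPUT` output and reports which rule decides a new remote TCP connection to a given port; the rulesets are constructed from the listing above, and the `-i lo` rule in them is an assumption.

```shell
#!/bin/sh
# Added example: model iptables first-match-wins evaluation of the INPUT chain.
# first_match PORT reads `iptables -S INPUT` output on stdin and prints
# "<rule number> <target>" for the first rule that decides a NEW TCP connection
# from a remote host to PORT, or "policy <target>" when no rule matches.
# Simplifications (assumptions): rules using -s, -d or "!" are treated as not
# matching, and only ACCEPT, DROP and REJECT are treated as terminating targets.
first_match() {
  awk -v port="$1" '
    function covers(spec, p,   r) {          # spec is "80" or a range "8000:8100"
      if (split(spec, r, ":") == 2) return (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0)
      return (spec + 0 == p + 0)
    }
    $1 == "-P" { policy = $3; next }
    $1 != "-A" { next }
    {
      n++; hit = 1; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "!" || $i == "-s" || $i == "-d") hit = 0
        if ($i == "-p" && $(i+1) != "tcp" && $(i+1) != "all") hit = 0
        if ($i == "-i" && $(i+1) == "lo") hit = 0        # loopback-only rule
        if ($i == "--dport" && !covers($(i+1), port)) hit = 0
        if ($i ~ /^--(ct)?state$/ && $(i+1) !~ /(^|,)NEW(,|$)/) hit = 0
        if ($i == "-j") target = $(i+1)
      }
      if (!done && hit && target ~ /^(ACCEPT|DROP|REJECT)$/) { verdict = n " " target; done = 1 }
    }
    END { print (done ? verdict : "policy " policy) }
  '
}

# Constructed rulesets in `iptables -S` form, modelled on the listing above.
# The "-i lo" rule is an assumption: `iptables -L -n` without -v hides interfaces.
base_rules() {
  printf '%s\n' '-P INPUT ACCEPT' \
    '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
    '-A INPUT -p icmp -j ACCEPT' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
}
http='-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'
reject='-A INPUT -j REJECT --reject-with icmp-host-prohibited'
appended_rules() { base_rules; printf '%s\n' "$reject" "$http"; }   # iptables -A
inserted_rules() { base_rules; printf '%s\n' "$http" "$reject"; }   # iptables -I INPUT 5

echo "appended (-A):       port 80 -> $(appended_rules | first_match 80)"   # 5 REJECT
echo "inserted (-I ... 5): port 80 -> $(inserted_rules | first_match 80)"   # 5 ACCEPT
```

On a live host, pipe the real chain into it: sudo iptables -S INPUT | first_match 80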

To make changes persistent (on CentOS/RHEL):

sudo service iptables save

For Ubuntu/Debian systems using UFW (alternative approach):

sudo ufw allow 80/tcp
sudo ufw reload

After implementing the solution:

  1. Check updated iptables rules: sudo iptables -L -n -v
  2. Test remote access: curl http://SERVERIP from an external machine
  3. Verify Apache logs: tail -f /var/log/apache2/access.log

If the issue persists, check these additional factors:

  • Network ACLs: Cloud providers often have separate security groups
  • SELinux: May need adjustment with setsebool -P httpd_can_network_connect 1
  • Apache configuration: Verify Listen 80 directive isn't restricted to localhost

# Sample Apache config check
grep -E "Listen|<VirtualHost" /etc/apache2/ports.conf /etc/apache2/sites-enabled/*