By default, the Apache web server listens on port 80 (HTTP) and port 443 (HTTPS, i.e. secure HTTP). Apache uses the TCP protocol to transfer data between the server and the browser. The default iptables configuration does not allow inbound access to the HTTP (80) and HTTPS (443) ports used by the web server. This post explains how to allow inbound and outbound access to web services under Linux.

You can edit the /etc/sysconfig/iptables file under RHEL / CentOS / Fedora Linux. Add the following lines to open ports 80 and 443, ensuring that they appear before the final LOG and DROP lines of the RH-Firewall-1-INPUT chain (rules are evaluated top to bottom, so anything placed after those lines is never reached):

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

Finally, restart the firewall:
# service iptables restart

If you have your own shell script, try:

/sbin/iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
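Because the chain is evaluated top to bottom, an ACCEPT rule appended after the final LOG and DROP/REJECT lines is dead and the port stays closed. The checker below is an added example, not part of the original post: it parses an iptables-save style dump (a constructed sample is embedded; the names SAMPLE_DUMP, chain_rules, opt and reachable_accepts are chosen here) and reports whether the port 80/443 ACCEPT rules are placed where packets can actually reach them. It works for any chain name, so it covers the plain INPUT chain used by the shell-script variant as well.

```python
"""Check an iptables-save dump for rules shadowed by a chain's final LOG/DROP."""
# Constructed sample (not from a real host): the port 443 rule was appended
# after the chain's final LOG/REJECT lines, so packets never reach it.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
COMMIT
"""

TERMINAL = {"DROP", "REJECT"}  # targets that end evaluation for every packet

def chain_rules(dump, chain):
    """Return the -A rules appended to `chain`, in order, as token lists."""
    rules = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "-A" and parts[1] == chain:
            rules.append(parts[2:])
    return rules

def opt(tokens, flag):
    """Value following `flag` in a rule's tokens, or None if absent."""
    if flag in tokens and tokens.index(flag) + 1 < len(tokens):
        return tokens[tokens.index(flag) + 1]
    return None

def reachable_accepts(dump, chain, ports=(80, 443)):
    """For each port, True if a tcp --dport ACCEPT precedes the chain's first
    unconditional DROP/REJECT (a rule whose only option is -j <target>)."""
    status = {p: False for p in ports}
    for tokens in chain_rules(dump, chain):
        target = opt(tokens, "-j")
        if tokens[0] == "-j" and target in TERMINAL:
            break  # every packet is dropped/rejected here; later rules are dead
        if target == "ACCEPT" and opt(tokens, "-p") == "tcp":
            port = opt(tokens, "--dport")
            if port is not None and port.isdigit() and int(port) in status:
                status[int(port)] = True
    return status

if __name__ == "__main__":
    for port, ok in reachable_accepts(SAMPLE_DUMP, "RH-Firewall-1-INPUT").items():
        print(f"tcp/{port}: {'reachable' if ok else 'shadowed, move it above LOG/REJECT'}")
```

On a live host, feed it the output of `iptables-save` instead of the constructed sample.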

The following rules assume $SERVER_IP is set to the web server's IP address. Allow incoming HTTP (web) traffic on port 80:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 80 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Allow incoming HTTPS (secure web) traffic on port 443:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 443 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Allow outgoing HTTP (web) traffic to port 80, i.e. the server acting as a client:

iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 1024:65535 -d 0/0 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 80 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Allow outgoing HTTPS (secure web) traffic to port 443, i.e. the server acting as a client:

iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 1024:65535 -d 0/0 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 443 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

13 comments
  • Sunil Shrestha Dec 29, 2006 @ 7:46

    great site

  • Uttam Shrestha Rana Mar 1, 2007 @ 9:33

    How to configure a Squid server with bandwidth limitation for particular network IPs?
    If you respond with the configuration, it will be a great help to me; if not, I have still got lots of information from this site. Thanks. It's a great knowledge portal.

  • Vasanth kumar Aug 2, 2007 @ 21:51

    In Windows, how to block an HTTPS site like Gmail?

  • kunal Feb 25, 2008 @ 11:48

    Script to block incoming HTTP requests from an IP, say after 20 continuous requests.

    Thanks in advance

  • kunal Feb 25, 2008 @ 11:49

    Just to add one more thing: IP blocking should be done for a certain period of time, say 5 hrs, and after that unblock the IP.

  • Liju Jul 4, 2008 @ 15:39

    This would be much simpler and better. There is no necessity to permit the outbound traffic to be opened; it can be avoided.

    # Allow incoming port 80 and 443 (http/s) traffic
    /sbin/iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

  • Well... May 8, 2009 @ 5:17

    …you all forgot to mention that conntrack has to be enabled as well. Otherwise only the first packet of the connection is let in, but the “real” data is still blocked… 😉

  • Yogesh Jul 31, 2010 @ 8:42

    To block Gtalk, I want to set the restriction to this address:,, and on ports 20, 21, 80, 443, 5222 and 5223

    How can I block these addresses to block Gtalk and requests in a transparent proxy? I am using the same script provided by nixCraft to configure a transparent proxy.

  • pron Sep 21, 2010 @ 18:38

    can you give the opposite: I need an example of how to configure iptables for a webserver that also needs access to a Windows local network.

    thank you in advance!

  • shahadat Dec 4, 2011 @ 4:06

    hello sir,
    how to block the HTTPS port number in Linux iptables? Actually I wanted to block the browser via the HTTPS port, like Facebook.


  • Chris D. Dec 23, 2011 @ 9:39

    I have opened port 80 as you describe here but I cannot access my site from the web.
    I have also configured the router to forward port 80 to the PC with the Apache server.
    Have you any idea what could be the problem?
    Thanks in advance.

  • Yogesh Apr 18, 2012 @ 11:21

    I am using the Squid proxy server in non-transparent mode, meaning everybody needs to set the proxy in their browsers. These settings prevent my users from connecting to any port except 80.

    But for some reason I have to grant my IT team access to some port-specific software like SQLyog, Eclipse etc. on a particular server IP address.
    To allow it I run this command:
    iptables -t nat -A POSTROUTING -s -p tcp -m state --state NEW,ESTABLISHED -j SNAT --to-source server_public_ip
    But this command opens everything, i.e. Gtalk, MSN Messenger, BitTorrent etc., so I want to limit my users to making connections to the required server only, so that they can connect to the MySQL server only using SQLyog etc.

    I have two interfaces on the proxy server: eth0 (public interface) and eth1 (local interface).
    The local interface is connected to my local network only.

    Please help

  • Yogesh Apr 19, 2012 @ 10:55

    Anyone have any idea how to do it?

    Pls help
