Updated on 2024-08-15 GMT+08:00

Why Does My Linux ECS Fail to Access the Internet After Port 80 Is Allowed by the Firewall Rules?

Symptom

The Linux ECS cannot access the Internet after port 80 is allowed by the firewall rules. After the firewall is disabled, access to the Internet succeeds.

Possible Causes

A likely cause is that the firewall rule and the NIC interface are in different zones, so the rule that allows port 80 does not apply to traffic on that interface. Perform the following steps to check:

  1. Run the following command to check the zone and the open port of the firewall:
    firewall-cmd --list-all

    As shown in the following figure, the firewall zone is public, the open port is 80, and the NIC interface is eth0.

    Figure 1 Viewing firewall information
  2. Run the following command to check the NIC interface zone:
    firewall-cmd --get-active-zones

    The following figure shows that the NIC interface zone is external.

    Figure 2 Checking the NIC interface zone
  3. Run the following command to check whether port 80 is enabled in the external zone. Figure 3 shows an example.
    firewall-cmd --zone=external --list-ports
    Figure 3 The port not enabled in the external zone

    Port 80 is not enabled in the external zone.

  4. Run the following command to check whether port 80 is enabled in the public zone. Figure 4 shows an example.
    firewall-cmd --zone=public --list-ports
    Figure 4 The port enabled in the public zone

    Port 80 is enabled in the public zone.

Therefore, the Linux ECS cannot access the Internet because the firewall rules and the NIC interfaces are in different zones.
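
The four checks above can be combined into one script that reports the mismatch directly. This is an added example, not part of the original page: the function names are illustrative, the three wrappers call existing firewall-cmd options, and the fallback data is constructed to match this page's scenario (eth0 in external, 80/tcp open only in public). Pass the interface and port as arguments, for example `eth0 80/tcp`.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are illustrative.
# Note: --list-ports shows explicit ports only, not ports opened via services.
get_active_zones() { firewall-cmd --get-active-zones; }
list_ports()       { firewall-cmd --zone="$1" --list-ports; }
all_zones()        { firewall-cmd --get-zones; }

if ! command -v firewall-cmd >/dev/null 2>&1; then
    # Constructed sample data mirroring this page, used when firewalld is absent.
    get_active_zones() { printf 'external\n  interfaces: eth0\n'; }
    list_ports()       { if [ "$1" = public ]; then echo "80/tcp"; fi; }
    all_zones()        { echo "external public"; }
fi

# Print the zone that owns interface $1, reading --get-active-zones text on stdin.
zone_of_interface() {
    awk -v ifc="$1" '
        /^[^ \t]/ { zone = $1; next }   # unindented line: zone name
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == ifc) { print zone; exit } }'
}

# Succeed if PORT/PROTO ($1) is covered by the --list-ports text in $2 (ranges included).
port_is_listed() {
    want=${1%/*}; proto=${1#*/}
    for entry in $2; do
        [ "${entry#*/}" = "$proto" ] || continue
        range=${entry%/*}; lo=${range%-*}; hi=${range#*-}
        [ "$want" -ge "$lo" ] && [ "$want" -le "$hi" ] && return 0
    done
    return 1
}

# diagnose IFACE PORT/PROTO -> 0 open in the interface's zone, 1 not open, 2 no zone
diagnose() {
    iface=$1; port=$2
    zone=$(get_active_zones | zone_of_interface "$iface")
    [ -n "$zone" ] || { echo "$iface: not bound to an active zone"; return 2; }
    if port_is_listed "$port" "$(list_ports "$zone")"; then
        echo "$iface: $port is open in zone $zone"; return 0
    fi
    for z in $(all_zones); do
        [ "$z" = "$zone" ] && continue
        if port_is_listed "$port" "$(list_ports "$z")"; then
            echo "MISMATCH: $port is open in zone $z, but $iface is in zone $zone"; return 1
        fi
    done
    echo "$iface: $port is not open in zone $zone or any other zone"; return 1
}
if [ "$#" -ge 2 ]; then diagnose "$1" "$2"; fi
```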

Solution

Method 1

Perform the following steps to add a firewall rule that enables port 80 in the zone of the NIC interface (external).

  1. Run the following command to enable port 80 in the external zone:
    firewall-cmd --zone=external --add-port=80/tcp --permanent
    Figure 5 Enabling port 80 in the external zone
  2. Run the following command to update firewall rules:
    firewall-cmd --reload
    Figure 6 Updating firewall rules
  3. Run the following command to check firewall rules:
    firewall-cmd --zone=external --list-ports
    Figure 7 Checking firewall rules

Method 2

Perform the following steps to change the specified zone of the NIC interface from external to public:

  1. Run the following command to change the specified zone of the NIC interface:
    firewall-cmd --zone=public --change-interface=eth0
    Figure 8 Changing the specified zone of the NIC interface
  2. Run the following command to check the specified zone of the NIC interface:
    firewall-cmd --get-active-zones
    Figure 9 Checking the specified zone of the NIC interface