Remote Access to Tomcat on Linux Blocked by Firewall

After installing Apache Tomcat on a CentOS server, you can successfully access it via http://localhost:8080 from the local machine. However, attempts to reach the server from other devices on the same network fail, even though ICMP ping requests are answered. The root cause is typically the system firewall blocking incoming connections on port 8080.

While disabling the firewall entirely resolves the issue, it exposes the server to unnecessary risks. A more secure and recommended approach is to explicitly allow traffic on port 8080 through the firewall rules.

Option 1: Disable the Firewall (Not Recommended)

To temporarily stop the firewall:

sudo systemctl stop firewalld

To disable it permanently (across reboots):

sudo systemctl disable firewalld

This method is simple but compromises security. It should only be used in isolated, non-production environments.

Option 2: Allow Port 8080 via Firewall Rules (Recommended)

Modern CentOS systems use firewalld (a management layer over the underlying iptables/nftables rules) rather than the legacy iptables service. The following steps apply to systems running firewalld:

First, check the current firewall status:

sudo firewall-cmd --state

Then, add a permanent rule to allow HTTP traffic on port 8080:

sudo firewall-cmd --permanent --add-port=8080/tcp

Reload the firewall to apply the changes:

sudo firewall-cmd --reload

Verify the rule was added successfully:

sudo firewall-cmd --list-all

You should now see ports: 8080/tcp listed in the output. From any device on the local network, you can now access Tomcat using the server’s IP address: http://<server-ip>:8080.
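The procedure above, wrapped into a script that opens the port, reloads, and then checks two things a practitioner usually wants confirmed: that 8080/tcp really appears in `firewall-cmd --list-all`, and that Tomcat is listening on all interfaces rather than only on loopback (a Tomcat connector bound to 127.0.0.1 stays unreachable no matter what the firewall allows). This is an added example, not code from the original post; it assumes firewalld is the active firewall and that `ss` is available. The two parse helpers are exercised against constructed sample output so they can be checked even on a machine without firewall-cmd.

```shell
#!/bin/sh
# Added example (not from the original post): open 8080/tcp in firewalld and
# verify the result. Assumes firewalld on CentOS; the parse helpers below are
# pure POSIX sh + awk so they run against constructed sample output offline.

# Return 0 if the given `firewall-cmd --list-all` output lists PORT/PROTO.
#   $1 = list-all output, $2 = port spec such as 8080/tcp
port_listed() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "ports:" { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if `ss -ltn` output shows a TCP listener on PORT that is not bound
# to loopback only (127.x or [::1]). Wildcard binds such as 0.0.0.0:8080,
# *:8080 and [::]:8080 all count as externally reachable.
#   $1 = ss output, $2 = port number
listening_externally() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" && $4 ~ (":" port "$") && $4 !~ /^127\./ && $4 !~ /^\[::1\]/ { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Open the port in the permanent config, reload, then confirm it is listed
# and that Tomcat is bound to a non-loopback address.
open_tomcat_port() {
    port="${1:-8080/tcp}"
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 2; }
    [ "$(sudo firewall-cmd --state 2>/dev/null)" = "running" ] || { echo "firewalld is not running" >&2; return 2; }
    sudo firewall-cmd --permanent --add-port="$port" >/dev/null || return 1
    sudo firewall-cmd --reload >/dev/null || return 1
    port_listed "$(sudo firewall-cmd --list-all)" "$port" || { echo "rule not present after reload" >&2; return 1; }
    listening_externally "$(ss -ltn 2>/dev/null)" "${port%/*}" \
        || { echo "Tomcat is not listening on ${port%/*} for non-loopback addresses; check the connector's address attribute" >&2; return 1; }
}

# Constructed sample of `firewall-cmd --list-all` output before and after the rule.
SAMPLE_BEFORE='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports:
  protocols:'

SAMPLE_AFTER='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 8080/tcp
  protocols:'

# Constructed samples of `ss -ltn` output: Tomcat bound to all interfaces vs. loopback only.
SAMPLE_SS_ALL='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      100    0.0.0.0:8080        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

SAMPLE_SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      100    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
```

Run `open_tomcat_port` on the server itself; if it reports the loopback-only condition, the fix is in Tomcat's server.xml connector, not in the firewall.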

Understanding Firewall Chains and Rules

Firewalls like firewalld and iptables operate by filtering network packets based on predefined rules organized into chains. Each chain evaluates packets as they enter, leave, or pass through the system.

  • INPUT: Controls incoming packets destined for the local machine.
  • OUTPUT: Manages outgoing packets generated by the local machine.
  • FORWARD: Handles packets routed through the machine (relevant for gateway or NAT setups).

Rules are processed in order. The first matching rule determines the action (ACCEPT, REJECT, DROP, etc.). By default, firewalld uses zones to group interfaces and services, making rule management more intuitive than raw iptables configuration.

Using firewalld with service names or port-specific rules gives granular control without exposing the entire system. For example, instead of opening a raw port, you could also add Tomcat as a service if a service definition named tomcat exists (stock firewalld does not ship one, so it usually has to be created first):

sudo firewall-cmd --permanent --add-service=tomcat
sudo firewall-cmd --reload

This approach enhances maintainability and reduces configuration errors.
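As an added example (not code from the original post), here is how to create the missing service definition so that `--add-service=tomcat` works: firewalld reads user-supplied definitions from /etc/firewalld/services/*.xml, which take precedence over the stock ones in /usr/lib/firewalld/services. The script checks `firewall-cmd --get-services` first, writes the XML only if no tomcat service is known, and then enables it in the default zone. The service name, short name and description are choices made here, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original post): define Tomcat as a firewalld
# service instead of opening a raw port. Assumes firewalld on CentOS; the XML
# builder is plain shell so it can be checked without firewall-cmd present.

# Emit the XML for a firewalld service definition.
#   $1 = short name, $2 = description, remaining args = port specs (port/proto)
tomcat_service_xml() {
    short="$1"; desc="$2"; shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
    for spec in "$@"; do
        printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
    done
    printf '</service>\n'
}

# Count the <port .../> elements in a definition file (sanity check before loading it).
service_port_count() {
    grep -c '<port protocol=' "$1"
}

# Install the definition (only if firewalld does not already know a "tomcat"
# service) and enable it in the default zone; returns 0 once it is active.
install_tomcat_service() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 2; }
    if firewall-cmd --get-services | tr ' ' '\n' | grep -qx tomcat; then
        echo "a 'tomcat' service definition already exists; reusing it"
    else
        tomcat_service_xml Tomcat "Apache Tomcat HTTP connector" 8080/tcp \
            | sudo tee /etc/firewalld/services/tomcat.xml >/dev/null
        sudo firewall-cmd --reload >/dev/null   # make firewalld read the new definition
    fi
    sudo firewall-cmd --permanent --add-service=tomcat >/dev/null
    sudo firewall-cmd --reload >/dev/null
    sudo firewall-cmd --list-services | tr ' ' '\n' | grep -qx tomcat
}
```

Keeping the port in a named service means that a later change (for example adding 8443/tcp for an HTTPS connector) is a one-file edit followed by a reload, and `firewall-cmd --list-all` shows "tomcat" under services instead of an anonymous port number.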

Tags: firewalld Tomcat centos linux-firewall 8080

Posted on Mon, 25 May 2026 21:24:33 +0000 by webdesco