Hong Kong cloud server Nginx and firewall conflict solution
Time : 2025-03-18 16:41:54
Edit : Jtti

When deploying Nginx on a Hong Kong cloud server, a firewall configuration conflict is a common reason the server becomes inaccessible. Such conflicts usually arise from the interaction of local firewall rules, cloud platform security group policies, and the operating system's security module (SELinux). The symptom is that a browser request to the Hong Kong cloud server ends in "connection timeout" or "access denied". In this case, every hop in the network path needs to be checked systematically.

When the Nginx service is started but cannot be accessed from the public network, first determine which layer the problem is at:

Nginx service not listening: the service is not running or is misconfigured, so no traffic reaches it at all.
Local firewall block: the iptables/firewalld rules do not permit the HTTP/HTTPS ports (80/443).
Cloud platform security group restrictions: the cloud provider's security group denies all inbound traffic by default, so rules must be added manually.
SELinux policy block: the mandatory access control mechanism restricts Nginx from binding ports or accessing resources.
Multi-layer rule stack conflict: rule priorities of different firewall tools cause unexpected blocking.

The first step is to verify the Nginx service status, to ensure that Nginx is properly started and listening on the target port.

Check the service status

systemctl status nginx

Check the port listening status

netstat -tuln | grep ':80\|:443'

Or use the ss command

ss -tuln | grep -E '(80|443)'

Local loopback test

curl -I http://localhost

If the service is not running, start Nginx and reload the configuration:

systemctl start nginx
systemctl reload nginx

If curl succeeds locally but the site cannot be reached from the public network, the fault lies in the firewall or the security group.

Step 2 Check the local firewall rules. Select a tool based on your Linux distribution:

iptables (CentOS 6/Ubuntu)

View the current Hong Kong cloud server rules

iptables -L -n -v

Temporarily open ports 80/443 (these rules are lost after a restart unless saved):

iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 443 -j ACCEPT

Save the rules (CentOS)

service iptables save

On Ubuntu, iptables-persistent must be installed to save the rules:

sudo apt install iptables-persistent
sudo netfilter-persistent save

firewalld (CentOS 7+/Ubuntu)

Check that the port of the Hong Kong cloud server has been opened

firewall-cmd --list-ports

Permanently add the HTTP/HTTPS service

firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

If complex rules already exist, temporarily stop the firewall to test (not recommended in production environments):

systemctl stop firewalld
or, on ufw-based systems:
ufw disable

Step 3 Configure cloud platform security groups. The cloud provider's security group is a virtual firewall that is independent of the operating system and must be configured separately. For example, on AWS go to EC2 Console → Security Groups → Edit inbound rules and add rules:

Type: HTTP (80), HTTPS (443)
Source: 0.0.0.0/0 (or limited IP range)

Critical verification: ensure that the security group is actually bound to the target Hong Kong cloud server instance, and check whether a deny rule with a higher priority overrides the allow rule.

Step 4 Handle SELinux policy restrictions. SELinux may prevent Nginx from binding ports or accessing file resources:

Check the SELinux status

getenforce

Output Enforcing indicates that SELinux is enabled in enforcing mode.

Temporarily switch to permissive mode (test only)

setenforce 0

Permanently modify the policy. Allow Nginx to use ports 80/443:

semanage port -a -t http_port_t -p tcp 80
semanage port -a -t http_port_t -p tcp 443

On most distributions ports 80 and 443 are already included in http_port_t (check with semanage port -l | grep http_port_t), in which case -a reports that the port is already defined; adding a port is only needed for non-standard listen ports.

If Nginx needs to access a non-default directory (such as /data/html), fix the file context:

chcon -R -t httpd_sys_content_t /data/html

Note that labels set with chcon are lost on a filesystem relabel; for a persistent change, register the context with semanage fcontext -a -t httpd_sys_content_t "/data/html(/.*)?" and apply it with restorecon -Rv /data/html.

Step 5 Multi-tool priorities and conflict handling. When iptables is used together with ufw or firewalld, the order in which rules are loaded may cause conflicts:

ufw is essentially a front end to iptables; its rules are written into the iptables chains. Ensure that the ufw rules do not conflict with other manually added iptables rules. View the active rules:

iptables -L -n -v

firewalld manages iptables rules dynamically, so rules added by running the iptables command by hand may be overwritten when firewalld reloads. It is recommended to use firewalld for unified management.
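The layer-by-layer check in steps 1 to 5 can be scripted. The following is an added example, not code from the Jtti article: each function takes the text output of one of the article's own diagnostic commands (ss -tuln, iptables -S INPUT, semanage port -l) as an argument, so it runs on the constructed samples embedded below and, on a live host, on real output such as iptables_verdict 443 "$(iptables -S INPUT)". The iptables check walks the INPUT chain in order, which is exactly how a DROP placed above an ACCEPT by another tool produces the "unexpected blocking" described in step 5.

```shell
#!/bin/sh
# Added example, not from the Jtti article. Each check takes the text output of
# one of the article's diagnostic commands as an argument, so the logic runs on
# the constructed samples below or live, e.g. iptables_verdict 443 "$(iptables -S INPUT)".

# Layer 1 (service): does `ss -tuln` output show a TCP listener on port $1?
port_listening() {
    printf '%s\n' "$2" | grep -Eq "^tcp[[:space:]]+LISTEN.*:$1[[:space:]]"
}
# Layer 2 (local firewall): walk `iptables -S INPUT` top to bottom. The first
# rule naming --dport $1 wins (ACCEPT -> allowed, DROP/REJECT -> blocked); if
# no rule matches, the chain policy (-P INPUT ...) decides. Prints the verdict.
iptables_verdict() {
    port=$1; rules=$2; verdict=""
    policy=$(printf '%s\n' "$rules" | sed -n 's/^-P INPUT //p')
    while IFS= read -r rule; do
        case "$rule" in
            *"--dport $port "*"-j ACCEPT"*) verdict=allowed; break ;;
            *"--dport $port "*"-j DROP"*|*"--dport $port "*"-j REJECT"*)
                verdict=blocked; break ;;
        esac
    done <<EOF
$rules
EOF
    [ -n "$verdict" ] || { [ "$policy" = ACCEPT ] && verdict=allowed || verdict=blocked; }
    printf '%s\n' "$verdict"
}
# Layer 4 (SELinux): is tcp port $1 labelled http_port_t in `semanage port -l` output?
selinux_http_port() {
    printf '%s\n' "$2" | grep -E '^http_port_t[[:space:]]+tcp' | grep -Eq "[[:space:],]$1(,|\$)"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_SS='tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*'
# A DROP placed above an ACCEPT for 443: the ordering conflict that appears
# when ufw/firewalld-managed rules and hand-written iptables rules are mixed.
SAMPLE_IPT='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'
SAMPLE_SEMANAGE='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'
for p in 80 443; do
    port_listening "$p" "$SAMPLE_SS" && l=listening || l="not listening"
    selinux_http_port "$p" "$SAMPLE_SEMANAGE" && s=labelled || s=unlabelled
    printf 'port %s: nginx %s, iptables %s, selinux %s\n' "$p" "$l" "$(iptables_verdict "$p" "$SAMPLE_IPT")" "$s"
done
```

On the samples, port 80 passes all three layers while port 443 is reported as not listening and blocked by the earlier DROP rule, even though an ACCEPT for 443 exists further down the chain.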

In essence, a conflict between Nginx and the firewall is the result of several layers of network policy stacked on top of each other. From local iptables to cloud security groups, from SELinux to container networks, every layer can become an "invisible barrier" to traffic. Solving such problems requires a systematic troubleshooting approach: start from the service state, move through the local firewall, then the cloud policy, and finally the system security module. Only by verifying layer by layer and isolating each one precisely can smooth service be ensured in a complex architecture.
