Wget, Curl, Yum Fail but Ping works - CentOS 5
We currently have three webservers.
Servers one and two behave, but I'm having real problems with the third.
wget, curl and yum all fail to make their connections - that is, they all hang after resolving the host and attempting a connection.
Example (I have tried many different urls):
# wget http://rpm.pbone.net/index.php3/stat/4/idpl/13941547/dir/centos_5/com/httpd-2.2.3-43.el5.centos.i386.rpm.html
--2010-09-02 20:00:26-- http://rpm.pbone.net/index.php3/stat/4/idpl/13941547/dir/centos_5/com/httpd-2.2.3-43.el5.centos.i386.rpm.html
Resolving rpm.pbone.net... 85.14.85.4
Connecting to rpm.pbone.net|85.14.85.4|:80...
... hang
# curl -v http://rpm.pbone.net/index.php3/stat/4/idpl/13941547/dir/centos_5/com/httpd-2.2.3-43.el5.centos.i386.rpm.html
* About to connect() to rpm.pbone.net port 80
* Trying 85.14.85.4...
... hang
# yum -d9 update
Loading "fastestmirror" plugin
Config time: 0.052
Running "init" handler for "fastestmirror" plugin
Yum Version: 3.2.22
COMMAND: yum -d9 update
Installroot: /
Setting up Package Sacks
Running "postreposetup" handler for "fastestmirror" plugin
Loading mirror speeds from cached hostfile
... hang
but:
# ping rpm.pbone.net
PING gepard.pbone.net (85.14.85.4) 56(84) bytes of data.
64 bytes from gepard.pbone.net (85.14.85.4): icmp_seq=1 ttl=49 time=449 ms
64 bytes from gepard.pbone.net (85.14.85.4): icmp_seq=2 ttl=49 time=448 ms
64 bytes from gepard.pbone.net (85.14.85.4): icmp_seq=3 ttl=49 time=444 ms
64 bytes from gepard.pbone.net (85.14.85.4): icmp_seq=4 ttl=49 time=445 ms
64 bytes from gepard.pbone.net (85.14.85.4): icmp_seq=5 ttl=49 time=457 ms
I'm far from a server expert. Does anyone have any pointers on where to start solving this?
EDIT:
# netstat -lan | egrep LISTEN
tcp 0 0 0.0.0.0:941 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 :::80 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
unix 2 [ ACC ] STREAM LISTENING 7451 /tmp/.font-unix/fs7100
unix 2 [ ACC ] STREAM LISTENING 7678 @/tmp/fam-root-
unix 2 [ ACC ] STREAM LISTENING 5824 @/var/run/hald/dbus-3hUBzR5e9e
unix 2 [ ACC ] STREAM LISTENING 5087 /var/run/audispd_events
unix 2 [ ACC ] STREAM LISTENING 5825 @/var/run/hald/dbus-rDLe61j4bM
unix 2 [ ACC ] STREAM LISTENING 5545 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 5616 /var/run/sdp
unix 2 [ ACC ] STREAM LISTENING 5749 /var/run/pcscd.comm
unix 2 [ ACC ] STREAM LISTENING 5782 /var/run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 7075 /var/run/cups/cups.sock
unix 2 [ ACC ] STREAM LISTENING 7585 /var/run/avahi-daemon/socket
unix 2 [ ACC ] STREAM LISTENING 7389 /dev/gpmctl
# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
You have firewall rules in place that are blocking port 80 outbound, or refusing the reciprocal inbound response. These can be software firewall rules which may be blocking port 80 specifically or all of TCP (PING is ICMP); check with iptables -L, as ErikA pointed out above.
It could also be a hardware firewall issue - is the server behind a Cisco firewall? Consult your local sysadmin. If you can curl from other machines, they have :80 open. It's also possible, but unlikely, that they're blocking you on their side, but if you can't curl anything (even google), it's your side.
Well, ping uses ICMP, whereas all of those HTTP clients use TCP port 80. Could that be blocked between your source and destination?
How would I check that something is listening on port 80, and that there are no firewall rules that would block traffic to port 80 from the IP I'm testing from?
- netstat -anp
- iptables -vL
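
An added example, not part of the original thread: a small Python 3 probe that classifies how an outbound TCP connection ends, so a silent drop (the hang shown in the wget and curl output) can be told apart from an active reject such as the icmp-host-prohibited rule in the posted ruleset, which fails immediately instead of hanging. It assumes Python 3 is available on the host; the function names and outcome labels are this example's own.

```python
import errno
import socket
import sys

# Outcome labels are this example's own, not output from wget, curl or yum.
MEANING = {
    "open": "handshake completed; TCP to this port is allowed both ways",
    "refused": "RST received; the path works but nothing listens on that port",
    "rejected": "ICMP unreachable/prohibited (or no route); typical of a REJECT rule",
    "filtered": "no reply before the timeout; SYN or SYN/ACK is silently dropped",
}

def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP handshake and classify how it ended."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "rejected"
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()

def explain(outcome):
    """Return the human-readable meaning of a probe_tcp() outcome."""
    return MEANING.get(outcome, "unexpected socket error: " + outcome)

if __name__ == "__main__":
    # Usage: probe.py HOST:PORT [HOST:PORT ...]
    # Probing several destinations and ports from the affected server and from a
    # working one shows whether the drop is per-port, per-destination or host-wide.
    for target in sys.argv[1:]:
        host, _, port = target.rpartition(":")
        outcome = probe_tcp(host, int(port))
        print("%-24s %-10s %s" % (target, outcome, explain(outcome)))
```

If port 80 is "filtered" to every destination while port 22 or 443 is not, the filtering is port-specific and most likely sits on a device upstream of the server, since the posted OUTPUT chain has policy ACCEPT and no rules.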