I don't know much about web servers or HAProxy, but I can give you some IPtables advice and then answer your question.
- IPtables reads the rules top-down and stops reading the rules when it reaches a DROP, REJECT, or ACCEPT.
- IPtables is case-sensitive. `Accept` is not the same as `ACCEPT`.
- The IPtables policy (`-P`) is used when no other rule in the table applies to a given packet.
- Make sure when you are adding new IPtables rules, you are flushing the old ones out by entering `iptables -t filter -F` and then `iptables -t filter -X`. These two commands will flush the filter table (default table) and also clear out any subchains in the table.
- Make sure rules on the clients are reflected on the host and make sure rules on the host are reflected on the clients.
To answer your question...
First, try completely flushing your firewall by running these commands to flush all of the tables in IPtables:
iptables -t raw -F
iptables -t mangle -F
iptables -t nat -F
iptables -t filter -F
iptables -t raw -X
iptables -t mangle -X
iptables -t nat -X
iptables -t filter -X
Then make sure no other firewall is running.
CentOS/Fedora/RHEL:
systemctl stop firewalld
Debian/Ubuntu:
systemctl stop ufw
Then, do some testing. Does HAProxy work? If it does work, your problem is the firewall. If it does not work, then you need to revise your IPtables rules. Maybe start by making your IPtables rules as non-specific as possible and then become more and more specific. Here are my recommendations to start off on:
Make sure loopback traffic is enabled on the server. Loopback traffic never leaves the server:
iptables -t filter -A INPUT -i lo -j ACCEPT
Try whitelisting the IP of the HAProxy server instead of the port:
iptables -t filter -A INPUT -s ${HAPROXY_IP} -j ACCEPT
Allow `ESTABLISHED` and `RELATED` connections:
iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
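Added example, not part of the original answer: a small POSIX shell script that renders the three recommended INPUT rules in the order given above and audits an `iptables -S INPUT` dump for rules placed after a catch-all `DROP`/`REJECT`/`ACCEPT`, which the top-down evaluation described in the first bullet makes unreachable. It refuses to render when the HAProxy address is missing or malformed, because `-s ${HAPROXY_IP}` with an empty variable silently produces a broken command. The HAProxy address and the chain dump are constructed sample values; nothing here needs root, since the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example (not from the original answer). Renders the answer's INPUT
# rules as text and audits a chain dump for unreachable rules.
# Assumption: HAPROXY_IP is the address of the HAProxy host (constructed below).
set -u

# Return 0 for a dotted-quad IPv4 address with each octet in 0..255, else 1.
valid_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit the three rules from the answer (loopback, HAProxy whitelist, conntrack)
# in that order. Fails closed on a missing or malformed HAProxy address so that
# "-s" is never emitted with an empty argument.
render_rules() {
    haproxy_ip=${1:-}
    if ! valid_ipv4 "$haproxy_ip"; then
        echo "render_rules: bad HAProxy IP '$haproxy_ip'" >&2
        return 1
    fi
    cat <<EOF
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -s ${haproxy_ip} -j ACCEPT
iptables -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Read "iptables -S <chain>" output on stdin and print every -A rule that sits
# after a catch-all terminal rule: a rule whose only content is -j DROP,
# -j ACCEPT or -j REJECT (optionally with --reject-with). Because iptables stops
# at the first terminal match, every later rule in that chain is dead and
# usually indicates an ordering mistake.
find_unreachable() {
    awk '
        /^-A / {
            line = $0
            if (shadowed) { print "UNREACHABLE: " line; next }
            # Drop "-A <chain> " so only the match criteria and target remain.
            sub(/^-A [^ ]+ */, "", line)
            if (line ~ /^-j (DROP|ACCEPT)$/ || line ~ /^-j REJECT( --reject-with [^ ]+)?$/) {
                shadowed = 1
            }
        }'
}

# Constructed sample: a chain where a blanket DROP was appended before the
# whitelist and conntrack rules, so the last two rules can never match.
SAMPLE_CHAIN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A INPUT -s 10.0.0.5/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Constructed value standing in for the real HAProxy host address.
HAPROXY_IP=10.0.0.5

echo "# Rules to apply, in order:"
render_rules "$HAPROXY_IP"
echo "# Audit of the sample chain:"
printf '%s\n' "$SAMPLE_CHAIN" | find_unreachable
```

To audit a live host, replace the sample with `iptables -S INPUT | find_unreachable`; a clean chain prints nothing.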