Linux Firewall with iptables Command

After proxying a service with Nginx, it’s always a good idea to block the service from direct remote access. For example, you have a tomcat server running on port 8080, and you’ve configured Nginx to proxy requests from port 80 to port 8080. The port 8080 should then be blocked from any host except localhost.

To do this on Linux, one of the ways is to just install iptables. On Ubuntu, issue the following commands to install and add rules:


# apt-get install iptables
# iptables -A INPUT -p tcp -s localhost --dport 8080 -j ACCEPT
# iptables -A INPUT -p tcp --dport 8080 -j DROP

There is not much to say about the installation. The two commands after that add rules. The first rule says that TCP packets from localhost (-s localhost) to port 8080 (--dport 8080) should be accepted (HTTP uses TCP). The second rule says that any TCP packets to port 8080 (--dport 8080) should be DROPped. These two rules may sound contradictory, but because the chain is checked sequentially and the first matching rule decides the packet's fate, it works fine: a packet from localhost hits ACCEPT first and never reaches the DROP rule.

To list existing rules:

# iptables -L -n -v

To flush out (delete) rules, just use the following commands:

# iptables -F

The rules added to iptables take effect immediately, but they do NOT persist across reboots. To achieve that, an easy way is to install another package called iptables-persistent as follows:

# apt-get install iptables-persistent
# iptables-save > /etc/iptables/rules.v4
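The steps above (add the ACCEPT rule, then the DROP rule, then save) can be wrapped so that re-running them does not append duplicate rules. The script below is an added example, not part of the original post: it generates the two rule specifications for a given port, uses iptables -C to check whether each rule already exists before appending it, and saves the result to the path the post uses. The port 8080 and the loopback interface match (-i lo instead of -s localhost, so the rule does not depend on name resolution) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Builds and applies the
# "allow loopback, drop everyone else" rules for a proxied service port
# idempotently. PORT=8080 is a constructed default.

PORT="${PORT:-8080}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# Print the rule specifications, one per line, in the order they must be
# evaluated: the ACCEPT for loopback has to come before the catch-all DROP.
# "-i lo" matches packets arriving on the loopback interface, which is what
# "-s localhost" resolves to in practice, without relying on /etc/hosts.
rules_for_port() {
    printf '%s\n' \
        "INPUT -p tcp -i lo --dport $1 -j ACCEPT" \
        "INPUT -p tcp --dport $1 -j DROP"
}

# Append each rule only if it is not already present. "iptables -C" exits 0
# when an identical rule exists, so repeated runs leave the chain unchanged.
# Note that -A appends: the rules land after anything already in INPUT.
apply_rules() {
    rules_for_port "$1" | while IFS= read -r spec; do
        # shellcheck disable=SC2086  # word-splitting of $spec is intended
        if ! iptables -C $spec 2>/dev/null; then
            iptables -A $spec
        fi
    done
}

# Show the resulting INPUT chain with packet counters, as the post does.
show_rules() {
    iptables -L INPUT -n -v
}

# Persist the current ruleset so iptables-persistent restores it on boot.
persist_rules() {
    iptables-save > "$RULES_FILE"
}

# Only touch the live firewall when explicitly asked (needs root).
if [ "${1:-}" = "apply" ]; then
    apply_rules "$PORT"
    show_rules
    persist_rules
fi
```

Run it as root with `sh block.sh apply` (set PORT to change the service port). Two caveats worth keeping in mind: iptables only filters IPv4, so if Tomcat also listens on an IPv6 socket the same two rules are needed via ip6tables and /etc/iptables/rules.v6; and because -A appends, an earlier rule in INPUT that already accepts port 8080 would take precedence, which `show_rules` makes visible.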

To learn more about iptables, I found these links pretty helpful:

Linux: 20 Iptables Examples For New SysAdmins

25 Most Frequently Used Linux IPTables Rules Examples


One Comment

  1. Posted April 29, 2016 at 4:26 am

    How to direct incoming traffic from a trusted network to a chain?

    -A FORWARD -i eth1 -o trusted-outside -j ACCEPT




    Me: Steve Jin, VMware vExpert who authored the VMware VI and vSphere SDK by Prentice Hall, and created the de facto open source vSphere Java API while working at VMware engineering. Companies like Cisco, EMC, NetApp, HP, Dell, VMware, are among the users of the API and other tools I developed for their products, internal IT orchestration, and test automation.