After proxying a service with Nginx, it’s always a good idea to block the service from direct remote access. For example, you have a Tomcat server running on port 8080, and you’ve configured Nginx to proxy requests from port 80 to port 8080. Port 8080 should then be blocked from any host except localhost.
To do this on Linux, one way is to install iptables. On Ubuntu, issue the following commands to install it and add the rules:
# apt-get install iptables
# iptables -A INPUT -p tcp -s localhost --dport 8080 -j ACCEPT
# iptables -A INPUT -p tcp --dport 8080 -j DROP
There is not much to say about the installation. The two commands after it add rules. The first rule says that IP packets from localhost (-s localhost) to port 8080 (--dport 8080) over TCP (HTTP uses TCP) should be accepted. The second rule says that any TCP packets to port 8080 (--dport 8080) should be DROPped. These two rules may seem to contradict each other, but because rules are checked sequentially and a packet is handled by the first rule it matches, it works fine.
To list existing rules:
# iptables -L -n -v
To flush out (delete) the rules, just use the following command:
# iptables -F
The rules added to iptables take effect immediately, but they do NOT persist across a reboot. To achieve that, an easy way is to install another package called iptables-persistent and save the current rules as follows:
# apt-get install iptables-persistent
# iptables-save > /etc/iptables/rules.v4
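Because the result depends on rule order, it is worth checking the saved ruleset before relying on it. The following script is an added example, not part of the original post: check_port_order and verdict are hypothetical helper names, and the sample rulesets are constructed in iptables-save format.

```shell
#!/bin/sh
# check_port_order PORT: reads iptables-save text on stdin (hypothetical helper).
# Exit 0: loopback ACCEPT precedes the catch-all DROP for PORT.
# Exit 1: no catch-all DROP, so the port is still reachable remotely.
# Exit 2: ACCEPT missing or placed after the DROP, so the local proxy is cut off.
check_port_order() {
    awk -v port="$1" '
        $1 == "-A" && $2 == "INPUT" {
            proto = ""; dport = ""; src = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--dport") dport  = $(i + 1)
                if ($i == "-s")      src    = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            # Ignore rules that are not TCP rules for the requested port.
            if (proto != "tcp" || dport != port) next
            n++
            if (target == "ACCEPT" && src ~ /^127\./ && !accept_at) accept_at = n
            if (target == "DROP" && src == "" && !drop_at) drop_at = n
        }
        END {
            if (!drop_at) exit 1
            if (!accept_at || accept_at > drop_at) exit 2
        }
    '
}

# verdict RULES PORT: print a one-word result for a ruleset held in a variable.
verdict() {
    rc=0
    printf '%s\n' "$1" | check_port_order "$2" || rc=$?
    case $rc in
        0) echo ok ;;
        1) echo exposed ;;
        *) echo proxy-blocked ;;
    esac
}

# Constructed samples in iptables-save format (not captured from a real host).
ACCEPT_RULE='-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j ACCEPT'
DROP_RULE='-A INPUT -p tcp -m tcp --dport 8080 -j DROP'
GOOD_RULES=$(printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' "$ACCEPT_RULE" "$DROP_RULE" COMMIT)
REVERSED_RULES=$(printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' "$DROP_RULE" "$ACCEPT_RULE" COMMIT)
NO_DROP_RULES=$(printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' "$ACCEPT_RULE" COMMIT)

verdict "$GOOD_RULES" 8080       # ok
verdict "$REVERSED_RULES" 8080   # proxy-blocked
```

On a real host, pipe the output of iptables-save (run as root) or the contents of /etc/iptables/rules.v4 into check_port_order 8080. It reads only the IPv4 ruleset used on this page.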
To learn more about iptables, I found these links pretty helpful: