Currently I have an application that is running on port 8080, front-ended by mod_proxy.

    <Location /hudson>
            Order allow,deny
            Allow from all
            ProxyPass http://localhost:8080/hudson
            ProxyPassReverse http://localhost:8080/hudson
    </Location>

I need to block TCP 8080, but not for localhost. How can this be done with iptables?

Joey BagODonuts

3 Answers

This would work:

# drop TCP/8080 from every source address except 127.0.0.1
iptables -A INPUT ! -s 127.0.0.1 -p tcp -m tcp --dport 8080 -j DROP
Pratik Amin

You could try the following:

# accept all TCP on port 8080 from localhost
iptables -I INPUT 1 -i lo -p tcp --dport 8080 -j ACCEPT

# [...] all your other rules
# drop all other packets
iptables -A INPUT -j DROP

If you also want to allow one (or more) external/other IPs, you can use this:

# accept TCP on port 8080 from allowed_ip
iptables -I INPUT 3 -i eth0 -p tcp --dport 8080 -s allowed_ip -j ACCEPT

Let me know how it goes :)

Zoredache
Joshua D'Alton
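The two iptables answers above rely on rule order (the loopback ACCEPT must be evaluated before the DROP) and differ in how they identify "localhost": `! -s 127.0.0.1` matches a single address, while `-i lo` matches the loopback interface, which covers all of 127.0.0.0/8 and cannot be satisfied by a packet carrying a forged 127.0.0.1 source on the public interface. Neither rule touches IPv6; if the backend also listens on `::`, the equivalent rule has to be added with ip6tables. The script below is an added example, not code from the question or from either answer: it generates the rules in iptables-restore(8) format so the ordering is explicit, and checks that ordering before anything is loaded. The interface name `eth0` and the allowed address 203.0.113.5 are placeholders; nothing in the script modifies a live firewall.

```shell
#!/bin/sh
# Added example, not code from the question or from either answer above.
# Emit the filter-table rules that let only loopback (plus any listed hosts)
# reach TCP port $1, in iptables-restore(8) format so the order is explicit
# and the table is loaded in one step. Assumptions: the public interface is
# eth0, and the allowed addresses are placeholders the caller passes in.
# Nothing here modifies a live firewall.

# gen_port_rules PORT [ALLOWED_IP ...]
gen_port_rules() {
    port=$1
    shift
    printf '%s\n' '*filter'
    # Match the loopback interface rather than -s 127.0.0.1: a forged
    # 127.0.0.1 source arriving on eth0 does not match -i lo, and all of
    # 127.0.0.0/8 is covered, not just one address.
    printf '%s\n' "-A INPUT -i lo -p tcp -m tcp --dport $port -j ACCEPT"
    for ip in "$@"; do
        # Each extra host gets its own ACCEPT ahead of the catch-all DROP.
        printf '%s\n' "-A INPUT -i eth0 -s $ip -p tcp -m tcp --dport $port -j ACCEPT"
    done
    # Everything else aimed at the port is dropped. Because the lines are
    # appended in this order, the ACCEPTs always sit above the DROP.
    printf '%s\n' "-A INPUT -p tcp -m tcp --dport $port -j DROP"
    printf '%s\n' 'COMMIT'
}

# check_order RULESET: succeed only when the loopback ACCEPT precedes the
# DROP; iptables evaluates INPUT top-down, so the reverse order would cut
# mod_proxy off from the backend.
check_order() {
    printf '%s\n' "$1" | awk '
        /-i lo .* -j ACCEPT/ && !acc  { acc = NR }
        / -j DROP/ && !drop           { drop = NR }
        END { exit !(acc && drop && acc < drop) }'
}

# Print the ruleset. To load it for real, parse it first without committing:
#   gen_port_rules 8080 203.0.113.5 | iptables-restore --test
# then feed the same output to "iptables-restore -n" (-n appends to the
# existing chains; without it the whole filter table is replaced).
ruleset=$(gen_port_rules 8080 203.0.113.5)
printf '%s\n' "$ruleset"
check_order "$ruleset" && echo "order check: ok"
```

The DROP is deliberately scoped to the port rather than being a chain-wide `-A INPUT -j DROP`, so loading the fragment with `-n` does not cut off SSH or established connections that other rules handle.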

Another approach: in the server listening on 8080, bind only to localhost. For Apache it looks like the following:

Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
...
</VirtualHost>
rvs
  • Good answer. However, he might want to have other virtual hosts listen on the net IP. – Joshua D'Alton Mar 18 '11 at 07:08
  • Yep, this would not work for all cases, but when you only need to connect from localhost and nothing else, it's better to listen on 127.0.0.1 and not have any iptables rules at all (especially for highly loaded machines). – rvs Mar 18 '11 at 07:51
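Binding the backend to 127.0.0.1 removes the need for a firewall rule, but it has to be verified: `Listen 127.0.0.1:8080` only affects the IPv4 socket, and whatever actually serves 8080 (in the question that is Hudson, not Apache) must be told to bind loopback in its own configuration. The check below is an added example, not code from the answer or from Hudson or Apache. It reads `ss -ltn`/`netstat -ltn` style lines from stdin and reports every non-loopback address listening on the port; the two listings it runs against are constructed samples, with the first one showing the common failure where IPv4 is bound to 127.0.0.1 while a second listener on the IPv6 wildcard still exposes the port.

```shell
#!/bin/sh
# Added example, not from any answer above: confirm from a socket listing
# that a port is bound only to loopback. Reads "ss -ltn"/"netstat -ltn"
# style lines on stdin, so it works on the live output
# (ss -ltnH | exposed_listeners 8080) and on the constructed samples below.

# exposed_listeners PORT: print every non-loopback local address that is
# listening on PORT; exit 0 when none is exposed, 1 otherwise.
exposed_listeners() {
    port=$1
    awk -v port="$port" '
        {
            # The local socket is printed as ADDRESS:PORT; the address may be
            # IPv4, bracketed IPv6, or a wildcard (0.0.0.0, *, [::]). The peer
            # column ends in ":*" and therefore never matches the port.
            for (i = 1; i <= NF; i++) {
                if ($i ~ (":" port "$")) {
                    addr = $i
                    sub((":" port "$"), "", addr)
                    if (addr !~ /^127\./ && addr != "[::1]") {
                        print addr
                        exposed = 1
                    }
                }
            }
        }
        END { exit exposed ? 1 : 0 }'
}

# Constructed sample: IPv4 is bound to loopback as the answer suggests, but a
# second listener on the IPv6 wildcard still exposes 8080 to the network.
SAMPLE_MIXED='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*'

# Constructed sample: both address families bound to loopback only.
SAMPLE_LOOPBACK='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 [::1]:8080 [::]:*'

printf '%s\n' "$SAMPLE_MIXED" | exposed_listeners 8080 || echo "8080 is exposed on the address above"
printf '%s\n' "$SAMPLE_LOOPBACK" | exposed_listeners 8080 && echo "8080 is loopback-only"
```

Run it on a real host as `ss -ltnH | exposed_listeners 8080` after restarting the service; a non-zero exit means the port is still reachable from the network and the iptables rules from the other answers are still needed.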