Looking at your setup, I can see you're running a Python web server that's correctly listening on port 8080 (as shown by your netstat output), but the traffic isn't getting through your firewall. Your iptables configuration shows some interesting details:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target               prot opt in   out  source     destination
   49  3388 ACCEPT               tcp  --  eth0 *    0.0.0.0/0  0.0.0.0/0    tcp dpt:8080
  25M 3736M RH-Firewall-1-INPUT  all  --  *    *    0.0.0.0/0  0.0.0.0/0
The issue is that your custom RH-Firewall-1-INPUT chain has a final REJECT rule that's blocking all traffic not explicitly allowed earlier in the chain. While you've added a rule to allow port 8080, it's in the wrong place - it's in the main INPUT chain, not the RH-Firewall-1-INPUT chain where it needs to be.
Here's how to correctly add the rule:
# First, insert the rule at the right position in RH-Firewall-1-INPUT
sudo iptables -I RH-Firewall-1-INPUT 7 -p tcp --dport 8080 -j ACCEPT
# Save the rules (this varies by distribution)
# For RHEL/CentOS:
sudo service iptables save
# For Ubuntu/Debian:
sudo iptables-save > /etc/iptables.rules
After adding the rule, verify it appears in the correct position:
sudo iptables -vnL RH-Firewall-1-INPUT --line-numbers
You should see your new rule before the final REJECT rule in the chain.
For more complex setups, you might want to:
# Allow only from specific IP range
sudo iptables -I RH-Firewall-1-INPUT 7 -s 192.168.1.0/24 -p tcp --dport 8080 -j ACCEPT
# Allow both IPv4 and IPv6
sudo ip6tables -I RH-Firewall-1-INPUT 7 -p tcp --dport 8080 -j ACCEPT
If it still doesn't work:
- Check SELinux:
sudo setsebool -P httpd_can_network_connect 1
- Verify the Python app is binding to 0.0.0.0 (not 127.0.0.1)
- Test locally first:
curl http://localhost:8080
For production servers, consider:
# Rate limiting to prevent abuse
sudo iptables -I RH-Firewall-1-INPUT 7 -p tcp --dport 8080 -m connlimit --connlimit-above 50 -j REJECT
# Logging dropped packets for debugging
sudo iptables -I INPUT -p tcp --dport 8080 -j LOG --log-prefix "Port8080 "
From your netstat output, we can see your Python application is correctly listening on port 8080:
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 18209/python
The issue lies in the firewall configuration. Your iptables rules show that while you've added a rule for port 8080 in the INPUT chain, it's not properly integrated with your firewall structure.
Your server appears to be using a custom chain called RH-Firewall-1-INPUT, which is referenced from the main INPUT chain. The current rule you added:
/sbin/iptables -A RH-Firewall-1-INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
This might not be working because:
- The rule is added at the end of the chain, after the REJECT rule
- It's specific to eth0 interface which might not be your active interface
- The chain processing stops at the first matching rule
Here's the correct way to open port 8080:
# Add the rule to the custom firewall chain before the reject rule
/sbin/iptables -I RH-Firewall-1-INPUT 8 -p tcp --dport 8080 -j ACCEPT
# Alternative: Add to main INPUT chain (works in most cases)
/sbin/iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
# Make sure the rule is properly ordered
/sbin/iptables -L RH-Firewall-1-INPUT --line-numbers
After adding the rule:
# Check if the rule exists
iptables -L RH-Firewall-1-INPUT -n | grep 8080
# Test connectivity
curl -v http://localhost:8080
telnet your-server-ip 8080
On CentOS/RHEL systems:
service iptables save
# Or
/etc/init.d/iptables save
For other distributions, you may need to:
iptables-save > /etc/sysconfig/iptables
If it's still not working:
# Check if SELinux is blocking the port
getsebool -a | grep httpd
setsebool -P httpd_can_network_connect 1
# Verify network interface
ip addr show
Here's a full example of opening port 8080 for a Python web application:
# Allow incoming TCP connections on port 8080
iptables -I INPUT 5 -p tcp --dport 8080 -m state --state NEW -j ACCEPT
# If using a custom chain like yours
iptables -I RH-Firewall-1-INPUT 8 -p tcp --dport 8080 -m state --state NEW -j ACCEPT
# Save rules
service iptables save
# Restart iptables
service iptables restart
Remember to test your application both locally and remotely to verify the port is properly accessible.
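Both answers above insert the ACCEPT rule at a guessed position (7 or 8) so that it lands ahead of the chain's final REJECT. The following POSIX shell script is an added example, not code from either answer: it derives the position from the chain listing itself and refuses to add a duplicate. The listing is a constructed sample, and the function names and the use of `-m state --state NEW` are my own choices.

```shell
#!/bin/sh
# Added example: locate the first REJECT/DROP rule in a chain listing and insert
# the ACCEPT rule at that position instead of relying on a hard-coded 7 or 8.

# Constructed sample of `iptables -nL RH-Firewall-1-INPUT --line-numbers` output.
SAMPLE_LISTING='Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Read a listing on stdin; print the number of the first REJECT/DROP rule (nothing if none).
first_terminal_rule() {
  awk '$1 ~ /^[0-9]+$/ && ($2 == "REJECT" || $2 == "DROP") { print $1; exit }'
}

# Read a listing on stdin; succeed only if an ACCEPT for tcp dpt:PORT precedes the first REJECT/DROP.
port_already_open() {
  awk -v port="$1" '
    BEGIN { re = "tcp dpt:" port "([^0-9]|$)" }   # exact port: dpt:22 must not match port 2
    $1 ~ /^[0-9]+$/ && ($2 == "REJECT" || $2 == "DROP") { exit }
    $1 ~ /^[0-9]+$/ && $2 == "ACCEPT" && $0 ~ re { found = 1; exit }
    END { exit found ? 0 : 1 }'
}

# Insert (as root) an ACCEPT for PORT into CHAIN just before its first REJECT/DROP rule,
# or append it if the chain has no terminal rule. Skips ports that are already open.
open_port_before_reject() {
  chain="$1"; port="$2"
  listing=$(iptables -nL "$chain" --line-numbers) || return 1
  if printf '%s\n' "$listing" | port_already_open "$port"; then
    echo "tcp/$port already accepted in $chain"; return 0
  fi
  pos=$(printf '%s\n' "$listing" | first_terminal_rule)
  if [ -n "$pos" ]; then
    iptables -I "$chain" "$pos" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  else
    iptables -A "$chain" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
  fi
  iptables -nL "$chain" --line-numbers   # show the result so the ordering can be checked
}

# Usage on the server (as root): open_port_before_reject RH-Firewall-1-INPUT 8080
```

Run the listing through `port_already_open` and `first_terminal_rule` on the sample to see the logic without touching a live firewall; the rule is still saved afterwards as the answers describe.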