We have one of our websites up and running on our Nautilus infrastructure in Stratos DC. Our security team has raised a concern that Apache's port, i.e. 5002, is currently open to everyone, since there is no firewall installed on these hosts. So we have decided to add a security layer to these hosts, and after discussions and recommendations we have come up with the following requirements:

Tasks:
1. Install iptables and all its dependencies on each app host.
2. Block incoming port 5002 on all apps for everyone except for LBR host.
3. Make sure the rules remain, even after system reboot.

ssh tony@stapp01
sudo dnf install iptables-services -y

ss -tuln | grep 5002   # or: netstat -tulpn | grep 5002
tcp   LISTEN 0      511          0.0.0.0:5002       0.0.0.0:*
# 0.0.0.0:5002 means Apache is listening on all interfaces, and with no firewall
# in place anyone who can reach the host can connect to it

# Check whether any iptables rules are already in place (listing needs root)
sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION-STAGE-1  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0 

# Check whether the iptables service is running; if not, start it and enable it
# so that it (and the rules we save below) come back after a reboot (task 3):
systemctl status iptables
○ iptables.service - IPv4 firewall with iptables
     Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; preset: disabled)
     Active: inactive (dead)

sudo systemctl restart iptables
systemctl status iptables
● iptables.service - IPv4 firewall with iptables
     Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; preset: disabled)
     Active: active (exited) since Thu 2025-09-04 14:58:18 UTC; 3min 39s ago
sudo systemctl enable iptables   # start on boot, so the saved rules are reloaded

# Allow the LBR host first: insert at position 1 so this rule is evaluated
# before any REJECT rule. Order matters: iptables stops at the first match.
sudo iptables -I INPUT 1 -p tcp -s 172.16.238.14 --dport 5002 -j ACCEPT
sudo service iptables save

# Block everyone else on 5002. With the default iptables-services rule set,
# position 6 lands this rule after the ACCEPT above and the default allows
# (established, icmp, lo, ssh) and just before the service's catch-all REJECT.
sudo iptables -I INPUT 6 -p tcp --dport 5002 -j REJECT
sudo service iptables save   # writes /etc/sysconfig/iptables, reloaded on boot

Repeat the process on stapp02 and stapp03. Then verify that the apps are still reachable from the LBR host: ssh to stlb01 as user loki and run telnet against each app, e.g.:
telnet stapp01 5002
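The per-host steps above, as an added example script that is not part of the original write-up. It applies the two rules idempotently (using iptables -C before each insert, so re-running on a host is safe), saves them, and then checks the one thing that silently breaks this task: the LBR ACCEPT rule must sit above the port REJECT rule. The check reads iptables -S INPUT output, so it can also be run offline against a constructed sample. It assumes the LBR address and port from the task, iptables-services installed (so service iptables save works), and that apply and verify are run as root; unlike the write-up it inserts the REJECT at position 2, directly under the ACCEPT, rather than at a hard-coded 6.

```shell
#!/bin/sh
# Added example, not from the original write-up. Assumes LBR_IP and APP_PORT
# as given in the task, iptables-services installed, and root for apply/verify.

LBR_IP=172.16.238.14
APP_PORT=5002

# Rule specs shared by 'iptables -C' (exists?) and 'iptables -I' (insert).
allow_spec() { echo "-p tcp -s $LBR_IP --dport $APP_PORT -j ACCEPT"; }
deny_spec()  { echo "-p tcp --dport $APP_PORT -j REJECT"; }

# verify_order: reads 'iptables -S INPUT' output on stdin.
# Exit status: 0 = LBR ACCEPT precedes the port REJECT (correct),
#              1 = one of the two rules is missing,
#              2 = both present but REJECT comes first (LBR would be blocked).
verify_order() {
    allow_at=0; deny_at=0; n=0
    # iptables -S prints the source as a /32 and leaves a space after the port,
    # so "--dport 5002 " does not match e.g. --dport 50020.
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            *"-s $LBR_IP/32 "*"--dport $APP_PORT "*"-j ACCEPT"*)
                if [ "$allow_at" -eq 0 ]; then allow_at=$n; fi ;;
            *"--dport $APP_PORT "*"-j REJECT"*)
                if [ "$deny_at" -eq 0 ]; then deny_at=$n; fi ;;
        esac
    done
    if [ "$allow_at" -eq 0 ] || [ "$deny_at" -eq 0 ]; then
        echo "verify_order: missing rule (allow=$allow_at deny=$deny_at)" >&2
        return 1
    fi
    if [ "$allow_at" -gt "$deny_at" ]; then
        echo "verify_order: REJECT (line $deny_at) precedes ACCEPT (line $allow_at)" >&2
        return 2
    fi
    return 0
}

# apply_rules: the write-up's steps, safe to re-run. Must run as root.
apply_rules() {
    # Allow the LBR first (position 1) so it is matched before any REJECT.
    iptables -C INPUT $(allow_spec) 2>/dev/null || iptables -I INPUT 1 $(allow_spec)
    # Reject everyone else on the port, directly below the allow rule
    # (position 2), so the placement does not depend on the default rule set.
    iptables -C INPUT $(deny_spec) 2>/dev/null || iptables -I INPUT 2 $(deny_spec)
    service iptables save          # persist to /etc/sysconfig/iptables (task 3)
    iptables -S INPUT | verify_order
}

# Constructed sample of 'iptables -S INPUT' after a correct apply (not captured
# from a real host), used for an offline self-check.
SAMPLE_GOOD='-P INPUT ACCEPT
-A INPUT -s 172.16.238.14/32 -p tcp -m tcp --dport 5002 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5002 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

case "${1:-}" in
    apply)    apply_rules ;;
    verify)   iptables -S INPUT | verify_order && echo "rule order OK" ;;
    selftest) printf '%s\n' "$SAMPLE_GOOD" | verify_order && echo "selftest OK" ;;
esac
```

Run it as sudo sh fw.sh apply on each app host, then sudo sh fw.sh verify. From stlb01 as loki, telnet stapp01 5002 should connect; from any other host the REJECT answers with an ICMP port-unreachable, so telnet reports "Connection refused" immediately instead of hanging, which is the quickest way to tell a working REJECT from an open port.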