Challenge, Medium,  on  LinuxNetworking

Protect an Unintentionally Exposed Server Port with Firewall Rules

In this challenge, an HTTP service is already running on port 8080 of the server machine. The problem? It's exposed to the entire network, and anyone can reach it, even though it was meant to be accessible only from the same machine.

Simple firewall setup visualized: a Linux server with a process listening on 0.0.0.0:8080 and a firewall rule blocking incoming traffic on port 8080 from external sources.

Your mission: protect the port using only firewall rules so that the service remains accessible for local clients but is blocked from external access.

Important: You must not stop, restart, or reconfigure the service itself. The service must keep running and listening on 0.0.0.0:8080 as is. The only thing you're allowed to change is the firewall configuration.

Objectives

Hint 1

Linux has built-in firewalling mechanisms:

  • iptables - the traditional packet filtering framework with a large ecosystem
  • nftables - a more modern and flexible successor to iptables, but also more complex

You can either use them directly or rely on a higher-level “frontend” tool:

  • ufw - a simple and relatively user-friendly firewall tool
  • firewalld - a more advanced tool designed for dynamic environments

Check the documentation for each tool to learn how to use them.

Hint 2

You need to block incoming traffic on port 8080 from external sources while still allowing connections from the server machine itself. To test the service is still accessible locally, you can use the following commands:

curl http://localhost:8080/
curl http://192.168.100.10:8080/

How to Author Challenges on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull challenge content

labctl content pull challenge linux-protect-ports

This will create a local copy of the challenge content in a directory named linux-protect-ports. You only need to do this once per challenge.

Stream your changes

labctl content push -fw challenge linux-protect-ports

Run this command in a separate terminal to continuously upload your changes to the server while editing the challenge in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start challenge