iptables redirect 80 to 8080 but block public 8080 access
One way I've found to accomplish this is to use the MARK target in the mangle table's PREROUTING chain.
Add a rule to tag the packets you want to block:
iptables -t mangle -A PREROUTING -p tcp --dport 8080 -j MARK --set-mark 1
Then, before you allow port 8080 add this to DROP marked packets:
iptables -A INPUT -m mark --mark 1 -j DROP
I handled this in a slightly different way. I forwarded 443 to 3000 (as above) but also forwarded 3000 to 443. I then allow traffic on 3000 but block it on 443. When filtering the 443 traffic should only be originally from port 3000.
I'm using ufw so the filter rules were entered using that tool. I added the nat rules in /etc/ufw/before.rules
.
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3000
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 3000 -j REDIRECT --to-ports 443