
TCP Port 8080: CLI Reference, Examples, and Troubleshooting

TCP port 8080 is the standard alternate HTTP port (IANA registered for web proxies and application servers), commonly assigned to Tomcat, Jenkins, and development web servers when port 80 is blocked or reserved.

# Open port 8080 in iptables (immediate, non-persistent)
sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

On Linux, opening port 8080 requires configuration at three layers: the application must bind to the port, firewall rules (iptables/ufw/firewalld) must permit inbound traffic, and SELinux/AppArmor policies may need adjustment. A typical use case is a private API endpoint behind a reverse proxy listening on 8080 internally. Commands below are tested on Ubuntu 22.04 with iptables v1.8.7 and UFW 0.36.1.

Syntax Reference

# Open port 8080 with UFW (persistent)
sudo ufw allow 8080/tcp

# Open port 8080 with firewalld (RHEL/CentOS 7+)
sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent
sudo firewall-cmd --reload

# List port 8080 listeners
sudo ss -tlnp | grep :8080
sudo netstat -tanpu | grep :8080

# Test connectivity to port 8080
nc -zv 192.168.1.100 8080
curl -v http://192.168.1.100:8080

Rapid Reference Cheat Sheet

| Action | CLI Command | Provider/Context | Key Flag | Impact/Result |
| --- | --- | --- | --- | --- |
| Open port (iptables) | sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT | Legacy Linux | --dport | Allows inbound TCP 8080 |
| Open port (UFW) | sudo ufw allow 8080/tcp | Ubuntu/Debian | allow | Adds persistent rule |
| Open port (firewalld) | sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent | RHEL/CentOS/Fedora | --add-port | Adds permanent rule |
| List listeners | sudo ss -tlnp \| grep :8080 | All Linux (modern) | -tlnp | Shows PID/program using port |
| Connectivity test | nc -zv target 8080 | All Linux | -zv | Reports port status |
| Delete iptables rule | sudo iptables -D INPUT -p tcp --dport 8080 -j ACCEPT | Legacy Linux | -D | Removes inline rule |
| Persist iptables | sudo iptables-save \| sudo tee /etc/iptables/rules.v4 | Debian/Ubuntu | N/A | Saves rules to file |

Advanced Implementation

When adding iptables rules for port 8080, the -p tcp flag restricts to TCP only; omitting it also applies to UDP. The --dport argument can take a port range (e.g., --dport 8080:8090). Combine with -m state --state NEW to only allow new connections:

sudo iptables -A INPUT -p tcp --dport 8080 -m state --state NEW -j ACCEPT

Because iptables evaluates rules in order and stops at the first match, the rule should be inserted early in the INPUT chain, ahead of any DROP or REJECT rule. Use -I INPUT 1 to place it at the top. IPv6 requires a parallel rule with ip6tables:

sudo ip6tables -A INPUT -p tcp --dport 8080 -j ACCEPT

On systems with firewalld, parameters like --zone define the network zone. --add-rich-rule allows specifying source addresses:

sudo firewall-cmd --zone=internal --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" port port="8080" protocol="tcp" accept' --permanent

Application listeners binding to port 8080 must be configured to listen on the correct interface. By default, most servers (Tomcat, Node.js) bind to 0.0.0.0:8080 or 127.0.0.1:8080. To accept external traffic, ensure it is not restricted to loopback. Check with:

sudo ss -tlnp | awk '/:8080/ {print $4}'

If the address is 127.0.0.1:8080, the application is only reachable locally; change the server configuration to 0.0.0.0 or the specific external IP.
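
The bind-address check above can be scripted. The following is an added example, not part of the original page: a hypothetical classify_listeners function reads ss -tln output and labels each listener on the port as loopback-only, all-interfaces, or single-address. The sample ss output is constructed.

```bash
#!/usr/bin/env bash
# Added example: classify listeners on a port by bind scope from `ss -tln` output.
# classify_listeners is a hypothetical helper; SAMPLE_SS is constructed sample output.

classify_listeners() {   # stdin: `ss -tln[p]` output; $1: port (default 8080)
  awk -v port="${1:-8080}" '
    $1 == "LISTEN" {
      # Field 4 is Local Address:Port; the port is whatever follows the last colon.
      n = split($4, parts, ":")
      if (parts[n] != port) next          # exact match, so :18080 is not taken for :8080
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./)
        scope = "loopback-only"           # reachable only from the host itself
      else if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
        scope = "all-interfaces"          # exposure now depends entirely on the firewall
      else
        scope = "single-address"          # bound to one specific interface address
      print addr, scope
    }'
}

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      100        127.0.0.1:8080       0.0.0.0:*     users:(("java",pid=1234,fd=45))
LISTEN 0      511          0.0.0.0:8080       0.0.0.0:*     users:(("node",pid=2222,fd=20))
LISTEN 0      128             [::]:8080          [::]:*     users:(("node",pid=2222,fd=21))
LISTEN 0      128         10.0.0.5:18080      0.0.0.0:*     users:(("python3",pid=3333,fd=3))
LISTEN 0      128         10.0.0.5:8080       0.0.0.0:*     users:(("nginx",pid=4444,fd=6))'

printf '%s\n' "$SAMPLE_SS" | classify_listeners 8080
```

On a live host, feed it real data with sudo ss -tlnp | classify_listeners 8080.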

Error Resolution & Troubleshooting

| Error Code/Signal | Root Cause | Remediation Command |
| --- | --- | --- |
| Connection refused | No application listening on port 8080, or firewall drops traffic before reaching the application. | sudo ss -tlnp \| grep :8080 and sudo iptables -L INPUT -v -n \| grep 8080 |
| Address already in use | Previous process (often Tomcat) still bound to port 8080. | sudo fuser -k 8080/tcp followed by restart |
| TIME_WAIT in netstat | Normal TCP state after connection close; not an error. | No remediation needed; sysctl net.ipv4.tcp_tw_reuse=1 reduces the wait when there are many connections |
| Permission denied | Port 8080 is not a privileged port, so a non-root user can bind to it, but SELinux may block the bind. | sudo setsebool -P httpd_can_network_connect 1 (for Apache contexts) or ausearch -m avc -ts recent \| grep 8080 |
| Connection timed out | Firewall or network route not passing traffic to the server. | traceroute -T -p 8080 TARGET and sudo iptables -nL to verify rules |
| Firewall rules not persistent after reboot | iptables rules not saved to a persistent file. | sudo iptables-save \| sudo tee /etc/iptables/rules.v4 (Debian/Ubuntu) or sudo service iptables save (RHEL 6) |

For a deep investigation pipeline:

# 1. Check listening process
sudo lsof -i :8080
# 2. Check firewall rules
sudo iptables -L -v -n | grep 8080
# 3. Verify with netcat from localhost
nc -zv localhost 8080
# 4. Check SELinux denials (if enabled)
sudo sealert -a /var/log/audit/audit.log | grep 8080
# 5. Monitor incoming packets
sudo tcpdump -i any port 8080 -c 10

Production-Grade Implementation

  • Least privilege: Use iptables rules that specify source IP ranges, e.g., -s 10.0.0.0/8, to restrict 8080 to internal networks. Avoid 0.0.0.0/0 unless proxied by a reverse proxy on port 443.
  • Persistence: On Debian/Ubuntu, enable iptables-persistent (sudo apt install iptables-persistent). On RHEL, use firewalld with --permanent flag.
  • Monitoring: Integrate port 8080 checks into Prometheus with blackbox_exporter module tcp_connect targeting server:8080. Alert on 5-second timeout.
  • Load balancing: When port 8080 is used behind a load balancer, set proxy_protocol or X-Forwarded-For headers. Avoid exposing raw 8080 to the internet.
  • Automation: Use Ansible firewalld module or Terraform null_resource with provisioner "remote-exec" to manage iptables rules via iptables -A. For cloud instances, use security groups instead of iptables.
  • Latency: Set net.core.rmem_default and net.core.wmem_default (e.g., 262144) and enable TCP Fast Open (net.ipv4.tcp_fastopen=3) on the host.
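
To check the least-privilege point against a ruleset, this added example (not from the original page) scans iptables -S INPUT output for TCP ACCEPT rules that cover port 8080, including port ranges and multiport lists, without a source restriction. The function name audit_open_rules and the sample ruleset are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag ACCEPT rules that open a TCP port to any source address.
# audit_open_rules is a hypothetical helper; SAMPLE_RULES is a constructed ruleset.

audit_open_rules() {   # stdin: `iptables -S INPUT` output; $1: port (default 8080)
  awk -v port="${1:-8080}" '
    # True when a --dport/--dports value (single port, A:B range, or comma list) covers port.
    function covers(spec,   i, n, items, r) {
      n = split(spec, items, ",")
      for (i = 1; i <= n; i++) {
        if (split(items[i], r, ":") == 2) {
          if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) return 1
        } else if (items[i] + 0 == port + 0) return 1
      }
      return 0
    }
    $1 == "-A" {
      src = ""; proto = ""; target = ""; hit = 0
      for (i = 3; i < NF; i++) {
        if ($i == "-s") src = $(i + 1)
        else if ($i == "-p") proto = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
        else if ($i == "--dport" || $i == "--dports") hit = covers($(i + 1))
      }
      # A rule with no -s matches every source, the same as an explicit 0.0.0.0/0.
      if (target == "ACCEPT" && proto == "tcp" && hit && (src == "" || src == "0.0.0.0/0"))
        print "UNRESTRICTED: " $0
    }'
}

# Constructed sample in `iptables -S INPUT` format (not taken from a real host).
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000:8090 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,443 -j ACCEPT
-A INPUT -p udp -m udp --dport 8080 -j ACCEPT'

printf '%s\n' "$SAMPLE_RULES" | audit_open_rules 8080
```

On a live host, run sudo iptables -S INPUT | audit_open_rules 8080; the range rule is flagged because 8000:8090 includes 8080 even though the port is never named.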

Frequently Asked Questions

What is the difference between ss -tlnp | grep :8080 and lsof -i :8080 for finding processes on port 8080?

Answer: ss queries the kernel directly for socket stats, making it faster than lsof, which lists all open files and provides more detail but incurs higher overhead. On production systems, prefer ss for performance.

# Fast check
ss -tlnp | grep :8080

# Detailed view (may require root)
lsof -i :8080

When should I use fuser 8080/tcp instead of netstat -tulpn | grep :8080?

Answer: Use fuser for quick PID retrieval and termination; use netstat for comprehensive protocol-level details. fuser 8080/tcp returns the PID directly, allowing immediate action like fuser -k 8080/tcp. netstat (or ss) gives protocol, state, and queue sizes.

# Get PID only
fuser 8080/tcp

# Kill process
fuser -k 8080/tcp

How do I fix the error “Error: listen tcp :8080: bind: address already in use”?

Answer: Identify and terminate the process occupying port 8080 using lsof -i :8080 or fuser 8080/tcp, then restart your service. If the port remains occupied, check for hidden services or use sudo.

# Find and kill the listening process (-sTCP:LISTEN skips clients that are only connected to port 8080)
lsof -t -iTCP:8080 -sTCP:LISTEN | xargs -r kill -9

# Or using fuser
sudo fuser -k 8080/tcp

Does the ss -tlnp command work uniformly across all Linux distributions and cloud instances?

Answer: Yes, ss is available in the default repositories of all major Linux distros and works identically across any cloud VM (AWS, Azure, GCP). The iproute2 package is pre-installed on modern distributions.

# Verify ss availability
ss --version

# Check port 8080 on any Linux-based cloud instance
sudo ss -tlnp | grep :8080

What is the fastest way to confirm if TCP port 8080 is open and reachable from a remote host using a single command?

Answer: nc -zv <target> 8080 (Netcat) performs a TCP handshake and reports success/failure immediately. The -z flag scans without sending data; -v provides verbose output. For scripts, combine with -w 2 for a 2-second timeout.

# Quick one-liner
nc -zv example.com 8080

# With timeout
nc -zv -w 2 10.0.0.1 8080