A couple of days ago I discovered how easy iptables is to use.
What a relief.
I can now have an internet-facing machine with full control over the services it shows publicly.
All that is required is a command like:
iptables -A INPUT -p tcp --dport 8080 -i eth0 -j DROP
and all TCP requests to port 8080 arriving on eth0 (the outside interface) will be dropped.
All requests from localhost will use the lo adapter, and will thus still be accepted. This is something I should have known long ago!
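
Because -A appends to the end of the INPUT chain and iptables acts on the first rule that matches, an ACCEPT rule already in the chain can shadow the new DROP. The shell function below is an added example, not part of the original post: it walks `iptables -S INPUT` style output and reports the verdict a new TCP connection would get. The function name and both rule sets are constructed for illustration, and it models only the -i, -p, --dport and -j options.

```shell
# Constructed sample: the rule from the post on an otherwise empty chain.
RULES_APPENDED='-P INPUT ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j DROP'

# Constructed sample: an older, broader ACCEPT sits ahead of the appended DROP.
RULES_SHADOWED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 8080 -j DROP'

# first_verdict IFACE PORT: reads `iptables -S INPUT` output on stdin and
# prints the first-match verdict for a TCP packet to PORT arriving on IFACE.
# Prints UNKNOWN when a matching rule uses something this sketch does not model.
first_verdict() {
  awk -v ifc="$1" -v port="$2" '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
      in_if = ""; proto = ""; dport = ""; target = ""; other = 0
      for (i = 3; i <= NF; i++) {
        if      ($i == "-i")      in_if = $(++i)
        else if ($i == "-p")      proto = $(++i)
        else if ($i == "--dport") { dport = $(++i); if (dport ~ /:/) other = 1 }
        else if ($i == "-j")      { target = $(i + 1); break }  # target options follow
        else if ($i == "-m" && $(i + 1) == "tcp") i++           # implicit tcp match
        else other = 1                                          # unmodelled match
      }
      # Skip rules that clearly do not apply to this packet.
      if (in_if != "" && in_if != ifc) next
      if (proto != "" && proto != "tcp" && proto != "all") next
      if (dport != "" && dport !~ /:/ && dport != port) next
      if (target == "LOG" && !other) next                       # LOG does not terminate
      if (!other && (target == "ACCEPT" || target == "DROP" || target == "REJECT"))
        print target
      else
        print "UNKNOWN"
      done = 1; exit
    }
    END { if (!done) print (policy != "" ? policy : "UNKNOWN") }
  '
}

# On a live host (as root): iptables -S INPUT | first_verdict eth0 8080
printf '%s\n' "$RULES_APPENDED" | first_verdict eth0 8080
printf '%s\n' "$RULES_SHADOWED" | first_verdict eth0 8080
```

If the second case applies, inserting the rule at the head of the chain with -I INPUT instead of -A puts the DROP ahead of the older ACCEPT.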