diff --git a/CHANGELOG.md b/CHANGELOG.md index a9880b72..2bcd96a0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,5 @@ +* Add iptables rules to block requests to the supervisor API from all interfaces except vpn, docker and local [Pablo] + # v1.13.2 * bootstrap: if offlineMode is enabled, persist only the uuid [petrosagg] diff --git a/Dockerfile.amd64 b/Dockerfile.amd64 index 49d7fb4f..f226c9a8 100644 --- a/Dockerfile.amd64 +++ b/Dockerfile.amd64 @@ -11,6 +11,7 @@ RUN apt-get -q update \ btrfs-tools \ ca-certificates \ curl \ + iptables \ rsync \ supervisor \ --no-install-recommends \ diff --git a/Dockerfile.armel b/Dockerfile.armel index 0d69a396..a21506ce 100644 --- a/Dockerfile.armel +++ b/Dockerfile.armel @@ -11,6 +11,7 @@ RUN apt-get -q update \ btrfs-tools \ ca-certificates \ curl \ + iptables \ rsync \ supervisor \ --no-install-recommends \ diff --git a/Dockerfile.armv7hf b/Dockerfile.armv7hf index eefef8a0..22e0b744 100644 --- a/Dockerfile.armv7hf +++ b/Dockerfile.armv7hf @@ -11,6 +11,7 @@ RUN apt-get -q update \ btrfs-tools \ ca-certificates \ curl \ + iptables \ rsync \ supervisor \ --no-install-recommends \ diff --git a/Dockerfile.i386 b/Dockerfile.i386 index 3e6ec066..44cf1f5c 100644 --- a/Dockerfile.i386 +++ b/Dockerfile.i386 @@ -11,6 +11,7 @@ RUN apt-get -q update \ btrfs-tools \ ca-certificates \ curl \ + iptables \ rsync \ supervisor \ --no-install-recommends \ diff --git a/Dockerfile.rpi b/Dockerfile.rpi index b60a0ba3..8d61353b 100644 --- a/Dockerfile.rpi +++ b/Dockerfile.rpi @@ -11,6 +11,7 @@ RUN apt-get -q update \ btrfs-tools \ ca-certificates \ curl \ + iptables \ rsync \ supervisor \ --no-install-recommends \ diff --git a/src/app.coffee b/src/app.coffee index bd8a1031..8bd6a8fb 100644 --- a/src/app.coffee +++ b/src/app.coffee 
@@ -24,8 +24,10 @@ knex.init.then -> device = require './device' console.log('Starting API server..') - apiServer = api(application).listen(config.listenPort) - apiServer.timeout = config.apiTimeout + utils.createIpTablesRules() + .then -> + apiServer = api(application).listen(config.listenPort) + apiServer.timeout = config.apiTimeout bootstrap.done .then -> diff --git a/src/utils.coffee b/src/utils.coffee index 8b614287..2c0512b7 100644 --- a/src/utils.coffee +++ b/src/utils.coffee @@ -11,6 +11,7 @@ randomHexString = require './lib/random-hex-string' request = Promise.promisifyAll require 'request' logger = require './lib/logger' TypedError = require 'typed-error' +execAsync = Promise.promisify(require('child_process').exec) # Parses package.json and returns resin-supervisor's version version = require('../package.json').version @@ -279,3 +280,15 @@ exports.validateKeys = (options, validSet) -> return if !options? invalidKeys = _.keys(_.omit(options, validSet)) throw new Error("Using #{invalidKeys.join(', ')} is not allowed.") if !_.isEmpty(invalidKeys) + +checkAndAddIptablesRule = (rule) -> + execAsync("iptables -C #{rule}") + .catch -> + execAsync("iptables -A #{rule}") + +exports.createIpTablesRules = -> + allowedInterfaces = ['tun0', 'docker0', 'lo'] + Promise.each allowedInterfaces, (iface) -> + checkAndAddIptablesRule("INPUT -p tcp --dport #{config.listenPort} -i #{iface} -j ACCEPT") + .then -> + checkAndAddIptablesRule("INPUT -p tcp --dport #{config.listenPort} -j REJECT")
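Review bot: The new chain `utils.createIpTablesRules().then -> ...` has no rejection handler, so if iptables fails (binary missing, kernel netfilter support absent, or the container lacking NET_ADMIN) the API server is silently never started and nothing is logged. Failing closed is the right outcome, but it should be visible: end the chain with `.catch (err) -> console.error('Not starting API server, could not create iptables rules:', err)` and consider exiting so the supervisor is restarted instead of running without its API. Note also that `apiServer` is now assigned inside the inner `.then ->` callback; in CoffeeScript that makes the variable local to that callback unless an enclosing scope already assigns it, so any later reference to `apiServer` in the outer body would see a different, undefined variable — worth confirming against the rest of the file. The enclosing `knex.init.then ->` callback starts and ends outside the hunk.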
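Review bot: The rules added in `createIpTablesRules` cover IPv4 only, while `api(application).listen(config.listenPort)` in app.coffee is called without a host, and Node then binds the unspecified IPv6 address `::` (dual-stack) whenever IPv6 is available, so a connection arriving over IPv6 on any interface bypasses the REJECT rule entirely. Either bind the listener to explicit addresses or apply the same rule set through `ip6tables` (which the iptables package added to the Dockerfiles should provide), as sketched below. Because both rules are appended with `-A`, an ACCEPT for an interface added to `allowedInterfaces` in a later release lands after an already-present REJECT and is inert; inserting the ACCEPT rules with `-I`, or verifying the REJECT rule's position, is more robust if the rules persist across supervisor restarts. Finally, `config.listenPort` is interpolated unvalidated into a shell command through the `child_process.exec`-based `execAsync` introduced in the hunk at line 11; an integer check on it, or `execFile` with an argument array, keeps the shell out of the path.
```coffeescript
checkAndAddIptablesRule = (bin, rule) ->
	execAsync("#{bin} -C #{rule}")
	.catch ->
		# -C fails both when the rule is absent and when the tool itself fails; -A re-surfaces the latter
		execAsync("#{bin} -A #{rule}")

exports.createIpTablesRules = ->
	allowedInterfaces = ['tun0', 'docker0', 'lo']
	# Apply the same policy to IPv4 and IPv6: listen(port) with no host binds :: when available
	Promise.each ['iptables', 'ip6tables'], (bin) ->
		Promise.each allowedInterfaces, (iface) ->
			checkAndAddIptablesRule(bin, "INPUT -p tcp --dport #{config.listenPort} -i #{iface} -j ACCEPT")
		.then ->
			checkAndAddIptablesRule(bin, "INPUT -p tcp --dport #{config.listenPort} -j REJECT")
```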