Yes, iptables does play a role.
With iptables, you usually begin with two things
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
First rule says accept (don't drop) all connections that have been established and their related connections (--state RELATED, ESTABLISHED). This is so your ssh connections doesn't get cut off while you are still setting things up.
Second rule says, everything else that tries to come in, drop (don't allow).
Next you insert rules at the top for all the things you do want to let through. IP table rules are quite flexible, you can allow or drop connections based on state, protocol, interface, ip etc.
On a web server and a machine you control remotely you probably need to at least HTTP (80), HTTPS (443) and SSH (22). You should bind SSH to the IP you are connecting to for added safety.
-I INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
Now for your case, you also have apache listening on 8090, so you need to open that up, BUT, you only what to listen to it when the source is the loopback address.
-I INPUT -s 127.0.0.1 --dport 8090 -j ACCEPT
So in the end your whole IP tables config script would look something like this (though you will have to add rules for things like SMTP if you handle your own mail etc).
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 127.0.0.1 --dport 8090 -j ACCEPT
-A INPUT -j DROP
-A adds the rule to the bottom, -I inserts it at the top if I recall correctly, rules are evaluated from top to bottom, if a connection matches a rule, it does what it was told (ACCEPT, DROP or others), otherwise it continues to the bottom. If it does not match anything, the connection is accepted (thats why it's important to have the catch all DROP at the bottom: everything is prohibited except for what is explicitly allowed ).
Hope that was clear.
Daniel.