Default IPTables Configuration for HSphere
Below is a 'template' firewall for a single-server HSphere install.

Notes:
192.168.1.1 is the example base IP address of the server. You need to change this.
192.168.1.2 is *your* IP address (the address you administer the server from). You *must* change this, otherwise you'll lock yourself out of the server: the INPUT policy is DROP and the ruleset does not open SSH (port 22) to anyone, so the management IP rule is the only thing that lets your own connections in.
This example would be saved to file /etc/sysconfig/iptables, which is what iptables-restore loads when the iptables service starts.
You need to load the ip_conntrack_ftp module into the kernel when iptables is started, otherwise the data connections of passive FTP transfers are not tracked as RELATED and are dropped. You add this module name in /etc/rc.d/init.d/iptables.
Change;
IPTABLES_MODULES=""
To;
IPTABLES_MODULES="ip_conntrack_ftp"
The BLOCK_NET chain is created but has no rules, so "-A INPUT -j BLOCK_NET" currently just returns to INPUT. Put "-A BLOCK_NET -s <network> -j DROP" rules in it for networks you want to keep out.
"-A INPUT -s 192.168.1.1 -j ACCEPT" trusts any packet that claims the server's own address as its source, which is spoofable from outside. The "-i lo" rule already covers the server talking to itself, so that rule can be restricted with -i lo or dropped if you have nothing that relies on it.
3306 (MySQL) and 5432 (PostgreSQL) are opened to the world here. If only other HSphere servers need to reach the databases, add -s with their addresses to those two rules.
Port 113 (ident) is DROPped rather than REJECTed, so remote mail and IRC servers that do ident lookups on your connections wait for a timeout before continuing. Use REJECT --reject-with tcp-reset on 113 if you notice slow outbound mail.
The LOG rules at the end are not rate limited, so a port scan can fill /var/log/messages quickly. Add "-m limit --limit 5/min" to them if that becomes a problem.

############################################
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BLOCK_NET - [0:0]
# Handle Passive FTP (remember to enable ip_conntrack_ftp module)
-A OUTPUT -p tcp -m tcp -m state --dport 1024:65535 --sport 1024:65535 --state RELATED,ESTABLISHED -j ACCEPT
# Server Base IP address
-A INPUT -s 192.168.1.1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Management IPs (VERY IMPORTANT TO PUT YOUR IP HERE otherwise you'll be locked out)
-A INPUT -s 192.168.1.2 -j ACCEPT
# End Management IPs
# Run Block bad networks chain
-A INPUT -j BLOCK_NET
# Handle Passive FTP (remember to enable ip_conntrack_ftp module in the iptables init script)
-A INPUT -p tcp -m tcp -m state --dport 1024:65535 --sport 1024:65535 --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j DROP
-A INPUT -p tcp -m tcp --dport 135 -j DROP
-A INPUT -p tcp -m tcp --dport 136 -j DROP
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 593 -j DROP
-A INPUT -p tcp -m tcp --dport 777 -j DROP
-A INPUT -p tcp -m tcp --dport 778 -j DROP
-A INPUT -p tcp -m tcp --dport 837 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1025 -j DROP
-A INPUT -p tcp -m tcp --dport 1080 -j DROP
-A INPUT -p tcp -m tcp --dport 1434 -j DROP
-A INPUT -p tcp -m tcp --dport 1433 -j DROP
-A INPUT -p tcp -m tcp --dport 3128 -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4321 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -j DROP
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6667 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p udp -m udp --dport 137:138 --sport 137:138 -j DROP
# Logging to /var/log/messages (LOG does not end rule processing; the REJECT after each LOG does)
-A INPUT -p tcp -m tcp -j LOG --log-prefix "AUDIT TCP "
-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp -j LOG --log-prefix "AUDIT UDP "
-A INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
# Echo requests were already accepted above, so this only fires if that rule is removed.
# Other ICMP types that are not RELATED fall through to the DROP policy without being logged.
-A INPUT -p icmp -m icmp --icmp-type 8 -j LOG
COMMIT
# mangle section
*mangle
:PREROUTING ACCEPT [1591876424:227299011220]
:INPUT ACCEPT [1591816598:227294667655]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1765890237:977040975279]
:POSTROUTING ACCEPT [1765890154:977040909847]
COMMIT
# NAT section
*nat
:PREROUTING ACCEPT [10032111:558215684]
:POSTROUTING ACCEPT [5152283:290989829]
:OUTPUT ACCEPT [3923347:241838349]
COMMIT
############################################
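The steps above (change the two example addresses, save the file, set IPTABLES_MODULES in the init script, then restart iptables) are easy to get wrong in exactly the way that locks you out. The script below is a pre-flight check added here as an example; it is not part of the original post or of HSphere. It assumes the template is saved at a path RULES (normally /etc/sysconfig/iptables) and the Red Hat style init script is at INIT (normally /etc/rc.d/init.d/iptables); both are parameters so you can run it against copies first. The demo function builds cut-down, constructed copies of the two files rather than touching the real ones.

```shell
#!/bin/sh
# Pre-flight checks before restarting iptables with the HSphere template.
# Added example for this page; not part of the original post or of HSphere.
# Assumed layout (both are parameters so you can test against copies):
#   RULES  the saved template, normally /etc/sysconfig/iptables
#   INIT   the Red Hat style init script, normally /etc/rc.d/init.d/iptables

PLACEHOLDER_ADMIN=192.168.1.2   # the template's example management IP

# check_placeholders RULES ADMIN_IP
# Fail if the template's example management IP is still in the file, or if
# ADMIN_IP (the address you are administering from) has no INPUT ACCEPT
# rule. With policy INPUT DROP and no SSH port opened, that rule is the only
# thing that keeps your session alive once the ruleset loads.
check_placeholders() {
    rules=$1; admin=$2
    if grep -qF -- "-A INPUT -s $PLACEHOLDER_ADMIN " "$rules"; then
        echo "lockout risk: placeholder $PLACEHOLDER_ADMIN still in $rules" >&2
        return 1
    fi
    if ! grep -qF -- "-A INPUT -s $admin -j ACCEPT" "$rules"; then
        echo "lockout risk: no ACCEPT rule for $admin in $rules" >&2
        return 1
    fi
}

# check_commits RULES
# Every *table section must be closed by COMMIT, or iptables-restore rejects
# the whole file and the box comes up with whatever rules it had before.
check_commits() {
    awk 'BEGIN { bad = 0 }
         /^[*]/     { if (open != "") { print "no COMMIT for " open > "/dev/stderr"; bad = 1 }
                      open = $0 }
         /^COMMIT$/ { open = "" }
         END        { if (open != "") { print "no COMMIT for " open > "/dev/stderr"; bad = 1 }
                      exit bad }' "$1"
}

# set_module INIT MODULE
# Rewrite the IPTABLES_MODULES= line so MODULE is loaded on every start.
# Uses a temp file rather than sed -i, which is not portable.
set_module() {
    init=$1; module=$2
    sed "s/^IPTABLES_MODULES=.*\$/IPTABLES_MODULES=\"$module\"/" "$init" > "$init.tmp" \
        && mv "$init.tmp" "$init" \
        && grep -qF "IPTABLES_MODULES=\"$module\"" "$init"
}

# syntax_check RULES
# Optional: let iptables-restore parse the file without loading it. Needs
# root and a kernel with netfilter, so it is not part of preflight.
syntax_check() {
    iptables-restore --test "$1"
}

# preflight RULES INIT ADMIN_IP
# Run the offline checks and set the FTP helper; 0 means it is safe to run
# "service iptables restart".
preflight() {
    check_placeholders "$1" "$3" && check_commits "$1" && set_module "$2" ip_conntrack_ftp
}

# demo: constructed cut-down copies of the template and init script (not the
# real files) showing the unedited template being refused and the edited one
# passing. Returns 0 when both behave as expected.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
        '-A INPUT -s 192.168.1.2 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT' > "$d/rules"
    printf 'IPTABLES_MODULES=""\n' > "$d/init"
    # as pasted: placeholder IP still present, filter table never COMMITted
    if check_placeholders "$d/rules" 203.0.113.7; then return 1; fi
    if check_commits "$d/rules"; then return 1; fi
    # edited as the notes say: your own IP instead of 192.168.1.2, then COMMIT
    sed 's/192\.168\.1\.2/203.0.113.7/' "$d/rules" > "$d/rules.tmp" \
        && mv "$d/rules.tmp" "$d/rules"
    echo COMMIT >> "$d/rules"
    preflight "$d/rules" "$d/init" 203.0.113.7
}
```

Run preflight with your real paths and your real address before restarting the service, for example "preflight /etc/sysconfig/iptables /etc/rc.d/init.d/iptables 203.0.113.7" (203.0.113.7 is an assumed address here); as root you can also run syntax_check on the rules file. The placeholder test deliberately looks for the exact template line, so it also catches the common mistake of editing only one of the two addresses.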