Thanks, Stuart. Your additional explanation was very helpful. Here's what I have updated the script to with your feedback. Do I have the order right?
(Note that I have commented out the restorecon line as I am not running SELinux.)

#!/bin/sh
# drop all incoming traffic
/sbin/iptables -P INPUT DROP
# drop all forwarded traffic
/sbin/iptables -P FORWARD DROP
# allow all outgoing traffic
/sbin/iptables -P OUTPUT ACCEPT
# allow returning packets
/sbin/iptables -A INPUT -i lo -j ACCEPT
# limit ping
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec --limit-burst 5 -j ACCEPT
# specifically allow all ICMP packets through
/sbin/iptables -A INPUT -p icmp -j ACCEPT
# allow incoming traffic on port 80 for web server
/sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# allow incoming traffic on port 25 for mail server
/sbin/iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# allow incoming SSH on port xxxx
/sbin/iptables -A INPUT -p tcp -m tcp --dport xxxx -j ACCEPT
# write out the contents
/sbin/iptables-save > /etc/sysconfig/iptables
# confirm permissions
chmod u=rw,go= /etc/sysconfig/iptables
# restore file(s) default SELinux security contexts (if using SELinux)
#restorecon /etc/sysconfig/iptables
# restart iptables
/sbin/sudo service iptables restart

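Rule order matters in iptables because a packet is handled by the first rule it matches. The following is an added example, not the poster's script and not a reply from the thread: it builds an INPUT chain in which the connection-tracking rule comes before the service rules, and the ping limiter is followed by a DROP for excess echo requests before any blanket ICMP accept (a generic ICMP ACCEPT placed directly after a rate-limited ACCEPT would accept every ping the limiter rejected). It also includes a small checker that inspects a rule list for that ordering. Assumptions: the SSH port placeholder 2222 stands in for the "xxxx" in the post, the conntrack match (`-m conntrack --ctstate`) is available, and by default the script only prints the commands (set IPTABLES to the real binary to apply them).

```shell
#!/bin/sh
# Added example: ordering iptables INPUT rules so each one does what its
# comment says. Default is a dry run that prints the commands.
IPTABLES="${IPTABLES:-echo /sbin/iptables}"
SSH_PORT="${SSH_PORT:-2222}"   # placeholder for the post's "xxxx"

apply_rules() {
    # default policies: drop unsolicited inbound and all forwarding
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT
    # loopback: local services talk to themselves constantly
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # returning packets: replies to connections this host opened
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # ping: accept a trickle, then DROP the rest; the DROP must precede
    # any general ICMP ACCEPT or the limit has no effect
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec --limit-burst 5 -j ACCEPT
    $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j DROP
    # remaining ICMP (destination-unreachable, time-exceeded, ...)
    $IPTABLES -A INPUT -p icmp -j ACCEPT
    # published services: only new connections need explicit rules now
    $IPTABLES -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

# Constructed copy of the ordering from the post above, for comparison.
poster_rules() {
    echo "/sbin/iptables -A INPUT -i lo -j ACCEPT"
    echo "/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/sec --limit-burst 5 -j ACCEPT"
    echo "/sbin/iptables -A INPUT -p icmp -j ACCEPT"
    echo "/sbin/iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT"
    echo "/sbin/iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT"
    echo "/sbin/iptables -A INPUT -p tcp -m tcp --dport $SSH_PORT -j ACCEPT"
}

# Read "iptables ..." lines on stdin; exit 0 only if the conntrack rule
# precedes the first --dport rule, the ping limiter is followed by an
# echo-request DROP, and that DROP precedes any blanket "-p icmp -j ACCEPT".
check_order() {
    awk '
    /-A INPUT/ { n++ }
    /--ctstate ESTABLISHED,RELATED/ && !est { est = n }
    /--dport/ && !svc { svc = n }
    /echo-request/ && /-m limit/ { lim = n }
    /echo-request/ && /-j DROP/ { drop = n }
    /-p icmp -j ACCEPT/ && !any { any = n }
    END {
        ok = (est && (!svc || est < svc)) && (lim && drop && lim < drop) && (!any || drop < any)
        exit (ok ? 0 : 1)
    }'
}

case "${1:-}" in
    dry-run) apply_rules ;;
    check)   apply_rules | check_order && echo "rule order ok" ;;
esac
```

Run `sh rules.sh dry-run` to see the commands, `sh rules.sh check` to verify the ordering, and `IPTABLES=/sbin/iptables sh rules.sh dry-run` to apply them (the existing chains should be flushed first, and the `iptables-save` step from the post still applies).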