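Host based protection with iptables and rc.firewall. Place this script in /etc/rc.d/rc.firewall and execute it from /etc/rc.d/rc.local. chmod the file to 500.
---------start--------
#!/bin/bash
# IPTABLES Firewall for host
#
# Builds a fail-closed host firewall: INPUT and FORWARD default to DROP,
# OUTPUT defaults to ACCEPT, and only the services listed below are
# reachable from the network. The finished ruleset is saved to
# /etc/sysconfig/iptables so the iptables init script restores it on boot.
#
# Must run as root. Every rule is added through ipt() below, which aborts
# the script on the first iptables error so a failed rule leaves the DROP
# policies in force instead of a half-built ruleset.
set -u

# Print a message to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

[[ $EUID -eq 0 ]] || die "rc.firewall: must be run as root"

# Binary Location (-v creates verbose output). Wrapping the call means
# every rule uses the same binary and flags and is checked for failure.
ipt() {
  /sbin/iptables -v "$@" || die "rc.firewall: iptables $* failed"
}

# IPs and Networks (not referenced by the rules below; kept for rules you
# add later)
LO="127.0.0.1/32"
ANY="0.0.0.0/0.0.0.0"

# Make sure iptables is running cleanly: discard the previously saved
# ruleset so the init script starts from an empty table.
/sbin/service iptables stop
rm -f -- /etc/sysconfig/iptables
/sbin/service iptables start

# Conntrack modules. modprobe resolves the module by name (insmod needs a
# full path on 2.6+ kernels). Only needed if the FTP rule below is
# enabled, so a missing module is a warning, not an error. On kernels
# 2.6.20 and later the module is named nf_conntrack_ftp.
/sbin/modprobe ip_conntrack_ftp \
  || printf 'rc.firewall: warning: ip_conntrack_ftp not loaded\n' >&2

# Default Policy - set before the rules are built so the host is closed
# while this script is running.
ipt -P INPUT DROP
ipt -P OUTPUT ACCEPT # You can choose to restrict outbound extensively
ipt -P FORWARD DROP

# Flush old rules (and delete user chains so -N below cannot collide)
ipt -F
ipt -X

# Log entry and deny connections. The LOG rule is rate-limited so a
# flood of rejected packets cannot fill syslog; packets over the limit
# are still dropped by the next rule.
ipt -N logging
ipt -A logging -m limit --limit 5/minute --limit-burst 10 \
  -j LOG --log-level info --log-prefix "Firewall:"
ipt -A logging -j DROP

# Manage state connections for services that accept new connections
ipt -N instate
ipt -A instate -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
ipt -A instate -m state --state INVALID -j logging
ipt -A instate -j logging

# Manage state connections for everything else: only replies to traffic
# this host started are accepted
ipt -N dpstate
ipt -A dpstate -m state --state RELATED,ESTABLISHED -j ACCEPT
ipt -A dpstate -m state --state INVALID -j logging
ipt -A dpstate -j logging

# Localhost : Allowed
ipt -A INPUT -i lo -j ACCEPT

# FTP : Allowed
#ipt -A INPUT -p tcp --dport 20:21 -j instate

# Ident : Be polite but don't allow it (an immediate reject keeps mail
# servers from waiting on an ident timeout)
ipt -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable

# Netbios : Drop quietly
ipt -A INPUT -p tcp --dport 135:139 -j DROP
ipt -A INPUT -p udp --dport 135:139 -j DROP

# SSH : Allowed from anywhere
ipt -A INPUT -p tcp --dport 22 -j instate

# Web : Allowed from anywhere
#ipt -A INPUT -p tcp --dport 80 -j instate

# Syslog : Allowed from the 10. network
#ipt -A INPUT -p udp --dport 514 -s 10.0.0.0/24 -j instate

# Mail : Allowed
ipt -A INPUT -p tcp --dport 25 -j instate  # smtp
ipt -A INPUT -p tcp --dport 465 -j instate # secure smtp
ipt -A INPUT -p tcp --dport 110 -j instate # pop3
ipt -A INPUT -p tcp --dport 995 -j instate # pop3s

# Handle everything else
ipt -A INPUT -j dpstate  # If I didn't list it, drop it inbound
ipt -A OUTPUT -j instate # If I didn't list it, allow normal outbound

# Apply: persist the finished ruleset (with counters) and let the init
# script reload it, so what runs now is exactly what is restored on boot.
/sbin/iptables-save -c > /etc/sysconfig/iptables \
  || die "rc.firewall: iptables-save failed"
/sbin/service iptables restart
---------stop--------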