We will use the following iptables arguments:

| Argument | Meaning |
| --- | --- |
| -A | append a rule to the end of a chain (a chain is a list of rules which can match a set of packets) |
| -P | apply a default policy to a chain (DROP, ACCEPT, QUEUE or RETURN targets) |
| -t | specify the packet matching table (filter is the default table, which contains the INPUT, FORWARD and OUTPUT packet chains); you can skip this option |
| -p | protocol of the packets to match (tcp, udp, icmp) |
| -i / -o | input and output interfaces (lo for the local loopback interface) |
| -j | apply a target (ACCEPT, DROP, QUEUE or RETURN) |
| --dport | destination port (http: 80, ftp: 21, ...) |
If you are running a web server, you may want to add rules that deny all traffic by default and accept communications only on the ports commonly used by your web server, such as http, dns, mail (smtp, pop, imap), ping (icmp), ssh and NTP (network time protocol).
# Reset all rules (-F) and delete user-defined chains (-X); needed if iptables rules are already defined
iptables -t filter -F
iptables -t filter -X
# Start by blocking all traffic by default; the rules below then allow specific services only.
# Run the whole script at once rather than line by line over SSH: the session would be cut off
# between this step and the ESTABLISHED rule below.
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
# Keep established connections and traffic related to them (replies, FTP data channels, ICMP errors)
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow loopback (local processes talking to each other)
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
# HTTP: inbound to the web server (INPUT) and outbound requests made by the server itself (OUTPUT)
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
# FTP: control channel (21) and active-mode data channel (20)
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
# SMTP
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
# POP3
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
# IMAP
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
# ICMP (ping and error messages), both directions
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
# SSH
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -j ACCEPT
# DNS: queries to resolvers (OUTPUT) and, if this host also serves DNS, inbound queries (INPUT)
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
# NTP: outbound time synchronisation only
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
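The same ruleset as an added example (not the page's own script): a POSIX shell function with a dry-run mode so the generated commands can be reviewed without root, and with the loopback and ESTABLISHED rules placed before the DROP policies so an SSH session applying it is not cut off. IPT, DRY_RUN, ipt, allow_port and apply_rules are names chosen here, not iptables options.

```shell
#!/bin/sh
# Added example (not the page's script): the page's ruleset as a function with a
# dry-run mode. IPT, DRY_RUN, ipt, allow_port, apply_rules are names chosen here.
IPT="${IPT:-iptables}"
# Run iptables, or only print the command when DRY_RUN=1 (no root needed).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}
# allow_port CHAIN PROTO PORT[:PORT]: accept one service in one direction.
allow_port() {
    ipt -t filter -A "$1" -p "$2" --dport "$3" -j ACCEPT
}
apply_rules() {
    # Flush all rules (-F) and delete user-defined chains (-X).
    ipt -t filter -F
    ipt -t filter -X
    # Accept loopback and already-established traffic BEFORE the default
    # policy becomes DROP, so the SSH session running this is not cut off.
    ipt -t filter -A INPUT -i lo -j ACCEPT
    ipt -t filter -A OUTPUT -o lo -j ACCEPT
    ipt -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -t filter -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Services: inbound to this host (INPUT) and outbound from it (OUTPUT).
    for rule in \
        "INPUT tcp 80"    "OUTPUT tcp 80"    \
        "INPUT tcp 20:21" "OUTPUT tcp 20:21" \
        "INPUT tcp 25"    "OUTPUT tcp 25"    \
        "INPUT tcp 110"   "OUTPUT tcp 110"   \
        "INPUT tcp 143"   "OUTPUT tcp 143"   \
        "INPUT tcp 22"    "OUTPUT tcp 22"    \
        "INPUT tcp 53"    "OUTPUT tcp 53"    \
        "INPUT udp 53"    "OUTPUT udp 53"    \
        "OUTPUT udp 123"; do
        set -- $rule            # split "CHAIN PROTO PORT" into $1 $2 $3
        allow_port "$1" "$2" "$3"
    done
    ipt -t filter -A INPUT -p icmp -j ACCEPT
    ipt -t filter -A OUTPUT -p icmp -j ACCEPT
    # Everything not accepted above is dropped; FORWARD is closed entirely.
    ipt -t filter -P INPUT DROP
    ipt -t filter -P FORWARD DROP
    ipt -t filter -P OUTPUT DROP
}
# Preview: DRY_RUN=1 sh firewall.sh apply    Apply for real: sudo sh firewall.sh apply
if [ "${1:-}" = "apply" ]; then apply_rules; fi
```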
See the iptables manual page (man iptables) for more information, or read the iptables documentation on the centos.org wiki:
https://wiki.centos.org/HowTos/Network/IPTables