#1
I need to close all the ports except ...
port 80, 9090, 22041, 22031 in Red Hat 7.1.
Show me in detail, as I am moving my Linux box into co-location. Thanks!
__________________
Regards. I wish to use an AT89C51 single-chip computer to do remote sensing and send the data back from the woods to the office via a Nokia 3330 and the internet. HOW? First I must revise C programming through examples; what's next?
#2
__________________
PHP manual | MySQL manual | Apache docs | Linux Documentation Project | Free Software Foundation Smart Questions HOWTO | PHP security | PHP FAQ | Posting HOWTO Wikipedia | English dictionary | Google | News | RFCs Thus Spoke Zarathustra | A Skeptic's Guide to Christianity | Project Gutenberg | Skeptic's Annotated Bible ParEcon | Marxists Internet Archive | The Memory Hole | Landover Baptist | DHMO Research Universal Declaration of Human Rights | UN Charter | Geneva Conventions Sinfest | Chopping Block | Filthy Lies | Bob the Angry Flower | How to Shoot Yourself In the Foot
#3
It's so much easier to be spoon-fed...
//NoXcuz
__________________
UN*X is sexy! who | grep -i blonde | date; cd ~; unzip; touch; strip; finger; mount; gasp; yes; uptime; umount; sleep
#4
I found something like this. Can you tell me if this is suitable in a co-location environment? There will be no internal net, just a router from the data center, ONE IP and ONE gateway.
```sh
#! /bin/sh
#
# Minimal ipchains startup rules for a Linux 2.2.x based firewall.
# (c)2000 Manfred Bartz <md-linux@logi.cc>
# This file is subject to the GPL <http://www.gnu.org/copyleft/gpl.html>
#
# Use numeric IP addresses here. Most systems cannot do DNS lookups
# at the time the firewall is initialised.
#
# Absolutely no responsibility for *anything* accepted,
# use at your own risk.
# Nonetheless, these rules provide a starting point and should allow
# basic internet access for all systems on your LAN while also
# providing basic security.
# For single PCs (no LAN) leave out the ``forward'' stuff.
#
# Assumptions:
#   Local network is 192.168.1.0/24
#   Local interface is eth0
#   Internet interface is eth1 (yours may be ppp0, etc...)
#
# Read your logs if something doesn't work!

#= startup ========================================
# Setting a policy of DENY before flushing the chains should make the firewall
# fail in a safe way if something goes wrong further down in this script.
ipchains -P input DENY
ipchains -F input
ipchains -P forward DENY
ipchains -F forward
# This assumes we trust internal users:
ipchains -P output ACCEPT
ipchains -F output

#= input ==========================================
# Turn on Source Address Verification so our network cannot be
# used for IP address spoofing
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

#- local ------------------------------------------
# Private LAN is trusted (is this acceptable for your site?)
ipchains -A input -i eth0 -j ACCEPT
# loopback: all packets with src and dst matching appear here,
# not just the ones addressed to 127.0.0.1.
ipchains -A input -i lo -j ACCEPT

#- Internet ---------------------------------------
# accept DHCP
ipchains -A input -i eth1 -p udp -s 0/0 67 -d 0/0 68 -j ACCEPT

# The order in which rules are added to a chain is very important!
# The most specific rules come first, the most general rule (catchall)
# goes last. Incorrect order can lead to disaster!

## Here you can add rules to allow specific IP addresses or subnets to
## connect to your gateway. E.g. I run sshd on my home PC and want to
## be able to log in from my office at work:
##
## Allow mywork.com (123.123.123.123) into sshd
## log initial connect:
#ipchains -A input -i eth1 -p tcp -s 123.123.123.123 -d 0/0 22 --syn -j ACCEPT --log
## don't log remaining traffic for that connection
#ipchains -A input -i eth1 -p tcp -s 123.123.123.123 -d 0/0 22 ! --syn -j ACCEPT

# Block access to NFS specifically (if you have it), do the same
# with any other services using ports above 1023 (e.g. X11).
# Check with: netstat -tupan
ipchains -A input -i eth1 -p udp -d 0/0 2049 -j DENY --log
ipchains -A input -i eth1 -p tcp -d 0/0 2049 -j DENY --log
# Block access to X11 specifically (if you have it). See above.
ipchains -A input -i eth1 -p udp -d 0/0 6000:6063 -j DENY --log
ipchains -A input -i eth1 -p tcp -d 0/0 6000:6063 -j DENY --log
# Block ALL access to privileged ports (below 1024)
ipchains -A input -i eth1 -p tcp -d 0/0 0:1023 -j DENY --log
ipchains -A input -i eth1 -p udp -d 0/0 0:1023 -j DENY --log
# The privileged ports (<1024) are now blocked

# Allow all TCP except incoming connections (no packets w SYN=1,ACK=0).
# Blocking incoming connections causes problems only with ftp in active
# mode, so use it in passive mode, that is much safer.
ipchains -A input -i eth1 -p tcp -d 0/0 1024:65535 ! --syn -j ACCEPT

# Accept DNS. This rule is not necessary if you enable all UDP above
# port 1023 (see below). Also, filtering on a remote port is next to
# useless because you don't control it. If you know your ISP's nameserver
# address, put that after the ``-s'' instead of the ``0/0''.
# If you have multiple nameservers have a rule for each one.
ipchains -A input -i eth1 -p udp -s 0/0 53 -d 0/0 1024:65535 -j ACCEPT

# Allow all UDP above 1023 but make doubly sure that you don't have
# unprotected UDP servers in this port range.
# If this is uncommented, then you don't need the DNS rule above.
# (As posted, this rule is active, so every UDP port above 1023 is open
# to the Internet interface and the DNS rule above is redundant.)
ipchains -A input -i eth1 -p udp --dport 1024:65535 -j ACCEPT

# ICMP, Internet interface only:
# This is needed for error conditions and Path-MTU discovery:
for t in echo-reply \
         destination-unreachable \
         time-exceeded \
         parameter-problem
do
    ipchains -A input -i eth1 -p icmp --icmp-type $t -j ACCEPT
done
# ICMP, all other interfaces:
ipchains -A input -i ! eth1 -p icmp -j ACCEPT

# The input default policy blocks everything that doesn't match any
# rule, but it doesn't give us log messages. That is why we use a
# catch-all so we can see what is going on:
ipchains -A input -j DENY --log

#= output =========================================
#- Internet ---------------------------------------
# Our private network addresses should never appear on the Internet
ipchains -A output -i eth1 -d 192.168.0.0/16 -j REJECT

#= forward ========================================
# You can load kernel modules for masquerading here if necessary,
# for example:
#modprobe ip_masq_irc
# turn on forwarding (better to use sysctl, refer to man sysctl)
echo 1 > /proc/sys/net/ipv4/ip_forward
# only masquerade if it's from us and goes out to the Internet
ipchains -A forward -i eth1 -s 192.168.1.0/24 -j MASQ
# The forward default policy blocks everything that doesn't match any
# rule, but it doesn't give us log messages. That is why we use a
# catch-all rule so we can see what is going on:
ipchains -A forward -j REJECT --log
```

After testing the system at scan.sygatetech.com on their very good scanner, it seems that this is either not working, or I'm missing something.
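An added example for the two questions in this thread (post #1: close everything except TCP 80, 9090, 22041 and 22031 on a Red Hat 7.1 box; post #4: whether a LAN-gateway script fits a one-IP colo host). It is not code from the original posts or from Manfred Bartz's script above. It assumes, hypothetically, that the only interface is eth0 and that the data centre's resolvers are 192.0.2.53 and 192.0.2.54; the script name colo-firewall.sh is also made up. Unlike the gateway script it has no trusted LAN side, no forwarding or masquerading, no DHCP rule and no "accept all UDP above 1023" rule, so the only way in from outside is one of the listed TCP ports (`-l` is ipchains' short form of `--log`):

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from
# Manfred Bartz's script. ipchains rules for a single-IP colocated host
# (Linux 2.2 ipchains syntax): one interface, no LAN behind it, nothing
# reachable from outside except the TCP ports the poster listed.
# Hypothetical assumptions: outside interface eth0, resolvers NS1/NS2.

EXT_IF=${EXT_IF:-eth0}
OPEN_TCP=${OPEN_TCP:-"80 9090 22041 22031"}   # services reachable from the Internet
NS1=${NS1:-192.0.2.53}                         # hypothetical data-centre resolvers
NS2=${NS2:-192.0.2.54}
DRY_RUN=${DRY_RUN:-0}                          # DRY_RUN=1 prints the rules instead of loading them

# Run ipchains, or print the exact command line when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "ipchains $*"
    else
        ipchains "$@"
    fi
}

apply_rules() {
    # Policy DENY first, then flush: a failure further down fails closed.
    run -P input DENY
    run -F input
    run -P output ACCEPT
    run -F output
    # No LAN behind this host, so nothing is ever forwarded or masqueraded.
    run -P forward DENY
    run -F forward

    # Loopback is trusted.
    run -A input -i lo -j ACCEPT

    # Anti-spoofing: private and loopback source addresses have no business
    # arriving on the outside interface; log them, they are probes or bugs.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        run -A input -i "$EXT_IF" -s "$net" -j DENY -l
    done

    # The only inbound connections accepted: the listed TCP service ports.
    for port in $OPEN_TCP; do
        run -A input -i "$EXT_IF" -p tcp --dport "$port" -j ACCEPT
    done

    # Return traffic for connections this host opened. SYN-only packets are
    # excluded, so nobody can open a connection to any other port.
    run -A input -i "$EXT_IF" -p tcp ! --syn -j ACCEPT

    # DNS answers, only from the named resolvers and only to high ports.
    for ns in "$NS1" "$NS2"; do
        run -A input -i "$EXT_IF" -p udp -s "$ns" 53 -d 0/0 1024:65535 -j ACCEPT
    done

    # ICMP needed for error reporting and path-MTU discovery. echo-request
    # is left out, so the box does not answer pings.
    for t in echo-reply destination-unreachable time-exceeded parameter-problem; do
        run -A input -i "$EXT_IF" -p icmp --icmp-type "$t" -j ACCEPT
    done

    # Everything else is dropped and logged (the policy alone would not log).
    run -A input -j DENY -l
}

# Source address verification, so the kernel drops obviously spoofed packets.
enable_rp_filter() {
    [ "$DRY_RUN" = 1 ] && return 0
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        [ -w "$f" ] && echo 1 > "$f"
    done
}

# Usage:  sh colo-firewall.sh apply            (load the rules)
#         DRY_RUN=1 sh colo-firewall.sh apply  (print them instead)
case "$1" in
    apply) enable_rp_filter; apply_rules ;;
esac
```

Print the rules with DRY_RUN=1 and read them before loading anything, then run `netstat -tupan` to see what is actually listening; a scanner like the one used in post #4 should then report only the four ports. Two caveats: the list leaves no administrative port open unless your SSH daemon sits on one of the listed ports, so have console or KVM access at the data centre before loading this remotely; and Red Hat 7.1 ships a 2.4 kernel, where the ipchains compatibility module and iptables cannot be loaded at the same time, so use one or the other.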
Dev Shed Forums > Operating Systems > Linux Help