LinuxQuestions.org
Old 02-26-2011, 12:35 PM   #1
x201s
Member
 
Registered: Dec 2010
Posts: 67

Rep: Reputation: 0
IPTables- revisited


I have been learning these tricks recently, often the hard way. More often than not, I am locked out from accessing the remote server.

I have the following lines in my iptables. I think I need to add some ins and outs, because right now, I am allowing all outbound traffic.

I want to add a line somewhere that makes sure that I have ssh access (local access) even if I screw up things in the following lines.

I am using RHEL 5.6.

(1) What line, and where do I add? Gurus, please help.

Code:
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:FORWARD DROP [0:0]
:myFirewall_Input - [0:0]
-A INPUT -j myFirewall_Input


#### Output Chain add ###
:myFirewall_Output - [0:0]
-A OUTPUT -j myFirewall_Output 

#loopback
-A myFirewall_Input -i lo -j ACCEPT

#ping 
-A myFirewall_Input -p icmp --icmp-type 8 -s <IP> -j ACCEPT
-A myFirewall_Output -p icmp --icmp-type 8 -s <IP> -j ACCEPT


#ssh local only
-A myFirewall_Input -m tcp -p tcp -s <IP> --dport 22 -j ACCEPT
-A myFirewall_Input -m tcp -p tcp -s <IP> --dport 22 -j ACCEPT



#80 is ok from all
-A myFirewall_Input -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT


#outgoing is unrestricted
-A myFirewall_Output -m tcp -p tcp -s <IP> -j ACCEPT

(2) I do not know if I have things that are not necessary and/or things I'd better have considering security.

I mean, if I have this for ping:
-A myFirewall_Input -p icmp --icmp-type 8 -s <IP> -j ACCEPT
do I need this?
-A myFirewall_Output -p icmp --icmp-type 8 -s <IP> -j ACCEPT

same for the ssh.

(3) I want to define a variable for IP and use that variable throughout. Currently, I am using real numbers for <IP>

I want to define like:
hostIP = "nnn.nnn.nnn.nnn"
and later on, say,
-A myFirewall_Output -p icmp --icmp-type 8 -s $hostIP -j ACCEPT

Question (1) is very important for me -- I don't want to go to the server room every time I make a mistake. (3) is just for convenience, nice to have, but I can do w/o. (2) is in between.

Thank you for taking time to read.
 
Old 02-26-2011, 12:56 PM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
1) What is "local" access? You have your "ssh" part already, so you'd just add in the right source network for whatever suits "local", I guess. Actually you might be wanting a separate point of entry here, and so I'd suggest putting this outside of your "MyFirewall" chains; if you put the accept at the top of the INPUT chain then you have a nice logical separation from that and your experiments.

2) Well normally your OUTPUT policy would be a default ACCEPT, so is probably not required because of that.

3) that's not a question.. yes you can do that, it's just bash though, nothing to do with iptables itself.

Your firewall is, as I'm sure you'll appreciate, pretty crude. There's no connection tracking at all; you should really only be allowing NEW connections on these certain services, and from then on all existing connections.
 
Old 02-26-2011, 04:14 PM   #3
x201s
Member
 
Registered: Dec 2010
Posts: 67

Original Poster
Rep: Reputation: 0
(1) By local, I mean allow ssh only from within our LAN.
>I'd suggest putting this outside of your "MyFirewall" chains
yes, that's what I want to do, but
(a) where do I put it? just before :INPUT DROP [0:0]? or even before *filter?
(b) and how do I write it?
iptables -A INPUT -p tcp -s <local lan IP> --dport 22 -j ACCEPT?

(2) Yes, I have also read many times that outgoing defaults to ACCEPT, but our people here want to run a tighter ship, so I will be adding a lot of OUTPUT chains.
(3) since this is not a bash script, then I am out of luck?
(4) connection tracking: do you mean I add "-m state --state NEW" for ping, ssh (access through port 80 already has this string)?

Thank you for comments.
 
Old 02-26-2011, 04:27 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
ahh right, ok so literally the line before the INPUT that sends everything to your own chain. That format seems fine, it should be only for state NEW packets though.

I would think that filtering outbound access is generally pointless even in most "tighter ships". Presumably all outbound traffic will hit either a physical firewall or the INPUT on another box. Those are the places to filter.

ah, yeah, not possible there, but you can do things like use other chains to fire certain traffic at, and in them define that IP address minimal times, if that logic holds true.

checking the NEW state is half of it yes, the other half is then to permit ESTABLISHED and RELATED as a first rule in the INPUT chain, to quickly allow all traffic that you've previously allowed to be created.
 
Old 02-27-2011, 12:00 AM   #5
x201s
Member
 
Registered: Dec 2010
Posts: 67

Original Poster
Rep: Reputation: 0
Added:
-A INPUT -m state --state NEW -p tcp -s <local lan IP> --dport 22 -j ACCEPT
just after *filter. So far so good.

Yes, I do have
-A myFirewall_Input -m state --state ESTABLISHED -j ACCEPT, which I had forgotten to include in the first post.

Thanks again.
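As an added example (not the rules posted in this thread), the script below generates an iptables-restore file that puts the advice from posts #2 and #4 into practice: the LAN-only ssh rule and the ESTABLISHED,RELATED rule sit in INPUT before the jump into the custom chain, services accept only NEW connections, and the repeated address is a shell variable substituted at generation time, since the restore format itself has no variables. LAN_NET and HOST_IP are constructed placeholder values, not addresses from the thread.

```shell
#!/bin/sh
# Generates an iptables-restore ruleset (pipe gen_rules into iptables-restore).
# Layout follows the thread's advice: safety net and conntrack fast path first,
# then the jump into the chain you are free to experiment with.
# Constructed placeholders; override from the environment if you like.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
HOST_IP="${HOST_IP:-192.168.1.10}"

gen_rules() {
  # Shell expands ${LAN_NET}/${HOST_IP} here; iptables-restore sees literals.
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:myFirewall_Input - [0:0]
# Rules above the jump are the safety net: they still admit LAN ssh and
# already-tracked traffic no matter what goes wrong in myFirewall_Input.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -p tcp -s ${LAN_NET} --dport 22 -j ACCEPT
-A INPUT -j myFirewall_Input
# Experimental chain: only NEW connections need explicit rules here.
-A myFirewall_Input -m state --state NEW -p icmp --icmp-type 8 -s ${HOST_IP} -j ACCEPT
-A myFirewall_Input -m state --state NEW -p tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Line number (within gen_rules output) of the first line matching $1,
# or empty if no line matches.
rule_line() {
  gen_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Sanity check before loading: the ssh safety rule and the conntrack rule
# must come before the jump, otherwise a bad custom chain can lock you out.
check_order() {
  ssh=$(rule_line '--dport 22')
  est=$(rule_line 'ESTABLISHED,RELATED')
  jmp=$(rule_line '^-A INPUT -j myFirewall_Input')
  [ -n "$ssh" ] && [ -n "$est" ] && [ -n "$jmp" ] &&
    [ "$est" -lt "$jmp" ] && [ "$ssh" -lt "$jmp" ]
}
```

Run `gen_rules | check_order && gen_rules | iptables-restore --test` on a throwaway host first; `--test` parses without applying.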
 