In addition to what sag47 wrote in his web log post about using 'iptables-restore', note that you can also easily test a temporary rule set and revert to the earlier state after a period of time.
First make a backup before making changes to the current rule set:
Code:
# 0027 keeps the saved rule set from being world-readable
umask 0027
iptables-save > /etc/sysconfig/iptables.backup
Now modify your rule set and before you reload it execute this:
Code:
# at(1) reads the command from stdin and hands it to atd, which runs it
# even if your own session has been cut off by the new rules
echo "/sbin/iptables-restore < /etc/sysconfig/iptables.backup"|/usr/bin/at now + 5 minutes
which will restore your previously saved rule set in 5 minutes.
*On the subject of testing: the easiest way to test a rule set is to watch counters and intersperse your rule set with "-j LOG" rules before any jumps. That way you can see what hits the filter (or not).
As for the "best practices" I agree: apart from iptables-specific best practices (see frozentux), a firewall comprises more than "plain" blocking of ports (source and state filters, rate limiting, ipset buckets, to name a few) and therefore should be based not only on what services a machine provides but, more than that, on what your hardening regime dictates in terms of network policies, access restrictions, auditing rules, etc., etc.
**More detailed questions are welcome, but note that this starts with you posting more detailed information.
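The two ideas in the post above (a timed revert via at(1), and "-j LOG" rules interspersed before every jump) as one worked script. This is an added example, not code from the post or from sag47's write-up: the function names, the BACKUP variable and the constructed sample rule set are mine; the backup path is the one used in the post. The at-based functions assume a running atd and root, so only the text-processing helpers are exercised at the bottom.

```shell
#!/bin/sh
# Added example: timed revert of an iptables rule set plus a helper that
# inserts a LOG rule before every jump so you can see what hits the filter.
# Assumptions (not in the original post): atd is running, and the backup
# path is writable by root. Function names and sample data are made up here.

BACKUP=${BACKUP:-/etc/sysconfig/iptables.backup}

# at(1) reports "job N at <date>"; pull out N so the revert can be cancelled.
at_job_id() {
    sed -n 's/^job \([0-9][0-9]*\) at .*/\1/p'
}

# Save the live rule set (not world-readable) and queue a restore MINUTES
# from now. Prints the at job id. Needs root and a running atd.
schedule_revert() {
    minutes=${1:-5}
    umask 0027
    iptables-save > "$BACKUP"
    echo "/sbin/iptables-restore < $BACKUP" | at now + "$minutes" minutes 2>&1 | at_job_id
}

# Once you have confirmed you can still reach the box, drop the queued revert.
keep_new_rules() {
    atrm "$1"
}

# Read an iptables-save dump on stdin and emit, before every -A rule that
# jumps somewhere other than LOG, a LOG rule with the same match and a
# "<chain>:<target>:" prefix. Everything else passes through unchanged.
intersperse_log() {
    awk '
    /^-A / {
        target = ""
        for (i = 1; i <= NF; i++) if ($i == "-j") target = $(i + 1)
        if (target != "" && target != "LOG") {
            pfx = $0
            sub(/ -j .*/, "", pfx)
            printf "%s -j LOG --log-prefix \"%s:%s:\"\n", pfx, $2, target
        }
    }
    { print }'
}

# Constructed sample rule set in iptables-save format (made up for this example).
demo_ruleset() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 23 -j LOG --log-prefix "telnet:"' \
        '-A INPUT -p tcp -m tcp --dport 23 -j REJECT --reject-with icmp-port-unreachable' \
        'COMMIT'
}

# Show the instrumented rule set; feed the real thing with
#   iptables-save | intersperse_log | iptables-restore
demo_ruleset | intersperse_log
```

Typical use: `job=$(schedule_revert 5)`, load the instrumented rule set, watch `iptables -L -v -n` counters and the kernel log, then `keep_new_rules "$job"` if you are still connected; otherwise do nothing and the saved rules come back on their own.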