I've included a simple firewall script below. However, you should also consider restricting IP addresses for specific services through the configuration files in the /etc/xinetd.d/ directory.
For more info on iptables, Oskar Andreasson has written excellent documentation on the use of iptables, along with examples.
http://www.linuxsecurity.com/resourc...-tutorial.html
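#!/bin/sh
#
# firewall -- simple iptables host firewall, Red Hat init-script style.
#
# Usage: firewall (start|stop|restart|reload|status)
#
# Needs root: it loads kernel modules, writes /proc/sys/net/ipv4 knobs and
# replaces the filter-table rules.  Relies on /etc/rc.d/init.d/functions for
# the "action" helper, so it is Red Hat specific as written.

# Location of the iptables command.
IPTABLES="/sbin/iptables"

# Interface facing the untrusted network.  Replies to connections this host
# opened are accepted only on this interface.  Override from the environment
# (EXT_IF=eth1 ./firewall start); the default keeps the original eth0.
EXT_IF="${EXT_IF:-eth0}"

. /etc/rc.d/init.d/functions

# set_sysctl FILE VALUE
# Write VALUE into a /proc/sys knob.  A knob that is missing on this kernel
# is reported on stderr and skipped, so one absent file does not leave the
# rest of the rule set unloaded.
set_sysctl() {
  if [ -w "$1" ]; then
    echo "$2" > "$1"
  else
    echo "firewall: $1 not writable, skipped" >&2
  fi
}

# Flush every filter-table chain and open the host (INPUT/OUTPUT ACCEPT).
# FORWARD stays DROP so that stopping the firewall never silently turns the
# box into a router.
fw_stop() {
  action "Shutting down firewall:" echo
  $IPTABLES -F
  $IPTABLES -P INPUT ACCEPT
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -P FORWARD DROP
}

# Load modules, set the IPv4 stack knobs, then install the rule set.
fw_start() {
  action "Starting Firewall:" echo

  # Kernel modules -- normally auto-loaded on first use; loading them here
  # makes a failure visible at start time instead of at the first rule.
  # dmesg -n 1 keeps the module copyright banners off the console while
  # they load; dmesg -n 6 restores the console log level afterwards.
  dmesg -n 1
  /sbin/modprobe ip_tables
  /sbin/modprobe iptable_filter
  /sbin/modprobe ip_conntrack
  /sbin/modprobe ip_conntrack_ftp   # lets FTP data connections match RELATED
  dmesg -n 6

  # Start from empty chains.  Policies are set further down, after the
  # sysctls, in the same order as the original script.
  $IPTABLES -F INPUT
  $IPTABLES -F OUTPUT
  $IPTABLES -F FORWARD

  # IPv4 stack settings, values as in the original (tcp_syncookies and
  # ip_dynaddr were 1 there too).  ip_forward is switched on here, but the
  # FORWARD policy below is DROP, so nothing is routed until explicit
  # FORWARD rules are added.
  set_sysctl /proc/sys/net/ipv4/conf/all/rp_filter 2
  set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
  set_sysctl /proc/sys/net/ipv4/ip_forward 1
  set_sysctl /proc/sys/net/ipv4/conf/all/accept_source_route 0
  set_sysctl /proc/sys/net/ipv4/tcp_timestamps 0
  set_sysctl /proc/sys/net/ipv4/tcp_syncookies 1
  set_sysctl /proc/sys/net/ipv4/conf/all/accept_redirects 0
  set_sysctl /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
  set_sysctl /proc/sys/net/ipv4/ip_dynaddr 1
  set_sysctl /proc/sys/net/ipv4/conf/all/log_martians 1
  # Ephemeral (client-side) port range; this can be changed quite a bit.
  set_sysctl /proc/sys/net/ipv4/ip_local_port_range "55000 65000"
  # Shorter timeouts limit how long half-closed or idle state is held.
  set_sysctl /proc/sys/net/ipv4/tcp_fin_timeout 30
  set_sysctl /proc/sys/net/ipv4/tcp_keepalive_time 1800
  set_sysctl /proc/sys/net/ipv4/tcp_window_scaling 0
  set_sysctl /proc/sys/net/ipv4/tcp_sack 0

  # Default policies: anything inbound or forwarded that no rule below
  # accepts is dropped; outbound is open.
  $IPTABLES -P INPUT DROP
  $IPTABLES -P OUTPUT ACCEPT
  $IPTABLES -P FORWARD DROP

  # Basic rules.  The list is taken from
  # http://www.linux-mag.com/2000-01/bestdefense_02.html
  # NOTE: "-m unclean" is an old experimental match that many kernels do
  # not provide; on such a kernel those two rules fail to insert (iptables
  # prints an error) while the remaining rules still load.
  $IPTABLES -A INPUT -m unclean -j DROP
  $IPTABLES -A INPUT -m state --state INVALID -j DROP
  $IPTABLES -A FORWARD -m unclean -j DROP
  $IPTABLES -A FORWARD -m state --state INVALID -j DROP
  $IPTABLES -A INPUT -i lo -j ACCEPT
  # Replies to connections we opened, on the external interface only.
  $IPTABLES -A INPUT -i "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

  #--------------------------------------------------------------------
  # Site-specific permissions go below this line.
  #--------------------------------------------------------------------
  # Log and drop TELNET.  The LOG rule is rate-limited so a burst of
  # connection attempts to port 23 cannot fill the logs.
  $IPTABLES -A INPUT -p tcp --dport 23 -m limit --limit 5/minute \
    -j LOG --log-prefix "__TELNET__"
  $IPTABLES -A INPUT -p tcp --dport 23 -j DROP
  # Allow SSH from anywhere:
  # $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
  # Allow SSH from one address only (a CIDR range works the same way):
  # $IPTABLES -A INPUT -p tcp -s 10.50.1.99/32 --dport 22 -j ACCEPT
}

# Print the accepted actions on stderr.
usage() {
  echo "Usage: firewall (start|stop|restart|reload|status)" >&2
}

case "$1" in
  stop)
    fw_stop
    ;;
  status)
    echo "Status is not supported for firewall"
    ;;
  restart|reload)
    "$0" stop
    "$0" start
    ;;
  start)
    fw_start
    ;;
  *)
    usage
    exit 1
    ;;
esac
exit 0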