What is RH-Firewall?
It's a "user-defined" chain used by Red Hat's firewall. The default INPUT and, I believe, OUTPUT chains are dumped into the RH-FIREWALL chain, where the various filtering rules are found.
Also, if you have a mostly closed firewall, how can you allow only ssh? I've found one method that works, but it's a bit long-winded:
iptables -A INPUT -i eth0 -p TCP --dport 22 -j ACCEPT    # inbound to the ssh server
iptables -A OUTPUT -o eth0 -p TCP --sport 22 -j ACCEPT   # the server's replies
iptables -A OUTPUT -o eth0 -p TCP --sport 1024:65535 --dport 22 -j ACCEPT   # outbound ssh client from an ephemeral port
iptables -A INPUT -i eth0 -p TCP --dport 1024:65535 -j ACCEPT    # inbound to any ephemeral port (replies to the client)
I'm not a big fan of trying to do it that way. I like to take advantage of the state-tracking capability of iptables and use a rule that allows packets in the ESTABLISHED,RELATED states, which allows all the reply traffic without having to blindly open huge portions of the ephemeral port range (1024:65535). To keep the firewall strict, you only allow packets that match the NEW state for the ports that you want (like ssh). With the firewall configured that way, you will be allowing *all* reply traffic, but a host can only reply to something that made it through the rules allowing NEW connections. To tighten even further, you can use the ESTABLISHED,RELATED match on a port-by-port basis, like:
Code:
iptables -A OUTPUT -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
instead of just using:
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
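The stateful approach in the reply above, written out as a complete ruleset. This is an added example, not code from either poster: it generates an iptables-restore ruleset with DROP policies everywhere, trusts loopback, lets conntrack pass ESTABLISHED,RELATED traffic in both directions, and accepts NEW connections from outside only for ssh. The interface name eth0 and port 22 are assumptions taken from the question and can be overridden with the WAN_IF and SSH_PORT environment variables; without --apply the script only prints the ruleset, so it can be reviewed before loading it (loading requires root).

```sh
#!/bin/sh
# Added example (not from the original thread): a strict, stateful
# ruleset that allows only NEW inbound ssh and lets conntrack handle
# every reply, instead of opening 1024:65535.
#
#   ./strict-ssh.sh            # print the ruleset for review
#   ./strict-ssh.sh --apply    # load it with iptables-restore (root)

WAN_IF="${WAN_IF:-eth0}"      # assumption: external interface name
SSH_PORT="${SSH_PORT:-22}"    # assumption: sshd listens here

# Print the ruleset in iptables-restore format.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback is trusted.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Packets conntrack cannot place in any connection (stray ACKs, bad
# sequence numbers) are dropped before the ESTABLISHED rule can see them.
-A INPUT -m state --state INVALID -j DROP
# Reply traffic for connections that already passed a NEW rule. No
# ephemeral-port range is opened: conntrack knows which ports are in use.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# For the per-port variant from the reply, replace the OUTPUT line above
# with the ssh server's replies only:
#   -A OUTPUT -o $WAN_IF -p tcp --sport $SSH_PORT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The only NEW connection accepted from the outside: ssh. --syn rejects
# anything that is not a real TCP handshake opener.
-A INPUT -i $WAN_IF -p tcp --dport $SSH_PORT --syn -m state --state NEW -j ACCEPT
# NEW outbound connections this host itself may open (DNS, NTP, package
# updates) would be listed here; anything not listed is dropped by the
# OUTPUT policy.
COMMIT
EOF
}

# Sanity check used before applying: exactly one rule admits NEW
# connections on INPUT, and the ephemeral range is never opened.
new_input_rules() {
  gen_rules | grep -c -- '^-A INPUT .*--state NEW'
}

opens_ephemeral_range() {
  gen_rules | grep -q '1024:65535'
}

apply_rules() {
  if [ "$(new_input_rules)" != "1" ] || opens_ephemeral_range; then
    echo "refusing to apply: ruleset is not as strict as intended" >&2
    return 1
  fi
  gen_rules | iptables-restore
}

case "${1:-}" in
  --apply) apply_rules ;;
  *) gen_rules ;;
esac
```

On current kernels `-m state --state` is an alias for `-m conntrack --ctstate`; both work with this ruleset. Note that because OUTPUT also defaults to DROP, the host cannot open connections of its own until a NEW rule for that service is added; that is the strictness the reply describes, not an oversight.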