Типичная настройка iptables для WEB сервера
/etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Fri Nov 6 16:04:45 2015
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-MAIL — [0:0]
:fail2ban-SSH — [0:0]
:WEB — [0:0]
-A INPUT -p tcp -m multiport —dports 25,465,587,2525,110,995,143,993 -j fail2ban-MAIL
-A INPUT -p tcp -m tcp —dport 22 -j fail2ban-SSH
-A INPUT -p tcp -m tcp —dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp —dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport —dports 80,443 -j ACCEPT
-A INPUT -p tcp -m tcp —dport 21 -m conntrack —ctstate NEW -j ACCEPT
-A INPUT -p udp -m udp —dport 53 -j ACCEPT
-A INPUT -p tcp -m multiport —dports 25,465,587,2525 -j ACCEPT
-A INPUT -p tcp -m multiport —dports 110,995 -j ACCEPT
-A INPUT -p tcp -m multiport —dports 143,993 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp —sport 20 -j ACCEPT
-A INPUT -p tcp -m tcp —sport 21 -j ACCEPT
-A INPUT -p tcp -m tcp —sport 22 -j ACCEPT
-A INPUT -p tcp -m tcp —sport 25 -j ACCEPT
-A INPUT -p udp -m udp —sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp —sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp —sport 443 -j ACCEPT
-A INPUT -p tcp -m tcp —sport 110 -j ACCEPT
-A INPUT -p udp -m udp —sport 123 -j ACCEPT
-A INPUT -p tcp -m tcp —sport 143 -j ACCEPT
-A INPUT -p tcp -m tcp —sport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp —sport 8080 -j ACCEPT
-A INPUT -p tcp -m state —state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j REJECT —reject-with icmp-host-prohibited
-A fail2ban-MAIL -j RETURN
-A fail2ban-SSH -j RETURN
-A fail2ban-WEB -j RETURN
COMMIT
# Completed on Fri Nov 6 16:04:45 2015