The system firewall is based on iptables. Please read about iptables on the Netfilter page.
In general your system firewall is configured like this (output of the status command, which lists the filter table the way `iptables -L -n --line-numbers` does):
/etc/init.d/iptables status
Table: filter
Chain INPUT (policy DROP)
num  target      prot opt source      destination
1    ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0
2    syn_flood   tcp  --  0.0.0.0/0   0.0.0.0/0   tcp flags:0x17/0x02
3    allow_icmp  all  --  0.0.0.0/0   0.0.0.0/0
4    syn_protect all  --  0.0.0.0/0   0.0.0.0/0
5    ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
6    ACCEPT      tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:20 state NEW
7    ACCEPT      tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:22 state NEW

Chain FORWARD (policy DROP)
num  target      prot opt source      destination
1    ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
num  target      prot opt source      destination
1    ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0
2    ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0   state NEW,RELATED,ESTABLISHED

Chain allow_icmp (1 references)
num  target      prot opt source      destination
1    ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   icmp type 8

Chain syn_flood (1 references)
num  target      prot opt source      destination
1    RETURN      all  --  0.0.0.0/0   0.0.0.0/0   limit: avg 16/sec burst 32
2    DROP        all  --  0.0.0.0/0   0.0.0.0/0

Chain syn_protect (1 references)
num  target      prot opt source      destination
1    DROP        tcp  --  0.0.0.0/0   0.0.0.0/0   tcp flags:!0x17/0x02 state NEW
To allow access to HTTP (port 80/tcp) from anywhere run:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m state --state NEW
The same for HTTPS (port 443/tcp):
iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m state --state NEW
To allow your service(s) access to HTTP (port 80/tcp) at 1.1.1.1 run:
iptables -A OUTPUT -p tcp --dport 80 -d 1.1.1.1 -j ACCEPT -m state --state NEW
To allow all outgoing ESTABLISHED,RELATED traffic (replies to connections that are already open) run:
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
Note that -A appends the rule at the end of the chain, after the rules shown above, and that rules added this way only live in the kernel until the next reboot. To store the rules run:
service iptables save
To check/show the status:
/etc/init.d/iptables status
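After opening ports it is worth checking what the listing actually exposes. The following audit helper is an added example and not part of the original page: it parses the textual listing produced by the status command (the `iptables -L -n --line-numbers` format shown above), reports the default policy of each built-in chain, lists the TCP/UDP ports that ACCEPT connections from any source, and flags rules that ACCEPT everything with no visible match. The sample listing embedded in the script is constructed from the page's INPUT, FORWARD and OUTPUT chains with the HTTP rule from the how-to appended; the function names are my own.

```python
"""Audit helper for an `iptables -L -n --line-numbers` style listing.

Added example, not from the original page. Parses the chain/rule table,
summarises chain policies, open inbound ports and unconditional ACCEPTs.
"""
import re
from dataclasses import dataclass

# Constructed sample listing: the page's chains plus the appended port 80 rule.
SAMPLE_STATUS = """\
Table: filter
Chain INPUT (policy DROP)
num  target      prot opt source      destination
1    ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0
2    syn_flood   tcp  --  0.0.0.0/0   0.0.0.0/0   tcp flags:0x17/0x02
3    allow_icmp  all  --  0.0.0.0/0   0.0.0.0/0
4    syn_protect all  --  0.0.0.0/0   0.0.0.0/0
5    ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
6    ACCEPT      tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:20 state NEW
7    ACCEPT      tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:22 state NEW
8    ACCEPT      tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:80 state NEW

Chain FORWARD (policy DROP)
num  target      prot opt source      destination
1    ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
num  target      prot opt source      destination
1    ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0
2    ACCEPT      all  --  0.0.0.0/0   0.0.0.0/0   state NEW,RELATED,ESTABLISHED

Chain allow_icmp (1 references)
num  target      prot opt source      destination
1    ACCEPT      icmp --  0.0.0.0/0   0.0.0.0/0   icmp type 8
"""


@dataclass
class Rule:
    num: int
    target: str
    prot: str
    source: str
    destination: str
    extra: str  # trailing match text, e.g. "tcp dpt:22 state NEW"


# "Chain INPUT (policy DROP)" or "Chain allow_icmp (1 references)"
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)$")
# num target prot opt source destination [extra matches]
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")
PORT_RE = re.compile(r"\bdpt:(\d+)\b")


def parse_status(text):
    """Return {chain_name: {"policy": str | None, "rules": [Rule, ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        m = RULE_RE.match(line)
        if m and current is not None:  # header lines start with "num", not a digit
            num, target, prot, _opt, src, dst, extra = m.groups()
            chains[current]["rules"].append(
                Rule(int(num), target, prot, src, dst, extra.strip()))
    return chains


def open_ports(chains, chain="INPUT"):
    """(proto, port) pairs that ACCEPT traffic to a port from any source."""
    found = []
    for r in chains.get(chain, {"rules": []})["rules"]:
        if r.target != "ACCEPT" or r.source != "0.0.0.0/0":
            continue
        m = PORT_RE.search(r.extra)
        if m:
            found.append((r.prot, int(m.group(1))))
    return found


def unconditional_accepts(chains, chain="INPUT"):
    """Rule numbers that ACCEPT all protocols from anywhere with no visible match.

    `-L -n` does not print interface matches, so such a rule is often `-i lo`;
    confirm with `iptables -L INPUT -v -n --line-numbers` before trusting it.
    """
    return [r.num for r in chains.get(chain, {"rules": []})["rules"]
            if r.target == "ACCEPT" and r.prot == "all"
            and r.source == "0.0.0.0/0" and r.destination == "0.0.0.0/0"
            and not r.extra]


def audit(text):
    """Summarise the listing: built-in chain policies, open ports, rules to verify."""
    chains = parse_status(text)
    builtin = ("INPUT", "FORWARD", "OUTPUT")
    return {
        "policies": {c: chains[c]["policy"] for c in builtin if c in chains},
        "open_inbound": open_ports(chains, "INPUT"),
        "check_interface": unconditional_accepts(chains, "INPUT"),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_STATUS).items():
        print(f"{key}: {value}")
```

To audit a live host, pipe the real listing in instead of the sample, e.g. `iptables -L -n --line-numbers | python3 audit.py` with `audit(sys.stdin.read())`. On the sample the report shows DROP policies on all three built-in chains, ports 20, 22 and 80 open to any source, and INPUT rule 1 marked for interface verification, since the plain listing cannot tell an accept-all rule from a loopback rule.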