RHCSA7 Notes

RHCSA7 Study Notes
These are just some notes I jotted down the last time I was studying for the Red Hat Certified 
System Administrator (RHCSA) VERSION 7 certification. These notes were made BEFORE I took the test 
and are NOT a "brain dump" of any kind. If you want to use these, be aware that I do not 
guarantee these notes in any way, so use them at your own risk.

What I decided to do was to copy the exam objectives from the Red Hat site, and add to each
one a "battle plan" of how I intended to attack that particular objective. Then I practiced a lot
on a machine at home, until I was able to complete everything in under two hours. Pretty easy
stuff. Just keep in mind that every single little thing you do on the exam awards points, and the more points you get, the more likely you are to pass. So even if you don't complete a task, do every part of it that you can and collect the points. 

System Configuration and Management

Route IP traffic and create static routes

At the command-line, use something like this example:

route add -net netmask gw eth0
route add -net netmask eth0 

Test it. If it works, then make it persistant!
For persistent changes edit /etc/sysconfig/network-scripts/route-device:

echo " via dev eth0" >> /etc/sysconfig/network-scripts/route-eth0
echo " dev eth0" >> /etc/sysconfig/network-scripts/route-eth0

You can activate the routes with the following command:

/etc/sysconfig/network-scripts/ifup-routes eth0

Review with:   netstat -rn

Use iptables to implement packet filtering and configure network address translation (NAT)

Install and use "system-config-network-tui" to create the basic "/etc/sysconfig/iptables" file, then edit the file with vi.


man iptables 

iptables -I INPUT -s -p tcp --dport 22 -j ACCEPT

-I         insert (Can include a rule number, for example "-I 4" which means "insert as 4th rule")
-A         append
-D         delete     (include rule number)
-m         Specify a module to use (ex: Use "-m multiport" to specify multiple ports)
-s         source
-d         destination
--dport    destination port
--sport    source port
-j         jump to target (ACCEPT, DENY, DROP)

The last rule should be (to reject all others):
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited

Block a host:
iptables -I INPUT -p tcp --dport 80 -s -j REJECT

Block a subnet:
iptables -I INPUT -p tcp -s -j REJECT

Accept reply packets:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Accept anything on the loopback interface:
iptables -i lo -j ACCEPT


Allow the gateway to forward IP packets by modifying /etc/sysctl.conf

     net.ipv4.ip_forward = 0 
     net.ipv4.ip_forward = 1
Then execute:     sysctl -p


iptables -t nat -I POSTROUTING -o eth1 -j MASQUERADE
iptables -I FORWARD -i eth1 -o eth1 -j ACCEPT -m comment --comment "accept everything on the way out"

iptables -I FORWARD -o eth1 -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT -m comment --comment "accept related or established on the way back"


Forward all incomming tcp traffic on port 8800 to port 80:

iptables -t nat -I PREROUTING -p tcp --dport 8800 -j DNAT -to

Use /proc/sys and sysctl to modify and set kernel run-time parameters

List: sysctl -a | grep key

Configure /etc/sysctl.conf, add the values you want, save the file,
then apply the configuration with:
  sysctl –p

To change a setting temporarily:
 sysctl net.ipv4.ip_forward=1
 echo 1 > /proc/sys/net/ipv4/ip_forward

Configure system to authenticate using Kerberos

Use the GUI:  
  1. Connect to the LDAP server, instructor.example.com, using the distinguished name (DN) of dc=example,dc=com for account information.
  2. The LDAP server requires secure connections using the certificate found at ftp://instructor.example.com/pub/EXAMPLE-CA-CERT.
  3. The LDAP server provides an account named ldapuserX.
  4. Use Kerberos passwords with a realm EXAMPLE.COM for authentication.
  5. Set the KDC and Admin servers to instructor.example.com.
  6. The accounts have a password of kerberos.
  7. For the system-config-authentication GUI, choose LDAP in the User Account Database drop-down menu.
  8. Change the LDAP server to ldap://instructor.example.com.
  9. Select Use TLS To Encrypt Connections.
  10. Click on the Download CA Certificate... button and enter ftp://instructor/pub/EXAMPLE-CA-CERT.
  11. Change the KDCs and Admin Servers to instructor.example.com.
  12. Leave the other settings as they are and click Apply.

Configure a system as an iSCSI initiator that persistently mounts an iSCSI target

The iSCSI target will be on my server named server1.example.com (

yum -y groupinstall 'iSCSI Storage Client'
yum -y install iscsi-initiator-utilities

Start the target daemon and set it to start on boot

service iscsi start ; chkconfig iscsi on

Find the targets with:

iscsiadm -m discovery -t st -p

which is the same as:

iscsiadm --mode discovery --type sendtargets --portal --discover

Then log into the target:

iscsiadm --mode node --targetname iqn.2001-05.com.example:test --portal --login
service iscsi restart
fdisk -cul

Add the target information to /etc/fstab to make it persistent across reboots. Mount by UUID in case the device name changes between reboots.

Use the "blkid" command to get the UUID of the iSCSI disk. For example:
# blkid
/dev/sda1: UUID="f5e599d4-58e3-4352-8ed5-cba58c6670f0" TYPE="ext3"
/dev/sda2: UUID="UAghAU-hd4t-Mlq1-lIR5-V70T-wZFD-vS5dOs" TYPE="LVM2_member" 

Then in /etc/fstab:

UUID=54e1bd41-68d0-4804-94f8-1b255e53a88d    /iscsi    ext4    _netdev    0 0

FIREWALL: Since the client server will initiate this connection with the iSCSI host server, the firewall won't need a specific rule. All the packets will be "established,related".

SELINUX: Nothing that I can think of.

Produce and deliver reports on system utilization (processor, memory, disk, and network)

Use the "sar" command. This command has a large number of flags that can be combined. 

If you want to get everything, use:
sar -A
In order to get processor utilization statistics use:  (the first cpu is 0)

sar  or  sar -P cpunumber   or   sar -u ALL

In order to get memory usage statistics, use:
sar -rR
To get swap usage statistics, use:

sar -S
Arguably paging usage statistics are part of the memory, so:

sar -B
Get disk usage statistics with:

sar -b   or   sar -d  or even  sar -dp

Network usage statistics can be obtained with:

sar -n DEV    and    sar -n EDEVNote: There are over 15 different keyworks, (e.g. ICMP, EICMP,TCP, ETCP, etc) and you can normally add an E to the keyword to get the error statistics.

Run daily via cron for reports...For example, in /etc/cron.d/sysstat:
# run system activity accounting tool every 10 minutes
*/10 * * * * root /usr/lib64/sa/sa1 1 1
# generate a daily summary of process accounting at 23:53
53 23 * * * root /usr/lib64/sa/sa2 -A

Use shell scripting to automate system maintenance tasks
You will probably have to write some type of simple script that will produce the result requested in the exam objective. Could be anything. You better freshen up on basic BASH scripting skills.

Configure a system to log to a remote system
Add the following line to the end of /etc/rsyslog.conf:
*.*    @

The above example assumes that you want to log everything to a server on on port 514. 

Also…     @@ = TCP     @=UDP

and the default is UDP! Pay attention or the logging server won't get any messages. It won't hurt to configure the server to listen on both TCP & UDP sockets.

You can also log by category.priority (e.g. mail, cron, authentication, etc) 

Facilities: auth,authpriv,cron,daemon,kern,lpr,mail,mark,news,syslog,user,uucp,local0,local1,local2,local3,local4,local5,local6,local7
Priorities: debug,info,notice,warning,err,crit,alert,emerg

To log authentication (all priorities) to the same server:
authpriv.*       @@

Restart the logging daemon:
service rsyslog restart

You can test that the system is logging to the remote server with:
logger -p category.priority "remote logger"

FIREWALL: Packets will be "established,related"

Configure a system to accept logging from a remote system

Edit /etc/rsyslog.conf

Uncomment these lines to activate TCP remote logging

#$ModLoad imtcp.so
#$InputTCPServerRun 514

Update the firewall configuration:

iptables -I INPUT -p tcp --dport 514 -j ACCEPT; service iptables save

Restart the logging daemon:

service rsyslog restart

NOTE: You can use UDP instead of, or as well as, TCP.     man rsyslog 

FIREWALL: Open port 514 tcp/udp, maybe restrict by host or subnet

Network Services

Install the packages needed to provide the service

man yum
man 5 yum.conf

Learn how to use the yum command:

yum clean all
yum -y install packagename
yum remove packagename
yum list 
yum info packagename
yum groupinstall "Group Name"
yum groupinfo "Group Name"
yum repolist
yum localinstall package-ver-arch.rpm

Yum needs a repository from which to retrieve packages. Since the classroom has no internet access, you can assume the repository server is the instructors machine. You should be provided the basic info about the repository, so all you should need to do is create the yum.repo file on your host:

Add the following to the bottom of the /etc/yum.conf file (OR create a new file called /etc/yum.repos.d/myrepo.conf and add this to it):

name=Some name for this repository

Configure SELinux to support the service

Remember the SELINUX basics and how to use the various utilities...

yum -y install policycoreutils policycoreutils-python 
# getsebool -a | grep ssh
allow_ssh_keysign --> off
sftpd_write_ssh_home --> off
ssh_sysadm_login --> off
# setsebool -P allow_ssh_keysign [on|1] or [off|0]

When troubleshooting,  look for SELinux messages in the audit log:      /var/log/audit/audit.log

In order to address policy violations, you will need:      yum install policycoreutils-python policycoreutils-gui setools-console

View selinux context of files and processes with: 
ls -lZ
ps -AZ

Set selinux to enforcing:  setenforce 1
Set selinux to permissive:  setenforce 0
(Disabling SELinux is not recommended, and requires a reboot.)
See current state:  getenforce

To set mode for selinux persistent across reboots, edit /etc/selinux/config. Look for the line that starts with "SELINUX = ". Change the value shown to the value "enforcing". Save the file. You will have to reboot the system to test this!

Restore default context from currently loaded policy:   restorecon -RFvv filename

To permanently change the systems SELINUX policy:  semanage fcontext -a -t samba_share_t '/ALPHA(/.*)?'
This is so when you change the context of a file or directory, the change survives a reboot.


       # View SELinux user mappings
       $ semanage user -l
       # Allow joe to login as staff_u
       $ semanage login -a -s staff_u joe
       # Add file-context for everything under /web (used by restorecon)
       $ semanage fcontext -a -t httpd_sys_content_t "/web(/.*)?"
       # Allow Apache to listen on port 81
       $ semanage port -a -t http_port_t -p tcp 81
       # List all the ports 
       $ semanage port -l

man 1 sesearch   (sesearch allows the user to query a SELinux policy for type enforcement rules.)
man httpd_selinux  (most SELinux protected services have a name_selinux page)

Configure the service to start when the system is booted

chkconfig servicename [on|off]
chkconfig servicename --list   <--If you don't specify a service name, it will list all services installed

example:  chkconfig httpd --list

Configure the service for basic operation

Config files are usually in /etc or in a subdirectory of /etc named after the servicename (for example /etc/ssh/)
Use vi to edit these files. Learn how to open a file, change it, and then save it. Also learn how to close the file without saving changes (in case you mess up)
Remember which config files configure which service.

Configure host-based and user-based security for the service

IPTables or TCPWrappers: Doesn't matter which one you use, as long as the service is secured.
  • iptables
    • Config file is /etc/sysconfig/iptables
    • Learn the basic iptables commands
    • chkconfig iptables on ; service iptables start
    • man iptables
  • tcpwrappers
    • /etc/hosts.allow
    • /etc/hosts.deny
    • Remember that portmap is protected by tcpwrappers!
To verify if any program was compiled with TCP Wrappers support, run the following command (the following example is used on the ssh daemon):

  ldd /usr/sbin/sshd |grep libwrap
     libwrap.so.0 => /lib/libwrap.so.0 (0x0ffd6000)  <-- This output means yes

If we see in the result the libwrap library, then it means that the daemon was build with TCP Wrappers support.


If httpd is not installed:
yum -y install httpd

Set the correct SELinux booleans. Get the list with: getsebool -a | grep httpd
Use httpd_sys_content_t context for files.
Use http_port_t context for ports.

iptables -I INPUT -p tcp --dport 80 -j ACCEPT  <-- Unblock port 80 at the firewall
service iptables restart   <-- Always restart the firewall service after making changes
chkconfig httpd on    <-- Must be persistent across reboots
service httpd start

Configure a virtual host

At the bottom of the file /etc/httpd/conf/httpd.conf:

NameVirtualHost *:80
<VirtualHost *:80>
ServerName docs.example.com
DocumentRoot /var/www/virtual/docs
<VirtualHost *:80>
ServerName www.example.com
DocumentRoot /var/www/virtual/www

Add an entry for each virtual host on the server. The first one listed is the one that handles all generic requests.


Configure private directories

I figure you're either going to restrict access by looking at the source of the access request, or by requiring a userid/password combination.

This makes the server require a userid/password for access:

Configure /etc/httpd/conf/httpd.conf:

<Directory "/var/www/html/private">
        Options Indexes FollowSymLinks
        AuthType basic
        AuthName “private rhel1″
        AuthUserFile /etc/httpd/.rhel1_priv_user
        Require valid-user
        Order deny,allow
        Deny from all

Create a user/password file:

htpasswd -c /etc/httpd/.rhel1_priv_user user1  # This creates the file and adds user1
htpasswd /etc/httpd/.rhel1_priv_user user2     # This adds user2 to the existing file

If you need to look at the docs for this:
yum -y install httpd-manual elinks
cd /var/www/html/manual/
links auth.html

If you want to restrict access to a web directory based on the clients IP address, hostname or subnet:

<Directory /var/www/html/restricted/>
Order allow,deny
Allow from goomba.example.com
Allow from
Allow from
Allow from 127

Deploy a basic CGI application

vi /etc/httpd/conf/httpd.conf

In the Directory statement, change "Options None" to "Options ExecCGI":

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all

Uncomment this line:

AddHandler cgi-script .cgi

Hopefully, you will be provided a CGI application to put in place. If not, create one like this:

Create  /var/www/cgi-bin/hello.cgi, with content similar to:

print "Content-Type: text/plain", "\n\n";
print "Hello World in Perl", "\n";

Save the file to /var/www/cgi-bin, and set the correct permissions:
chown apache:apache /var/www/cgi-bin/hello.cgi
chmod 755 /var/www/cgi-bin/hello.cgi

Hopefully, you'll be able to see the output when you surf to: http://yourserver.example.com/cgi-bin/hello.cgi

Configure group-managed content

What this means to me is a directory shared among a group of users where everyone in the group can access existing files and create new ones. 

groupadd webdesigners

usermod -a -G webdesigners user1
usermod -a -G webdesigners user2
usermod -a -G webdesigners user3

mkdir /var/www/html/site1

chgrp webdesigners /var/www/html/site1

chmod 775 /var/www/html/site1
chmod g+s /var/www/html/site1

Configure a caching-only name server

yum install bind bind-chroot
iptables -A INPUT -m state -state NEW -m tcp -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -m state -state NEW -m udp -p udp --dport 53 -j ACCEPT

# grep " 53/tcp" /etc/services
domain          53/tcp                          # name-domain server

Edit /etc/named.conf:

listen-on port 53 { any; };
allow-query   { any; };

Also, disable DNSSec settings:

dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;

Save the config file.

And as always:

chkconfig named on

Add iptables rules:

iptables -I INPUT -p udp --dport 53 -j ACCEPT 
iptables -I INPUT -p tcp --dport 53 -j ACCEPT
service iptables save

Start the named service:

service named start

Configure a caching-only name server to forward DNS queries

Add the following configuration items to /etc/named.conf:

forwarders      {; };
forward only;

(Insert your own DNS IP address. Careful with the semi-colons)
Note: Candidates are not expected to configure master or slave name serversIn RHEL 5 we installed the package "caching-nameserver". In RHEL 6, it's included in the bind package. So you just install bind and bind-utils packages.

Configure anonymous-only download

Install the packages:
yum -y install vsftpd ftp
service vsftpd start
chkconfig vsftpd on
iptables -I INPUT -m multiport -p tcp --dport 20:21 -j ACCEPT
iptables-save > /etc/sysconfig/iptables

Test the configuration by using an ftp client to ftp to your host and log in as "anonymous".

The ip_conntrack_ftp module is needed for passive mode to work properly:
modprobe ip_conntrack_ftp; service vsftpd restart

If you need to go to where the modules are kept, the location is: /lib/modules/2.6.18-286.el5/kernel/net/ipv4/netfilter/

This will create the init script to load the module on reboot:
echo '#!/bin/bash
exec /sbin/modprobe ip_conntrack_ftp >/dev/null 2>&1
' >  /etc/sysconfig/modules/ip_conntrack_ftp.modules
chmod +x  /etc/sysconfig/modules/ip_conntrack_ftp.modules

Look in /etc/vsftpd/vsftpd.conf and make sure these settings are as follows:

If local users are going to be allowed to ftp in, then make SELinux happy:

getsebool -a | grep ftpd
setsebool -P ftp_home_dir 1

Usually, SELinux and IPTables will cause the most trouble with this. Pay attention to what ports you open in the firewall.

Provide network shares to specific clients

yum -y install nfs-utils
chkconfig nfs on
chkconfig nfslock on

Configure static lockd, statd, mountd, rquotad static ports in /etc/sysconfig/nfs

Open those ports, and the port for the portmapper and the nfs demon, in the firewall:

iptables -I INPUT -p tcp --dport 2049 -j ACCEPT
iptables -I INPUT -p udp --dport 2049 -j ACCEPT
iptables -I INPUT -p tcp --dport 111 -j ACCEPT
iptables -I INPUT -p udp --dport 111 -j ACCEPT
iptables -I INPUT -m multiport --dport 4001:4005 -j ACCEPT

Define the network share in /etc/exports, restrict which host, IP or network can access the share. 
For example:

   /thedir      *.example.com(rw,sync)
   /pub         *(ro,sync) host1.example.com(rw,sync)

Start the service:

service nfs start

After any time a change is made to /etc/exports:

exportfs -rav ;  service nfs restart
showmount -e

Provide network shares suitable for group collaboration

mkdir /groupdir
chmod 4755 /groupdir
echo "/groupdir     *(rw,sync)" >> /etc/exports

Edit the file /etc/sysconfig/nfs and define static ports for nfs to use
service nfs restart
exportfs -ra
showmount -e

Don't forget to declare portmap in /etc/hosts.allow if using tcpwrappers!

If using IPTABLES, define static ports in /etc/sysconfig/nfs, and then:

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 4001:4005 -j ACCEPTiptables -A INPUT -m state --state NEW -m udp -p udp --dport 4001:4005 -j ACCEPTiptables -A INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPTiptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT

Provide network shares to specific clients

Configuration file is: /etc/samba/smb.conf 
Install samba on the server:

yum -y install samba

(optional) For testing, install samba on the client:     yum -y install samba-client

Open the firewall for ports 139 (netbios-ssn) & 445 (microsoft-ds):

iptables -I INPUT -m multiport -p tcp --dport 139,445 -j ACCEPT

service iptables save
service iptables restart

Make sure that samba starts with the system:

chkconfig smb on
chkconfig nmb on

There are a few SELinux settings related to samba(default settings):

# getsebool -a | grep samba
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
use_samba_home_dirs --> off
virt_use_samba --> off

Note: There are bits of information regarding SELinux context noted in the samba config file.

You can now start samba with:
service smb start; service nmb start
If you want to create a share called ALPHA to all clients in your network, you'll need to edit /etc/samba/smb.conf like in this example:

        comment=A share for me
        path = /ALPHA
        browseable = yes
        writable = no
        valid users=user1
        hosts allow = 192.168.1.
        hosts deny =

This share will be available to all hosts in, except for 33 and also to

Don't forget to restart the services after any change to /etc/samba/smb.conf:

service smb restart ; service nmb restart

To test if it's working:

smbclient --list --user=user1

At this point, it probably doesn't work, and it's because of selinux...

Set the following SELinux setting to allow to list the files:
setsebool -P samba_export_all_ro 1
and if you want to set the share as writable, you'll also need this:
setsebool -P samba_export_all_rw 1
Remember to change the security context type of your shared directory, in my case:
chcon -t samba_share_t /ALPHA

Better make it persistent across reboots:

semanage fcontext -a -t samba_share_t '/ALPHA(/.*)?'
restorecon -RFvv /ALPHA

NOTE: semanage is part of the policycoreutils-python package.

You need to add the server user "user1" as a samba user user1:

smbpasswd -a user1
You can now,assuming that your server is, finally, mount the share with (you might need to install cifs-utils):

mount -t cifs -o username=user1,passwd=redhat // /alpha

You can also add an entry to /etc/fstab so it mounts at boot time (filesystem type is always cifs):

//     /alpha     cifs     credentials=/home/user1/.credentials     0 0

Then create a file called /home/user1/.credentials and put the userid and password to use when mounting the CIFS share:

echo -e "username=user1\password=redhat\n" > /home/user1/.credentials
chmod 0700 /home/user1/.credentials 
chown user1:webdesigners /home/user1/.credentials

Provide network shares suitable for group collaboration

Add a group called Users to my system and create a few users giving them the group Users as a supplemental group (e.g. useradd -G Users auser). 

Create a samba password for these users and then added the following to /etc/samba/smb.conf file:

    path = /myshareddirectory
    force group = +Users
    valid users = @Users myuser
    write list = @Users
    create mask = 0770
    force create mode =660

Set SELinux settings :

setsebool -P samba_export_all_ro 1
setsebool -P samba_export_all_rw 1

And the security context type:

semanage fcontext -a -t samba_share_t '/myshareddirectory(/.*)?'
restorecon -RFvv /myshareddirectory
Let's set ownerships and permissions:

chgrp Users /myshareddirectory/
chmod -R 770 /myshareddirectory/

You can now, assuming that your server is, finally, mount the share with (you might need to install cifs-utils):

mount.cifs // /test -o user=myuser

When you create a file now it should have rw permissions for both owner and group and thus files should be read and writeable for any users in the Users group.

-rw-rw----. 1 502 501 0 Jul  8 20:45 createdbyanotheruser
-rw-rw----. 1 501 501 0 Jul  8 21:02 createdbyauser

  • Configure a mail transfer agent (MTA) to accept inbound email from other systems
Postfix is normally installed by default. If it isn't:

yum -y install postfix mailx

iptables -I INPUT -p tcp --dport 25 -j ACCEPT ; service iptables save ; service iptables restart
SElinux setting (seems to be switched on by default):

# getsebool -a | grep postfix
allow_postfix_local_write_mail_spool --> on

Persistent across reboots and start:

chkconfig postfix on ; service postfix start

Edit the postfix configuration file (/etc/postfix/main.cf) and set/uncomment the following settings:

inet_interfaces = all
myhostname = server.example.com
mydomain = example.com
myorigin = $mydomain

Restart postfix and test
  • Configure an MTA to forward (relay) email through a smart host
Modify the following line in the postfix config file (/etc/postfix/main.cf), adding the ip address or hostname of the correct smarthost. For example:

relayhost =

This will relay emails to host


# getsebool -a | grep ssh
allow_ssh_keysign --> off
sftpd_write_ssh_home --> off
ssh_sysadm_login --> off


iptables -I INPUT -p tcp --dport 22 -j ACCEPT ; iptables-save ; service iptables restart

Configure key-based authentication
Configure /etc/ssh/sshd_config:

PubkeyAuthentication yes


ssh-copy-id -i ~/.ssh/id_dsa.pub myuser@host  <-- Sends the public key of "myuser" to "host"
ssh user@host

Configure additional options described in documentation
Look at the comments in /etc/ssh/sshd_config
Example of /etc/sysconfig/iptables

# Firewall configuration written by system-config-firewall   <-- (system-config-securitylevel-tui)
# Manual customization of this file is not recommended.
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW –s -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited