This is going to sound strange, but one of the best ways of learning IPtables is to have a local machine nearby and play with (graphical) firewall tools on it then examine what rulesets have been created as a result of experimentation. By having something close by, you have access to the console if the rules go wrong and lock you out.
The rules should be stored in /etc/sysconfig/iptables (or thereabouts).
I'd also say that many issues with rulesets are not about understanding how they work, but a lack of clarity about the final objectives. The rulesets merely set up a policy; by sitting down away from a computer and working out what that policy should look like (and a test plan accordingly), it's relatively easy to translate it into firewall rules.
In terms of your question, Radu - zony's ruleset ought to do the trick:
Code:
# Set the default policy of the INPUT chain to DROP
iptables -P INPUT DROP
## -- now override with specific "accept" rules:
## Accept incoming TCP connections from eth0 on port 20 and 21
iptables -A INPUT -i eth0 -p tcp --dport 20:21 -j ACCEPT
## Accept SSH connections
## (- although this could have been included above with 20:22)
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
## Accept incoming web connections
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
(by the way, I wouldn't leave 25 open - unless you're running a telnet honeypot)
Note that this will stop an IRCD server being installed (no open ports permitted to connect) but won't stop an IRCD bot working (no policy to block OUTPUT port connections), so you may want to consider that.
A strategy to prevent trojans being dropped and run in the /tmp dir is to create a separate /tmp slice and mount it with the NOEXEC option. Files will still be dropped in there, just that they can't run.
- Have you conducted any more research into how the server was compromised? I've got many different security measures in place to prevent this from happening (yes, it happened to me once).
Oh, and welcome to the forums!
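As an added example (not part of the post above, and not zony's ruleset), here is a small POSIX shell script that turns the policy described in this thread into an iptables-restore file: default DROP on INPUT, a list of allowed TCP ports on the public interface, plus the loopback and ESTABLISHED,RELATED rules a host needs so that its own outbound connections (DNS, package updates) still get replies. It also emits the fstab line for a separate noexec /tmp, and includes a timed rollback for applying the rules over SSH without locking yourself out. The interface name eth0 and the function names are assumptions; nothing is applied unless you call apply_ruleset as root.

```shell
#!/bin/sh
# Added example, not from the original post. Generates (does not apply) an
# iptables-restore ruleset for "default DROP, allow these TCP ports", plus a
# noexec /tmp fstab line. Assumptions: public interface is eth0 (as in the
# post), the conntrack match module is available, and iptables-restore exists.

IFACE="${IFACE:-eth0}"   # assumption: eth0 is the public-facing interface

# gen_ruleset PORT... -> iptables-restore text on stdout.
# PORT may be a single port (22) or a range (20:21); anything else is rejected
# so a bad value cannot smuggle extra rule text into the file.
gen_ruleset() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # default policy: drop unsolicited input
    printf '%s\n' ':FORWARD DROP [0:0]'    # this host is not a router
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'   # outbound left open, as in the post
    # Loopback traffic and replies to connections this host initiated.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9:]*) echo "gen_ruleset: bad port '$p'" >&2; return 1 ;;
        esac
        # Only NEW connections need the port rule; replies are handled above.
        printf '%s\n' "-A INPUT -i $IFACE -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# allows_port RULESET PORT -> exit 0 if RULESET has an ACCEPT rule whose
# --dport token is exactly PORT (a test-plan helper; a range like 20:21 is
# matched as written, not expanded).
allows_port() {
    printf '%s\n' "$1" | grep -q -- "--dport $2 .*-j ACCEPT"
}

# tmp_fstab_line -> fstab entry for a separate /tmp where nothing can execute.
# noexec stops dropped files from running; nosuid and nodev close the usual
# companions. Size is a constructed sample value.
tmp_fstab_line() {
    printf '%s\n' 'tmpfs  /tmp  tmpfs  defaults,noexec,nosuid,nodev,size=512M  0  0'
}

# apply_ruleset PORT... -> load the ruleset atomically, with an automatic
# rollback to the previous rules after 120 seconds. If the new rules lock you
# out, the old ones come back on their own; once you have confirmed access,
# cancel the rollback with: kill %1
apply_ruleset() {
    new=$(mktemp) && old=$(mktemp) || return 1
    gen_ruleset "$@" > "$new" || { rm -f "$new" "$old"; return 1; }
    iptables-save > "$old" || return 1
    iptables-restore < "$new" || return 1
    ( sleep 120 && iptables-restore < "$old" ) &
    echo "rollback scheduled in 120s (kill %1 to keep the new rules)"
}

# Usage: sh firewall.sh show 20:21 22 80 443   -> print the ruleset for review
case "${1:-}" in
    show)  shift; gen_ruleset "$@" ;;
    fstab) tmp_fstab_line ;;
esac
```

Review the output of `show` against the test plan from the thread before applying anything: every port you expect open should satisfy allows_port, and every port you expect closed (25, for example) should not.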