Iptables output and forward rules for webserver

Tags: iptables, web-server

For a CentOS web server that is not behind a firewall, I set up some Input chain iptables rules to open only port 80 from the internet, allow SSH only from my IPs, and so on. On this server there is only Apache serving HTTP requests (port 80).

But what about the Output chain? Is it good practice to allow only the same ports that are allowed by the Input chain?
Since Forward is not used, can I set its default policy to DROP?

Best Answer

Defaulting the Output chain to DROP without rules will stop all traffic from your server.

This link is to a very good guide on setting up iptables for SSH and HTTP, including the output chain. Basically, you need to make sure you allow the traffic from your machine on the ports you expect traffic from, in this case 22 and 80, plus any other services that might go out to the world (NTP, DNS, etc.).

http://www.thegeekstuff.com/2011/03/iptables-inbound-and-outbound-rules/
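The ruleset the answer describes, as an added example (not from the original post or the linked guide): all three chains default to DROP, replies to accepted connections are handled by a single ESTABLISHED,RELATED rule in each direction instead of per-port output rules, and only the connections the server itself must initiate (DNS, NTP) are opened outbound. The admin IPs, DNS and NTP addresses are assumed placeholders from the documentation ranges.

```shell
#!/bin/sh
# Added example: stateful INPUT/OUTPUT/FORWARD policy for a single CentOS
# web server running Apache on tcp/80, with SSH allowed from admin IPs only.
# Assumptions (not from the original post): admin IPs 203.0.113.10 and
# 203.0.113.11, DNS resolver 192.0.2.53, NTP server 192.0.2.123.
# IPT defaults to printing the commands so the ruleset can be reviewed
# without root; run with IPT=iptables (as root) to apply it.
IPT="${IPT:-echo iptables}"
ADMIN_IPS="203.0.113.10 203.0.113.11"
DNS_SERVER="192.0.2.53"
NTP_SERVER="192.0.2.123"

build_rules() {
    # Start from a clean slate, then set every chain to DROP by default.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP     # nothing is routed through this host
    $IPT -P OUTPUT DROP

    # Loopback is needed by local services (e.g. Apache reaching localhost).
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Stateful core: replies to accepted connections flow both ways, so the
    # OUTPUT chain needs no rule per inbound service (no --sport 22/80 rules).
    $IPT -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Inbound services: HTTP from anywhere, SSH only from the admin IPs.
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
    for ip in $ADMIN_IPS; do
        $IPT -A INPUT -p tcp -s "$ip" --dport 22 -m state --state NEW -j ACCEPT
    done

    # Outbound: only what the server itself must initiate (DNS, NTP).
    # Add the yum mirror (tcp/80 or tcp/443) here if updates are pulled directly.
    $IPT -A OUTPUT -p udp -d "$DNS_SERVER" --dport 53  -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -d "$DNS_SERVER" --dport 53  -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p udp -d "$NTP_SERVER" --dport 123 -m state --state NEW -j ACCEPT

    # Rate-limited logging of what the DROP policies catch, so a missing
    # outbound rule shows up in /var/log/messages instead of as a silent hang.
    $IPT -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "
}

build_rules
```

Because the OUTPUT policy is DROP, any service added later that opens its own connections (a mail relay, a monitoring agent) needs an explicit NEW rule, which is exactly what the LOG rule will reveal.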