# web: accept TCP to port 80 from anywhere
$ipchains -A input -p tcp --dport 80 -j ACCEPT
# ssh: accept TCP to port 22 only from your own address ($yourip)
$ipchains -A input -p tcp -s $yourip --dport 22 -j ACCEPT
The suggestion in the post above is incorrect, in that the port would still show as open when using certain port-scanning techniques, even though connecting to it would not be trivial (but it would be possible if the attacker had root access to a box on your Ethernet segment, which is not too uncommon at hosting facilities).
As a side note, I always start SSH on some obscure port, such as 64321, in addition to limiting access to it. Automatic scanning usually won't scan ports that high.
BTW, did you remember to upgrade your sshd, ssh, OpenSSL, Apache and PHP?
If a service is listening on a port, it can show as open to a port scan regardless of how the firewall is blocking it. If the firewall blocks it totally, then it won't show as open, but that won't do any good because no one will be able to access it.
I agree that setting a default policy of deny and then opening up the access that you want is better practice, but personally I do it both ways on different servers. Setting a policy to deny requires more care if you want to be able to stop your firewall for any reason - you have to reset the policy before you flush your rules or you will be left with no access at all except from the console.
I also do not run SSH on port 22 for the same reasons, but what port you DO run it on should be kept private.
Like others have said, you can't do that with just one rule. You'll need two.
I agree that a strict firewall doesn't start with a DENY all TCP w/SYN, but rather a DENY ALL rule.
Don't forget to specify the interface for the rules if you have more than one!
-Mark Adams www.bitserve.com - Secure Michigan web hosting for your business.
Only host still offering a full money back uptime guarantee and prorated refunds.
Offering advanced server management and security incident response!
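Putting the thread's advice together (default DENY policy rather than just denying TCP SYNs, two separate rules for web and SSH, an interface on every rule, SSH on a non-standard port, and resetting the policy before flushing so a "stop" does not lock you out) as one script. This is an added example, not code posted in the thread or shipped by anyone here. The interface name eth0, the admin address 203.0.113.5 and the SSH port 64321 are illustrative assumptions; substitute your own. It runs in dry-run mode by default, printing the ipchains commands instead of executing them, so it can be reviewed on any box before it touches a live firewall.

```shell
#!/bin/sh
# Added example, not code from the original thread. A minimal default-deny
# ipchains input chain applying the advice in the posts above. All concrete
# values are illustrative assumptions: the interface name, the admin IP
# (a documentation address) and the SSH port.

EXT_IF="${EXT_IF:-eth0}"              # public interface (assumed name)
ADMIN_IP="${ADMIN_IP:-203.0.113.5}"   # the one box allowed to reach sshd (assumed)
SSH_PORT="${SSH_PORT:-64321}"         # sshd moved off 22, as suggested above (assumed)
IPCHAINS="${IPCHAINS:-/sbin/ipchains}"

# DRY_RUN=1 (the default here) prints each command instead of executing it,
# so the rule set can be reviewed, or the script run on a box without
# ipchains, before it is pointed at a live firewall (DRY_RUN=0).
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$IPCHAINS $*"
    else
        "$IPCHAINS" "$@"
    fi
}

# Bring the firewall up: policy first, then the explicit allows.
fw_start() {
    run -P input DENY                   # default DENY: anything not matched below is dropped
    run -F input                        # then clear whatever a previous run left behind
    run -A input -i lo -j ACCEPT        # loopback stays open or local services break

    # Web: port 80 from anywhere (one rule). SSH: only from the admin box
    # (a second rule). As the thread notes, one rule cannot express both.
    run -A input -i "$EXT_IF" -p tcp --dport 80 -j ACCEPT
    run -A input -i "$EXT_IF" -p tcp -s "$ADMIN_IP" --dport "$SSH_PORT" -j ACCEPT

    # ipchains is stateless: with a DENY policy the replies to the server's own
    # outbound TCP connections would be dropped too. Accept TCP packets that are
    # not connection requests (! -y = SYN bit not set); new inbound connections
    # on other ports still fall through to the DENY policy. UDP replies (e.g.
    # DNS answers) need their own rule, omitted here.
    run -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
}

# Take the firewall down WITHOUT locking yourself out: with a DENY policy,
# flushing first would leave the chain empty and everything denied, console
# only. Reset the policy to ACCEPT, then flush.
fw_stop() {
    run -P input ACCEPT
    run -F input
}

# Every -A rule above names an interface; a rule without -i applies to all
# interfaces, including lo and any second NIC.
# Usage: sh fw.sh start | sh fw.sh stop   (add DRY_RUN=0 to apply for real)
case "${1:-}" in
    start) fw_start ;;
    stop)  fw_stop ;;
esac
```

Run it with DRY_RUN=1 first and read the printed rules top to bottom: the policy line must come before any -A line on start, and the ACCEPT policy must come before the flush on stop. Only then run it with DRY_RUN=0, ideally from the console rather than over the SSH session the rules are about to restrict.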