Below is a 'template' firewall for a single-server HSphere install.

Notes:
192.168.1.1 is the example base IP address of the server. You need to change this.
192.168.1.2 is *your* IP address. You *must* change this, otherwise you'll lock yourself out of the server.
This example would be saved to the file /etc/sysconfig/iptables.
You need to load the ip_conntrack_ftp module into the kernel when iptables is started (on newer kernels the module is called nf_conntrack_ftp). You add this module name in /etc/rc.d/init.d/iptables.
Change:
IPTABLES_MODULES=""
To:
IPTABLES_MODULES="ip_conntrack_ftp"


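#######################################################
# Single-server HSphere firewall template (iptables-save format).
# INPUT policy is DROP: anything not explicitly accepted below is logged and
# then rejected. No rule opens port 22, so SSH (and every other unlisted
# service) is reachable only from the management IP accepted below - that
# rule MUST carry your own address or you will lock yourself out.
*filter
:FORWARD ACCEPT [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BLOCK_NET - [0:0]
# Handle Passive FTP (remember to enable ip_conntrack_ftp module).
# OUTPUT policy is already ACCEPT, so this rule is kept for clarity only.
-A OUTPUT -p tcp -m tcp -m state --dport 1024:65535 --sport 1024:65535 --state RELATED,ESTABLISHED -j ACCEPT
# Server Base IP address.
# NOTE(review): this trusts the source address alone - a packet arriving on
# the external interface that claims to come from 192.168.1.1 matches too.
# Loopback traffic is already covered by the "-i lo" rule below, so keep
# rp_filter enabled and confirm HSphere really needs this rule for
# non-loopback traffic before keeping it.
-A INPUT -s 192.168.1.1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Management IPs (VERY IMPORTANT TO PUT YOUR IP HERE otherwise you'll be locked out).
# Everything from this address is accepted, including SSH and the DB ports.
-A INPUT -s 192.168.1.2 -j ACCEPT
# End Management IPs
# Run Block bad networks chain (the chain's rules are listed further down)
-A INPUT -j BLOCK_NET
# Handle Passive FTP (remember to enable ip_conntrack_ftp module in the iptables init script).
# With the helper loaded, the RELATED,ESTABLISHED rule right after this one
# already covers the data connection; this rule only accepts ESTABLISHED.
-A INPUT -p tcp -m tcp -m state --dport 1024:65535 --sport 1024:65535 --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ICMP echo request (ping) is accepted here, so the echo LOG/REJECT rules
# near the end of this chain are only reached if this rule is removed.
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Public services: FTP, SMTP, DNS, HTTP(S), POP3, IMAP, submission.
-A INPUT -p tcp -m tcp --dport 20:21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# ident: REJECT with a reset rather than DROP so remote mail servers that
# probe ident get an immediate answer instead of waiting for a timeout.
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
# Explicitly dropped ports (the catch-all at the end would REJECT them;
# these are silently dropped instead and never logged).
-A INPUT -p tcp -m tcp --dport 135 -j DROP
-A INPUT -p tcp -m tcp --dport 136 -j DROP
-A INPUT -p tcp -m tcp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 138 -j DROP
-A INPUT -p tcp -m tcp --dport 139 -j DROP
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 161 -j DROP
-A INPUT -p udp -m udp --dport 161 -j DROP
-A INPUT -p tcp -m tcp --dport 162 -j DROP
-A INPUT -p udp -m udp --dport 162 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j DROP
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 593 -j DROP
-A INPUT -p tcp -m tcp --dport 777 -j DROP
-A INPUT -p tcp -m tcp --dport 778 -j DROP
-A INPUT -p tcp -m tcp --dport 837 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1025 -j DROP
-A INPUT -p tcp -m tcp --dport 1080 -j DROP
-A INPUT -p tcp -m tcp --dport 1434 -j DROP
-A INPUT -p tcp -m tcp --dport 1433 -j DROP
-A INPUT -p tcp -m tcp --dport 3128 -j DROP
# Database ports (MySQL 3306, PostgreSQL 5432) are open to every source here.
# The management IP rule above already matches your own host, so if remote
# database access is not required, restrict these to the hosts that need
# them (e.g. add "-s <trusted-host-ip>" to the rule) or remove them.
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4321 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -j DROP
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6667 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p udp -m udp --dport 137:138 --sport 137:138 -j DROP
# Logging to /var/log/messages.
# Each LOG rule is rate-limited so a scan or flood cannot fill the log or
# starve syslog; the limit values below are a starting point - tune them for
# your traffic. The REJECT that follows each LOG is not limited.
-A INPUT -p tcp -m tcp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "AUDIT TCP "
-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "AUDIT UDP "
-A INPUT -p udp -m udp -j REJECT --reject-with icmp-port-unreachable
# Only reached for echo requests if the ICMP ACCEPT rule above is removed.
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "AUDIT ICMP "
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-host-unreachable
# Bad networks we don't want traffic from (BLOCK_NET is called early in INPUT,
# before any service rule, so entries here override the ACCEPTs above).
# E.G.
# -A BLOCK_NET -s 218.24.0.0/15 -j DROP
# Catch-all for anything else (other protocols) before the INPUT DROP policy applies.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "AUDIT "
COMMIT
# mangle section (no rules; counters reset to zero - iptables-restore only
# applies saved counters when run with -c, so the live values carried no meaning)
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# NAT section (no rules)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
#######################################################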