Open Ports
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
When such a packet arrives, conntrack sets a flag on the packet indicating that it belongs to some "known" connection. The -m conntrack --ctstate ESTABLISHED match in the firewall then uses that flag to match any of those "known" packets. This way, you can precisely match replies to your outgoing packets without knowing in advance what they are, at the expense of maintaining the state.
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
Accept tcp packets on destination port 6881 (bittorrent)
iptables -A INPUT -p tcp --dport 6881 -j ACCEPT
Accept tcp packets on the destination port range 6881-6890
iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT
Opening port 22 (SSH) to all incoming tcp connections poses a potential security threat, as hackers could try brute-force cracking on accounts with weak passwords. However, if we know the IP addresses of the trusted remote machines that will be used to log on using SSH, we can limit access to only these source IP addresses. For example, if we just wanted to open up SSH access on our private LAN (192.168.0.x), we can limit access to just this source IP address range:
Accept tcp packets on destination port 22 (SSH) from private LAN
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
To display the port openings currently in effect - # iptables -S
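As an added example (not part of the original notes), the script below reads iptables -S style output and lists every INPUT rule that accepts a tcp destination port together with its source restriction, so an SSH port left open to any address stands out. The sample rule text is constructed, the function names are hypothetical, and only single ports and lo:hi ranges given with --dport are handled (not -m multiport).

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output (not captured from a real host).
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6881:6890 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT'

# list_open_ports (hypothetical helper): read `iptables -S` text on stdin and
# print "<port-or-range> <source>" for each INPUT rule that ACCEPTs a tcp
# --dport. A rule without -s is reported with source "any".
list_open_ports() {
    awk '
    $1 == "-A" && $2 == "INPUT" {
        src = "any"; port = ""; target = ""; proto = ""
        for (i = 3; i <= NF; i++) {
            # keep a leading "!" so a negated source is not mistaken for "any"
            if ($i == "-s")      src = ($(i - 1) == "!" ? "!" : "") $(i + 1)
            if ($i == "-p")      proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-j")      target = $(i + 1)
        }
        if (proto == "tcp" && target == "ACCEPT" && port != "")
            print port, src
    }'
}

# unrestricted_port PORT (hypothetical helper): exit 0 if PORT is accepted
# from any source, either directly or inside a range such as 6881:6890.
unrestricted_port() {
    list_open_ports | awk -v want="$1" '
    $2 == "any" {
        n = split($1, r, ":")
        lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
        if (want + 0 >= lo && want + 0 <= hi) found = 1
    }
    END { exit(found ? 0 : 1) }'
}

printf '%s\n' "$SAMPLE_RULES" | list_open_ports
if printf '%s\n' "$SAMPLE_RULES" | unrestricted_port 22; then
    echo "WARNING: SSH (22) is reachable from any source address"
fi
```

On a live host, pipe the real rule set in instead of the sample: iptables -S | list_open_ports (run as root).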