i am by far no iptables guru, i've been using it for a while, and i've read quite a few tutorials/howtos/etc on it, and i understand some of the fundamentals but others just escape me. IMO the syntax is crap, but then again like anything else, its not bad if you get to know it. i need to look at ipf and ipfw sometime.
anyways here is my iptables script:
#!/bin/sh
#if needed change eth0 to your actual internet interface
INET_IP=`ifconfig eth0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/addr://'`
#same deal but lan interface
LAN_IP=`ifconfig eth1 | grep 'inet addr' | awk '{print $2}' | sed -e 's/addr://'`
IPT="/sbin/iptables"
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
echo 0 > /proc/sys/net/ipv4/ip_forward
$IPT -A INPUT -t filter -i lo -j ACCEPT
$IPT -A INPUT -t filter -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -t filter -i eth0 -m state --state NEW,INVALID -j DROP
#from lan
$IPT -A FORWARD -t filter -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -t filter -i eth0 -m state --state NEW,INVALID -j DROP
#nat
$IPT -A POSTROUTING -t nat -o eth0 -s 192.168.0.0/24 -d 0/0 -j MASQUERADE
##open ports
#ssh
$IPT -A FORWARD -t filter -p tcp -i eth0 --dport 22 -j ACCEPT
$IPT -A INPUT -t filter -p tcp -i eth0 --dport 22 -j ACCEPT
#mail
$IPT -A FORWARD -t filter -p tcp -i eth0 --dport 25 -j ACCEPT
$IPT -A INPUT -t filter -p tcp -i eth0 --dport 25 -j ACCEPT
#dns
$IPT -A FORWARD -t filter -p tcp -i eth0 --dport 53 -j ACCEPT
$IPT -A INPUT -t filter -p tcp -i eth0 --dport 53 -j ACCEPT
#http
$IPT -A FORWARD -t filter -p tcp -i eth0 --dport 80 -j ACCEPT
$IPT -A INPUT -t filter -p tcp -i eth0 --dport 80 -j ACCEPT
#others
$IPT -A FORWARD -t filter -p tcp -i eth0 --dport 300 -j ACCEPT
$IPT -A INPUT -t filter -p tcp -i eth0 --dport 300 -j ACCEPT
$IPT -A FORWARD -t filter -p tcp -i eth0 --dport 6667 -j ACCEPT
$IPT -A INPUT -t filter -p tcp -i eth0 --dport 6667 -j ACCEPT
#this is for bind, you dont need it, in fact i myself need to look up whether bind 9 still needs this..
$IPT -A INPUT -p UDP -s 0/0 --source-port 1024:65535 -j ACCEPT
$IPT -A INPUT -t filter -i eth0 -m state --state NEW,INVALID -j DROP
$IPT -A FORWARD -t filter -i eth0 -m state --state NEW,INVALID -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward