i use similar of that configuration (DROP as default policy) right now. my pc and other 3 pc are allowed to access internet for all ports. others can access http,ftp,https,nntp,1863,211,3050 ports. i did that for more security. and also i dont want users to play web games or listen to radio or watch tv via browser
hmmm. another way: u can edit iptables save file. it is "/etc/sysconfig/iptables" for redhat like systems. or if u have a script that does that, edit it. change palace of rules. but it is hard way, i think.
think like that :
first rule runs first. iptables checks if the packets match with first rule. if it match apply the 1. rule, it never check other rules. then second then 3. .... it goes like that. if packet doesnt match any of rule, it applies the default policy.
actually the last line your FORWARD chain is REJECT all. so it doesnt matter to add rules. because it will apply reject rule before and never look at the last rule that u added.
i think my suggestion is better. because the last rule will be able to be checked. after that, it will aply DROP rule as default policy. so it will be more easy to change rules.
dont u have a test boxes? tell your boss to buy test boxes for u. u need at least 2 right now