OK, from the rules you have you seem to be well versed in IPTABLES. If not, read this small HOWTO:
http://www.linuxguruz.com/iptables/h...s-HOWTO-1.html
What you should first do is write down in plain English syntax what you want your rules to do, e.g.:
VPN incoming to port 1723 forwarded to 192.168.1.1:1723 - protocol TCP
SSH incoming port 22 - protocol TCP
SMTP incoming port 25 - protocol TCP
Then translate that into IPTABLES syntax and make a bash script. Include this at the beginning to erase all previous rules and zero the counters so you don't end up adding to the chains instead of replacing them.
# Flush Rules, get rid of any user-defined chains, zero counters:
iptables -F
iptables -F -t nat
iptables -X
iptables -Z
Since you don't want to do any outbound filtering, you just have to set up the policies like so:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
Also, it looks like you're not writing your iptables rules in any sort of plaintext editor. I rather like to make all my rules in a bash script and then run it from /root, e.g. /root/iptables
There really isn't any way to make open ports stealth unless you limit where the connections can come from. But that all depends on the type of setup you require. Here is an excerpt from my script with comments on why it's there or otherwise.
# eth1 = internet interface
# Kernel Flags
echo 61 > /proc/sys/net/ipv4/ip_default_ttl # if the TTL needs to be higher - get a new ISP
echo "5" > /proc/sys/net/ipv4/tcp_syn_retries
echo "1" > /proc/sys/net/ipv4/tcp_rfc1337 # don't drop TIME_WAIT sockets on an incoming RST
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all # no ping replies at all
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians # log packets with impossible source addresses
echo "1" > /proc/sys/net/ipv4/ip_forward # needed for the VPN port forward to work at all
# reverse-path filtering on every interface
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo "1" > "${interface}"
done
# Drop "unclean" packets, accept packets on the loopback interface - not sure what it does but sounds good
# (the "unclean" match is an old experimental patch-o-matic module; leave this line out if your iptables reports it missing)
iptables -A INPUT -m unclean -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# SYN-flooding protection
iptables -N syn-flood
iptables -A INPUT -i eth1 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Make sure new tcp connections are SYN packets
iptables -A INPUT -i eth1 -p tcp ! --syn -m state --state NEW -j DROP
# Drop non-first fragments (after logging)
iptables -A INPUT -i eth1 -f -j LOG --log-prefix "IPTABLES fragments: "
iptables -A INPUT -i eth1 -f -j DROP
## Drop IP spoofing candidates
# from myself (<yourself> = the public address of eth1)
iptables -A INPUT -i eth1 -s <yourself> -j DROP
# to loopback interface
iptables -A INPUT -i eth1 -d 127.0.0.0/8 -j DROP
# refuse broadcast address packets ($broadcast = the broadcast address of eth1, set at the top of the script)
iptables -A INPUT -i eth1 -d $broadcast -j DROP
# Stop impossible networks - ones that shouldn't be on your intranet interface or on the internet interface!
# (no -i on these, so they apply to every interface; leave them out if your own LAN uses one of these ranges)
iptables -A INPUT -d 172.16.0.0/12 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -d 10.0.0.0/8 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -s 10.0.0.0/8 -j DROP
Basically, test and see; not all rules are intended for everyone.
--tarballedtux
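An added example, not part of tarballedtux's post or script: the "write it in plain English, then translate it" step from the post, done as a small sh script that turns the three rules listed at the top (VPN forward to 192.168.1.1:1723, SSH 22, SMTP 25) into iptables commands, with the flush/policy preamble in front. It assumes eth1 is the internet interface (as in the post) and that 192.168.1.1 is the LAN VPN host (from the rule list); the spec lines are constructed from those three rules. Two things the post does not spell out are included with comments: an ESTABLISHED,RELATED rule (without it INPUT DROP kills the replies to every outbound session) and GRE forwarding for the PPTP forward, since PPTP only negotiates on tcp/1723 and carries the tunnel itself over IP protocol 47. Run with no arguments to print the generated commands and check them; run as root with --apply to load them.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumes eth1 is the internet
# interface and 192.168.1.1 the LAN VPN host, both taken from the thread.

WAN=eth1

# Constructed sample spec covering the three rules listed in the thread, one
# rule per line:
#   in  <proto> <port>               accept new inbound connections to this host
#   fwd <proto> <port> <ip>:<port>   DNAT new inbound connections to a LAN host
RULES='
in  tcp 22
in  tcp 25
fwd tcp 1723 192.168.1.1:1723
'

# Flush every table and reset the policies, so re-running the script replaces
# the rules instead of appending to them; then let loopback and replies to
# already-tracked connections through, and drop non-SYN "new" TCP packets.
preamble() {
  printf '%s\n' \
    'iptables -F' \
    'iptables -F -t nat' \
    'iptables -F -t mangle' \
    'iptables -X' \
    'iptables -X -t nat' \
    'iptables -Z' \
    'iptables -P INPUT DROP' \
    'iptables -P FORWARD DROP' \
    'iptables -P OUTPUT ACCEPT' \
    'iptables -A INPUT -i lo -j ACCEPT' \
    'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
    'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT' \
    "iptables -A INPUT -i $WAN -p tcp ! --syn -m state --state NEW -j DROP"
}

# Translate one spec line into iptables commands. An unknown verb or a
# malformed target is an error, so a typo never silently opens or drops a rule.
translate() {
  verb=$1 proto=$2 port=$3 target=${4-}
  case $verb in
    in)
      printf 'iptables -A INPUT -i %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$WAN" "$proto" "$port"
      ;;
    fwd)
      case $target in *:*) ;; *) printf 'fwd needs ip:port, got %s\n' "$target" >&2; return 1 ;; esac
      dst_ip=${target%%:*} dst_port=${target##*:}
      # DNAT in nat/PREROUTING rewrites the destination before FORWARD sees
      # the packet, so the FORWARD rule must match the LAN address.
      printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s\n' \
        "$WAN" "$proto" "$port" "$target"
      printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$WAN" "$proto" "$dst_ip" "$dst_port"
      # PPTP negotiates on tcp/1723 but the tunnel is GRE (IP protocol 47),
      # which has no ports, so it has to be forwarded to the same host.
      if [ "$proto" = tcp ] && [ "$port" = 1723 ]; then
        printf 'iptables -t nat -A PREROUTING -i %s -p 47 -j DNAT --to-destination %s\n' "$WAN" "$dst_ip"
        printf 'iptables -A FORWARD -i %s -p 47 -d %s -j ACCEPT\n' "$WAN" "$dst_ip"
      fi
      ;;
    *)
      printf 'unknown rule verb: %s\n' "$verb" >&2
      return 1
      ;;
  esac
}

# Emit the complete script: preamble first, then one translation per spec line.
# "exit 1" inside the loop ends only the pipeline subshell, and the loop's
# status becomes the function's, so a bad spec line fails the whole run.
gen_script() {
  preamble
  printf '%s\n' "$RULES" | while read -r verb proto port target; do
    [ -z "$verb" ] && continue
    translate "$verb" "$proto" "$port" "$target" || exit 1
  done
}

case ${1-} in
  --apply) gen_script | sh -e ;;   # needs root, and ip_forward=1 for the forward
  *) gen_script ;;
esac
```

Adding a rule is one more spec line; the generated output is plain iptables commands, so it can be diffed against the previous run before being applied. Some kernels also want the nf_conntrack_pptp / nf_nat_pptp helper modules loaded for PPTP through NAT; that part depends on the kernel and is not covered here.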