LinuxQuestions.org


enyawix 04-13-2014 12:52 AM

Please check my work. I miss something (iptables)
 
PATH=/usr/sbin:/sbin:/bin:/usr/bin
# Setting interface variables
WAN="eth0"
LAN="eth1"

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Layer 4 state checking
iptables -N state-checking
iptables -A state-checking -m state --state INVALID -j DROP
iptables -A state-checking -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
iptables -A state-checking -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A state-checking -p udp -m udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A state-checking -p tcp -m tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

#
# Some ip range checking
#
iptables -N local-only
iptables -A local-only -i lo -j ACCEPT
iptables -A local-only -i $LAN -s 192.168.0.0/24 -j ACCEPT
iptables -A local-only -i $LAN -d 192.168.0.0/24 -j ACCEPT
iptables -A local-only -i $WAN -s 0.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 127.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 10.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 169.254.0.0/16 -j DROP
iptables -A local-only -i $WAN -s 172.16.0.0/12 -j DROP
iptables -A local-only -i $WAN -s 192.0.2.0/24 -j DROP
iptables -A local-only -i $WAN -s 192.168.0.0/16 -j DROP
iptables -A local-only -i $WAN -s 224.0.0.0/3 -j DROP
#
# Network Address Translation
#

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

# Masquerade.
iptables -t nat -A POSTROUTING -o $LAN -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i $WAN -o $LAN -j DROP

iptables -P INPUT DROP
iptables -A INPUT -j state-checking
iptables -A INPUT -j local-only

iptables -P FORWARD DROP
iptables -A FORWARD -j state-checking
iptables -A FORWARD -j local-only
iptables -A FORWARD -i $LAN -j ACCEPT

# Bringing up interfaces
dhclient $WAN
ifconfig $LAN 192.168.0.254/24

# Setting up DNS
echo "nameserver 208.67.222.222" > /etc/resolv.conf
echo "nameserver 208.67.220.220" >> /etc/resolv.conf
echo "nameserver 8.8.8.8" >> /etc/resolv.conf
echo "nameserver 8.8.4.4" >> /etc/resolv.conf

enyawix 04-13-2014 01:07 AM

Thinking

# Masquerade.
iptables -t nat -A POSTROUTING -o $LAN -j MASQUERADE

should become

# Masquerade.
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

Ser Olmy 04-13-2014 01:25 AM

You're right about the MASQUERADE rule; it needs to match traffic exiting the WAN interface.

Please use [code][/code] tags around code, scripts, logs etc. as it greatly improves readability.

Quote:

Originally Posted by enyawix (Post 5151578)
iptables -N state-checking
iptables -A state-checking -m state --state INVALID -j DROP
iptables -A state-checking -p tcp -m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
iptables -A state-checking -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP

Check state or flags, not both. The last rule is pointless, as you're matching "packets without the SYN flag set and the FIN/RST/ACK flags set, matching the state NEW". No packet can possibly match those criteria.

Quote:

Originally Posted by enyawix (Post 5151578)
iptables -A state-checking -p udp -m udp -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A state-checking -p tcp -m tcp -m state --state RELATED,ESTABLISHED -j ACCEPT

Unless you deliberately want to exclude non-TCP/UDP sessions (like responses to ICMP pings), you might as well delete the "-p udp -m udp" part from the first of these two rules, and omit the second rule.

Quote:

Originally Posted by enyawix (Post 5151578)
#
# Some ip range checking
#
iptables -N local-only
iptables -A local-only -i lo -j ACCEPT
iptables -A local-only -i $LAN -s 192.168.0.0/24 -j ACCEPT
iptables -A local-only -i $LAN -d 192.168.0.0/24 -j ACCEPT
iptables -A local-only -i $WAN -s 0.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 127.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 10.0.0.0/8 -j DROP
iptables -A local-only -i $WAN -s 169.254.0.0/16 -j DROP
iptables -A local-only -i $WAN -s 172.16.0.0/12 -j DROP
iptables -A local-only -i $WAN -s 192.0.2.0/24 -j DROP
iptables -A local-only -i $WAN -s 192.168.0.0/16 -j DROP
iptables -A local-only -i $WAN -s 224.0.0.0/3 -j DROP

Some of these rules are not required. Invalid addresses like 0.0.0.0/0 and 127.0.0.0/8 ("martians") are dropped by the IP stack. Not sure why you're blocking all multicast addresses; should that perhaps be 224.0.0.0/8 (link-local multicast)?

Also, the "-i lo -j ACCEPT" rule really, really, REALLY needs to be at the top of the INPUT chain, and not in a user-defined chain called further down the line.

Quote:

Originally Posted by enyawix (Post 5151578)
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

OK, you just allowed all traffic from the LAN to the Internet...

Quote:

Originally Posted by enyawix (Post 5151578)
# Don't forward from the outside to the inside.
iptables -A FORWARD -i $WAN -o $LAN -j DROP

...and then you summarily block everything going in the opposite direction, including reply packets. The result will be that nothing will work.

Quote:

Originally Posted by enyawix (Post 5151578)
iptables -P INPUT DROP
iptables -A INPUT -j state-checking
iptables -A INPUT -j local-only

This looks OK (but as I mentioned, the loopback rule should be the first rule in the INPUT chain).

Quote:

Originally Posted by enyawix (Post 5151578)
iptables -P FORWARD DROP
iptables -A FORWARD -j state-checking
iptables -A FORWARD -j local-only
iptables -A FORWARD -i $LAN -j ACCEPT

No packets will ever reach this part of the FORWARD chain, as they will either have been allowed by the blanket ACCEPT rule for LAN-to-WAN traffic, or blocked by the DROP rule covering all WAN-to-LAN traffic.
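One way to put the fixes from these replies together, as an added example rather than the poster's script or Ser Olmy's own code: it assumes the same eth0/eth1 and 192.168.0.0/24 layout, uses the conntrack match in place of the older state match, accepts loopback first in INPUT, and runs the stateful check in FORWARD before any directional rule so reply packets are no longer dropped.

```shell
#!/bin/sh
# Added example (not the poster's script): the same skeleton with the fixes
# from the replies applied. IPT defaults to iptables; IPT=echo prints the
# rules instead of loading them, which is how a dry run works.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"

build_firewall() {
    $IPT -F; $IPT -t nat -F; $IPT -t mangle -F; $IPT -X
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT

    # Each rule tests either state or flags, never both. The stateful ACCEPT
    # carries no -p, so ICMP echo replies and other non-TCP/UDP traffic that
    # belongs to a known connection gets through as well.
    $IPT -N state-checking
    $IPT -A state-checking -m conntrack --ctstate INVALID -j DROP
    $IPT -A state-checking -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A state-checking -p tcp ! --syn -j DROP

    # Private/link-local source ranges have no business arriving on the WAN.
    $IPT -N local-only
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16; do
        $IPT -A local-only -i "$WAN" -s "$net" -j DROP
    done

    # INPUT: loopback first, then tracked traffic, then hosts on the LAN.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -j state-checking
    $IPT -A INPUT -j local-only
    $IPT -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT

    # FORWARD: tracked replies are accepted before any directional rule, so
    # WAN->LAN reply packets survive; unsolicited WAN->LAN traffic is left to
    # the chain policy (DROP) instead of an early blanket DROP.
    $IPT -A FORWARD -j state-checking
    $IPT -A FORWARD -j local-only
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT

    # Masquerade on the WAN side, as corrected in the second post.
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Load for real only when asked to; a plain run just defines the function.
if [ "${1:-}" = "apply" ]; then
    build_firewall
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```

Run `IPT=echo sh firewall.sh` and call `build_firewall` to review the generated rule order before running `sh firewall.sh apply` as root.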

