Quote:
Originally posted by gtgeo
I am running Debian with SMTP (Postfix) and a name server (BIND 9.x).
I want to open only the needed ports: 53 UDP (NS) and 25 TCP (SMTP).
Is that right, or do I have to open 53 TCP/UDP and 25 TCP/UDP?
iptables -A FORWARD -d 213.157.20.62 -i eth1 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -d 213.157.20.62 -i eth1 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -d 213.157.20.62 -i eth1 -j DROP
NS does not work. SMTP works but does not send messages, only receiving.
iptables -A FORWARD -d 213.157.20.62 -i eth1 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -d 213.157.20.62 -i eth1 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -d 213.157.20.62 -i eth1 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -d 213.157.20.62 -i eth1 -j DROP
The name server works, but SMTP has the same problem. What should I do? Please help.
Try
iptables -P INPUT DROP
iptables -A INPUT -i eth1 -s my.dns.server.ip -p udp --sport 53 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -m state --state NEW,INVALID -j DROP
iptables -A INPUT -i eth1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
as a start.
FORWARD is used to filter packets being sent to other PCs.
Don't worry about the -d my.ip because the rp_filter will take care of the bad destination numbers.
Regards,
Peter
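A complete ruleset for the setup in the question, as an added example (it is not part of either post above). It puts the filtering in INPUT, where traffic addressed to the host itself is actually processed (the FORWARD chain only sees routed packets, which is why the original rules had no effect on the local BIND and Postfix), accepts 53 on both UDP and TCP so BIND can answer truncated queries and zone transfers, and lets ESTABLISHED,RELATED traffic back in so outbound mail and the MX lookups Postfix performs get their replies. The interface name eth1 and the address 213.157.20.62 are taken from the question; the IPT variable defaulting to "echo iptables" is my addition so the script can be dry-run without root. One caveat on the -d match: rp_filter checks that a packet's source address is reachable through the interface it arrived on, it does not validate the destination, so the example keeps -d on the service rules.

```shell
#!/bin/sh
# Added example (not from the thread): a stateful INPUT ruleset for a Debian host
# running Postfix on 25/tcp and BIND on 53/udp+tcp, filtering in INPUT rather than FORWARD.
# Assumptions (mine, not the original poster's): the public interface is eth1 and the
# host address is 213.157.20.62, as in the question. IPT defaults to "echo iptables",
# so running the script prints the rules instead of applying them; run it as root with
# IPT=iptables to load them for real.

WAN_IF="${WAN_IF:-eth1}"
HOST_IP="${HOST_IP:-213.157.20.62}"
IPT="${IPT:-echo iptables}"

apply_rules() {
    # Start clean, deny everything inbound by default, allow what this host sends.
    $IPT -F INPUT
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    # This box is an end host, not a router: FORWARD never sees its own traffic.
    $IPT -P FORWARD DROP

    # Local processes talk to each other over lo (Postfix -> local resolver, etc.).
    $IPT -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened: outbound SMTP deliveries and the
    # DNS lookups Postfix makes for MX records. Without this, mail only comes in.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Authoritative DNS: UDP for ordinary queries, TCP for truncated answers
    # (over 512 bytes) and zone transfers, so both protocols are opened.
    $IPT -A INPUT -i "$WAN_IF" -d "$HOST_IP" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -d "$HOST_IP" -p tcp --dport 53 -m state --state NEW -j ACCEPT

    # Inbound SMTP. Outbound SMTP (25/tcp to other MXs) needs nothing here because
    # OUTPUT is ACCEPT and the replies match ESTABLISHED above.
    $IPT -A INPUT -i "$WAN_IF" -d "$HOST_IP" -p tcp --dport 25 -m state --state NEW -j ACCEPT
}

# Dry-run helper: how many generated rules contain the given pattern.
rule_count() {
    apply_rules | grep -c -- "$1"
}

apply_rules
```

Load order matters: the ESTABLISHED,RELATED rule comes before the per-port rules so reply traffic is accepted in one lookup, and the INVALID drop sits ahead of the NEW rules so malformed segments never reach them. If the box also resolves recursively for itself, the ESTABLISHED rule covers those UDP replies too, which is what the sport 53 rule in the answer above was doing.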