LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 02-16-2002, 11:09 PM   #1
bbenz3
Member
 
Registered: Feb 2002
Location: Orlando
Distribution: Whatever I feel like at the time I install.
Posts: 284

Rep: Reputation: 30
iptables router with ftp server


I currently have a Linux router running Red Hat 7.1 with the newest kernel and version 1.2.4 of iptables.

I have an unusual router in that I have 3 NICs. Two are external NICs which pull IPs from a cable modem, and one internal NIC supplies the internal LAN.

I am just learning this whole process and I finally got my router fully functional except for the ftp server that I am running on my system behind the router. I cannot even connect to the server at all. I have tried loading the following Modules:
ip_conntrack_ftp
ip_nat_ftp
ip_conntrack
I also have several other modules running.

This is my setup:
eth0 --> int lan
eth1 --> ext lan
eth2 --> ext lan
I have this so that I can forward two different NT computers to different external IPs for gaming purposes. The ftp server is running on 192.168.168.10 on port 2020. I also have a DHCP server running on the internal NIC to provide IPs.

My current script is:
iptables --table nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables --table nat -A POSTROUTING -o eth2 -j MASQUERADE
iptables -A FORWARD -s 192.168.168.10 -o eth2 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

I am also looking at implementing a firewall script but so far don't have enough knowledge about how the others work to try it with my setup.

Desperately Confused
 
Old 02-19-2002, 07:16 PM   #2
manthram
Member
 
Registered: Feb 2002
Location: Fairfax, VA
Distribution: RedHat 8, Mandrake9.1, Slack9
Posts: 456

Rep: Reputation: 31
You need to do something called DNAT in order to forward external requests to your local ftp server.

## Change destination addresses of FTP traffic to 10.10.1.2, port 21.

iptables -t nat -A PREROUTING -p tcp --dport 21 -i $EXTIF \
-j DNAT --to 10.10.1.2:21
iptables -A FORWARD -i $EXTIF -o eth1 -p tcp -d 10.10.1.2 --dport 21 -j ACCEPT

This is how I do it. Here $EXTIF (which is ppp0) is the external interface and eth1 is the internal interface. 10.10.1.2 is my internal ftp server and 21 is the internal server's ftp port.
 
Old 02-25-2002, 01:29 PM   #3
bbenz3
Original Poster
I may be doing something wrong, but that did not work for me.
I know the ftp server is connecting because when I use my internal IP instead of my ftp server name it works fine.
 
Old 02-25-2002, 05:21 PM   #4
manthram
OK then, do you have your /etc/hosts set up? You need to give the names of your computers and their IPs in this file so that it can map them.
 
Old 02-25-2002, 10:41 PM   #5
bbenz3
Original Poster
I did that and now I know what you were talking about. I am talking about something a little different. I registered with dyndns.org to get an ftp server name.
I can connect if I don't go out through the router and then back in (i.e. use the internal IP address), but I cannot connect if I use the external IP or use the name from dyndns.
I know I must have something not configured right and somehow I am stopping the throughput of the ftp server.
Any suggestions?
 
Old 02-26-2002, 11:45 AM   #6
bbenz3
Original Poster
This is my routing/firewall script:

# starting DHCP server
echo " Starting DHCP Server on internal LAN"
dhcpd eth0

# internet: read the address currently assigned to each external NIC
INET_IFACE1="eth1"
INET_IP1=$(ifconfig "$INET_IFACE1" | grep "inet addr:" | awk -F: '{print $2}' | cut -d' ' -f1)
#echo "eth1 IP is $INET_IP1"
INET_IFACE2="eth2"
INET_IP2=$(ifconfig "$INET_IFACE2" | grep "inet addr:" | awk -F: '{print $2}' | cut -d' ' -f1)
#echo "eth2 ip is $INET_IP2"

# internal
LAN_IP="192.168.168.1"
LAN_IFACE="eth0"
LAN_SUB="192.168.168/24"


# DNS's
DNS1="24.95.227.34"
DNS2="24.95.227.35"
iptables -F
iptables -X
iptables -F -t nat
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.tcp_max_syn_backlog=256
sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
#sysctl -w net.ipv4.icmp_echoreply_rate=10
sysctl -w net.ipv4.tcp_fin_timeout=360
sysctl -w net.ipv4.tcp_rfc1337=1
echo 8176 > /proc/sys/net/ipv4/ip_conntrack_max
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 128 > /proc/sys/net/ipv4/ip_default_ttl
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max
/sbin/depmod -a
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ipt_owner
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack


# full access to eth0 nic
iptables -A INPUT -p ALL -i eth0 -s $LAN_SUB -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_SUB -j ACCEPT

# routing specific IPs through eth1
iptables -I FORWARD -s 192.168.168.10 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT


# MASQ for eth1 to outside
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source $INET_IP1
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -p igmp -j DROP
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 443 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 8080 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 2020 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos 8
#echo "Priority delay set for DNS"
iptables -t mangle -A OUTPUT -p tcp --dport 53 -j TOS --set-tos 16


# drop nasty flags:
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level info --log-prefix "BAD FLAG !! L1"
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level info --log-prefix "BAD FLAG !! L2"
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level info --log-prefix "BAD FLAG !! L3"
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "BAD FLAG !! L4"
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "BAD FLAG !! L5"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN flood stuff
iptables -N syn-flood
iptables -A INPUT -i eth1 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j LOG --log-level info --log-prefix "SYN Flood stopped"
iptables -A syn-flood -j DROP

# Drop Private
iptables -A INPUT -i eth1 -p tcp --sport 1:1024 --dport 1:1024 -j LOG --log-level info --log-prefix "PRIVATE PORT L1"
iptables -A INPUT -i eth1 -p tcp --sport 1024:65535 --dport 1:1024 -j LOG --log-level info --log-prefix "PRIVATE PORT L2"
iptables -A INPUT -i eth1 -p tcp --sport 1024:65535 --dport 6000 -j LOG --log-level info --log-prefix "PRIVATE X PORT"
iptables -A INPUT -i eth1 -p tcp --sport 1024:65535 --dport 1:1024 -j DROP
iptables -A INPUT -i eth1 -p tcp --sport 1:1024 --dport 1:1024 -j DROP
iptables -A INPUT -i eth1 -p tcp --sport 1:1024 --dport 6000 -j DROP
iptables -A INPUT -i eth1 -p tcp --sport 1024:65535 --dport 6000 -j DROP

# SYN dropped
iptables -A INPUT -i eth1 -p tcp ! --syn -m state --state NEW -j LOG --log-level info --log-prefix "SYN DROPPED"
iptables -A INPUT -i eth1 -p tcp ! --syn -m state --state NEW -j DROP


# spoofing protection
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.0/16 -j LOG --log-level info --log-prefix "FAKE CLASS C"
iptables -t nat -A PREROUTING -i eth1 -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i eth1 -s 10.0.0.0/8 -j LOG --log-level info --log-prefix "FAKE CLASS A"
iptables -t nat -A PREROUTING -i eth1 -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i eth1 -s 172.16.0.0/12 -j LOG --log-level info --log-prefix "FAKE CLASS B"
iptables -t nat -A PREROUTING -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j LOG --log-level info --log-prefix "FAKE CLASS C"
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-level info --log-prefix "FAKE CLASS A"
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j LOG --log-level info --log-prefix "FAKE CLASS B"
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth1 -s 255.255.255.255 -j LOG --log-level info --log-prefix "FAKE CLASS E"
iptables -A INPUT -i eth1 -s 255.255.255.255 -j DROP
iptables -A INPUT -i eth1 -s 127.0.0.0/8 -j LOG --log-level info --log-prefix "FAKE LOCAL 127"
iptables -A INPUT -i eth1 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i eth1 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i eth1 -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i eth1 -s 224.0.0.0/4 -j DROP
iptables -A INPUT -i eth1 -s 240.0.0.0/5 -j DROP
iptables -A INPUT -i eth1 -s 248.0.0.0/5 -j DROP
iptables -A INPUT -i eth1 -f -j LOG --log-level info --log-prefix "PACKET FRAGMENTED"
iptables -A INPUT -i eth1 -f -j DROP

# The weakest link
iptables -A INPUT -i eth1 -p tcp --sport 2020 -m state --state NEW,ESTABLISHED -j ACCEPT

# Active FTP
iptables -A INPUT -i eth1 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -s $DNS1 --sport 53 -d $INET_IP1 --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -s $DNS2 --sport 53 -d $INET_IP1 --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d $INET_IP1 --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d 10.50.28.4 --dport 1023:65535 -j ACCEPT

# ICMP
iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type address-mask-reply -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type required-option-missing -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type ip-header-bad -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type source-route-failed -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type network-unknown -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-reply -j ACCEPT
 
Old 02-26-2002, 11:45 AM   #7
bbenz3
Original Poster
# Deny ICMP types inbound
iptables -A INPUT -i eth1 -p icmp --icmp-type destination-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type network-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type host-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type protocol-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type port-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type fragmentation-needed -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type host-unknown -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type network-prohibited -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type host-prohibited -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type TOS-network-unreachable -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type communication-prohibited -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type host-precedence-violation -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type precedence-cutoff -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type source-quench -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type redirect -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type network-redirect -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type host-redirect -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type TOS-network-redirect -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type TOS-host-redirect -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j LOG --log-level info --log-prefix "PING REQUEST"
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type router-advertisement -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type router-solicitation -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type ttl-zero-during-transit -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type ttl-zero-during-reassembly -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type timestamp-reply -j ACCEPT
iptables -A INPUT -i eth1 -p icmp --icmp-type address-mask-request -j DROP

echo "NAT enabled for internal network on eth1"



################# eth2 ###########
# MASQ for eth2 to outside
iptables -t nat -A POSTROUTING -o eth2 -j SNAT --to-source $INET_IP2
iptables -A FORWARD -i eth2 -p igmp -j DROP

# SYN flood stuff
iptables -A INPUT -i eth2 -p tcp --syn -j syn-flood

# Drop Private
iptables -A INPUT -i eth2 -p tcp --sport 1:1024 --dport 1:1024 -j LOG --log-level info --log-prefix "PRIVATE PORT L1"
iptables -A INPUT -i eth2 -p tcp --sport 1024:65535 --dport 1:1024 -j LOG --log-level info --log-prefix "PRIVATE PORT L2"
iptables -A INPUT -i eth2 -p tcp --sport 1024:65535 --dport 6000 -j LOG --log-level info --log-prefix "PRIVATE X PORT"
iptables -A INPUT -i eth2 -p tcp --sport 1024:65535 --dport 1:1024 -j DROP
iptables -A INPUT -i eth2 -p tcp --sport 1:1024 --dport 1:1024 -j DROP
iptables -A INPUT -i eth2 -p tcp --sport 1:1024 --dport 6000 -j DROP
iptables -A INPUT -i eth2 -p tcp --sport 1024:65535 --dport 6000 -j DROP

# SYN dropped
iptables -A INPUT -i eth2 -p tcp ! --syn -m state --state NEW -j LOG --log-level info --log-prefix "SYN DROPPED"
iptables -A INPUT -i eth2 -p tcp ! --syn -m state --state NEW -j DROP


# spoofing protection
iptables -A FORWARD -i eth2 -j ACCEPT
iptables -t nat -A PREROUTING -i eth2 -s 192.168.0.0/16 -j LOG --log-level info --log-prefix "FAKE CLASS C"
iptables -t nat -A PREROUTING -i eth2 -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i eth2 -s 10.0.0.0/8 -j LOG --log-level info --log-prefix "FAKE CLASS A"
iptables -t nat -A PREROUTING -i eth2 -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i eth2 -s 172.16.0.0/12 -j LOG --log-level info --log-prefix "FAKE CLASS B"
iptables -t nat -A PREROUTING -i eth2 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth2 -s 192.168.0.0/16 -j LOG --log-level info --log-prefix "FAKE CLASS C"
iptables -A INPUT -i eth2 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth2 -s 10.0.0.0/8 -j LOG --log-level info --log-prefix "FAKE CLASS A"
iptables -A INPUT -i eth2 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth2 -s 172.16.0.0/12 -j LOG --log-level info --log-prefix "FAKE CLASS B"
iptables -A INPUT -i eth2 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth2 -s 255.255.255.255 -j LOG --log-level info --log-prefix "FAKE CLASS E"
iptables -A INPUT -i eth2 -s 255.255.255.255 -j DROP
iptables -A INPUT -i eth2 -s 127.0.0.0/8 -j LOG --log-level info --log-prefix "FAKE LOCAL 127"
iptables -A INPUT -i eth2 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i eth2 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i eth2 -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i eth2 -s 224.0.0.0/4 -j DROP
iptables -A INPUT -i eth2 -s 240.0.0.0/5 -j DROP
iptables -A INPUT -i eth2 -s 248.0.0.0/5 -j DROP
iptables -A INPUT -i eth2 -f -j LOG --log-level info --log-prefix "PACKET FRAGMENTED"
iptables -A INPUT -i eth2 -f -j DROP

# The weakest link
iptables -A INPUT -i eth2 -p tcp --sport 2020 -m state --state NEW,ESTABLISHED -j ACCEPT

# Active FTP
iptables -A INPUT -i eth2 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -s $DNS1 --sport 53 -d $INET_IP2 --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -s $DNS2 --sport 53 -d $INET_IP2 --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d $INET_IP2 --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d 10.50.28.4 --dport 1023:65535 -j ACCEPT

# ICMP
iptables -A OUTPUT -o eth2 -p icmp -j ACCEPT
iptables -A INPUT -i eth2 -p icmp --icmp-type address-mask-reply -j ACCEPT
iptables -A INPUT -i eth2 -p icmp --icmp-type required-option-missing -j ACCEPT
iptables -A INPUT -i eth2 -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -i eth2 -p icmp --icmp-type ip-header-bad -j ACCEPT
iptables -A INPUT -i eth2 -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i eth2 -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
iptables -A INPUT -i eth2 -p icmp --icmp-type source-route-failed -j ACCEPT
iptables -A INPUT -i eth2 -p icmp --icmp-type network-unknown -j ACCEPT
iptables -A INPUT -i eth2 -p icmp --icmp-type echo-reply -j ACCEPT

# Deny ICMP types inbound
iptables -A INPUT -i eth2 -p icmp --icmp-type destination-unreachable -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type network-unreachable -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type host-unreachable -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type protocol-unreachable -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type port-unreachable -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type fragmentation-needed -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type host-unknown -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type network-prohibited -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type host-prohibited -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type TOS-network-unreachable -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type communication-prohibited -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type host-precedence-violation -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type precedence-cutoff -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type source-quench -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type redirect -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type network-redirect -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type host-redirect -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type TOS-network-redirect -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type TOS-host-redirect -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j LOG --log-level info --log-prefix "PING REQUEST"
iptables -A INPUT -i eth2 -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type router-advertisement -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type router-solicitation -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type ttl-zero-during-transit -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type ttl-zero-during-reassembly -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -i eth2 -p icmp --icmp-type timestamp-reply -j ACCEPT
iptables -A INPUT -i eth2 -p icmp --icmp-type address-mask-request -j DROP

echo "NAT enabled for internal network on eth2"
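Putting manthram's DNAT rules (post #2) together with the original poster's addresses (server 192.168.168.10, port 2020, external NICs eth1 and eth2, internal eth0), as an added example that is not code from the thread: it forwards only the FTP control port into the LAN, relies on connection tracking for the replies and the RELATED data connections, and loads the FTP helper with `ports=21,2020`, since by default the helper only follows a control channel on port 21. The `IPT` variable, the function names and the `apply` argument are this example's own; passing `ports=` to both helper modules assumes the 2.4-series `ip_conntrack_ftp`/`ip_nat_ftp` of the era (on current kernels the modules are `nf_conntrack_ftp` and `nf_nat_ftp`, and only the conntrack helper takes `ports=`).

```shell
#!/bin/sh
# Added example, not from the thread: forward an FTP server on
# 192.168.168.10:2020 behind a router with eth0 internal and eth1/eth2
# external. IPT defaults to iptables; set IPT=echo to print the rules
# instead of applying them (dry run, no root needed).
IPT="${IPT:-iptables}"
LAN_IFACE="eth0"
FTP_SERVER="192.168.168.10"   # the OP's server (post #1)
FTP_PORT="2020"               # non-standard control port (post #1)

# Emit the DNAT + FORWARD rules for one external interface.
# $1 = external interface, $2 = internal server IP, $3 = FTP control port
ftp_forward_rules() {
    ext="$1"; srv="$2"; port="$3"
    # Rewrite the destination of inbound control connections to the server.
    "$IPT" -t nat -A PREROUTING -i "$ext" -p tcp --dport "$port" \
        -j DNAT --to-destination "$srv:$port"
    # Let only the new control connection through; everything else that
    # crosses the router for this server must be a tracked reply or a data
    # connection the ftp helper has marked RELATED.
    "$IPT" -A FORWARD -i "$ext" -o "$LAN_IFACE" -p tcp -d "$srv" --dport "$port" \
        -m state --state NEW -j ACCEPT
    "$IPT" -A FORWARD -i "$ext" -o "$LAN_IFACE" -d "$srv" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN_IFACE" -o "$ext" -s "$srv" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# The helper inspects port 21 only unless told otherwise; load it with the
# real control port so PORT/PASV data channels are tracked as RELATED.
# (2.4-era module names and parameters assumed, see the lead-in.)
load_ftp_helper() {
    modprobe ip_conntrack_ftp ports=21,"$FTP_PORT"
    modprobe ip_nat_ftp ports=21,"$FTP_PORT"
}

apply_all() {
    load_ftp_helper
    for ext in eth1 eth2; do
        ftp_forward_rules "$ext" "$FTP_SERVER" "$FTP_PORT"
    done
}

# Only apply when explicitly asked: `sh ftp-forward.sh apply`
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Run with `IPT=echo sh ftp-forward.sh apply` first to review the exact rules before applying them on the router; the FORWARD rules must precede any blanket `-A FORWARD -i eth1 -j ACCEPT` for the narrowing to matter.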