LinuxQuestions.org
Old 11-09-2002, 01:50 AM   #1
chris200t
LQ Newbie
 
Registered: Nov 2002
Distribution: Redhat 8.0
Posts: 4

Rep: Reputation: 0
IPTABLES rule file (need help)

Okay, I set up IPTABLES and want it to use the
/etc/sysconfig/iptables rule file as I am using webmin and that's the file it updates. But I am getting an error. Here is what happens:

[root@router rc3.d]# ./S09iptables restart
Flushing all current rules and user defined chains: [ OK ]
Clearing all current rules and user defined chains: [ OK ]
Applying iptables firewall rules: iptables-restore v1.2.6a: Line 3 seems to have a -t table option.

Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[FAILED]
[root@router rc3.d]#


Okay, here is the /etc/sysconfig/iptables file. What am I doing wrong?

-------------------------
# Generated by iptables-save v1.2.5 on Wed Oct 16 17:47:42 2002
*nat
:PREROUTING ACCEPT [11:1351]
-A PREROUTING -t nat -p tcp -d 4.3.2.2 --dport 4899 -j DNAT --to 192.168.4.100:4899
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Oct 16 17:47:42 2002
# Generated by iptables-save v1.2.5 on Wed Oct 16 17:47:42 2002
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state -i eth0 -o eth1 --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -m state -i eth0 -o eth2 --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT
-A FORWARD -m state -i eth0 -o eth3 --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth3 -o eth0 -j ACCEPT
-A FORWARD -m state -i eth0 -o eth4 --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth4 -o eth0 -j ACCEPT
-A FORWARD -p tcp -m tcp -s 192.168.1.0/24 ! -d 192.168.1.0/24 --dport 41031:41900 -j REJECT
-A FORWARD -p tcp -m tcp -m state -i eth0 -o eth4 --dport 4899 --state NEW,ESTABLISHED,RELATED -j ACCEPT -tcp
COMMIT
# Completed on Wed Oct 16 17:47:42 2002
# Generated by webmin
*mangle
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
COMMIT
# Completed
-----------------------

What is wrong with this????
 
Old 11-09-2002, 07:35 AM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
The third line is a rule.
It belongs after the last policy reference...
and doesn't have a '-t nat' in the line.
Should be...

*nat
:PREROUTING ACCEPT [11:1351]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -d 4.3.2.2 --dport 4899 -j DNAT --to 192.168.4.100:4899
COMMIT
# Completed on Wed Oct 16 17:47:42 2002

Last edited by peter_robb; 11-09-2002 at 07:37 AM.
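A small layout checker for iptables-save style files, added here as an example (not code from the thread or from Red Hat's init script), that flags the two problems peter_robb points out: a rule line appearing before the table's policy lines, and a "-t table" option inside a rule. The two sample dumps are constructed from the OP's *nat block and the corrected layout above; the function name is my own.

```python
import re

# Constructed sample dumps: the *nat block as the OP posted it (rule placed
# before the policy lines and carrying "-t nat") and peter_robb's corrected one.
BROKEN_NAT = """\
*nat
:PREROUTING ACCEPT [11:1351]
-A PREROUTING -t nat -p tcp -d 4.3.2.2 --dport 4899 -j DNAT --to 192.168.4.100:4899
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""
FIXED_NAT = """\
*nat
:PREROUTING ACCEPT [11:1351]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -d 4.3.2.2 --dport 4899 -j DNAT --to 192.168.4.100:4899
COMMIT
"""

# Matches "-t nat" / "--table nat" inside a rule; "-tcp" and "--to" do not match.
TABLE_OPT_RE = re.compile(r"(?:^|\s)(?:-t|--table)\s+(\S+)")

def check_iptables_save(text):
    """Return [(line_no, message), ...] for layout problems in an
    iptables-save style dump; an empty list means the layout is sound."""
    problems = []
    table = None        # name of the *table block we are inside, or None
    seen_rule = False   # a rule line has already appeared in this table
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are ignored
        if line.startswith("*"):          # "*nat", "*filter", ...: a new table
            table, seen_rule = line[1:], False
        elif line == "COMMIT":            # ends the current table block
            table = None
        elif table is None:
            problems.append((no, "line outside any *table block"))
        elif line.startswith(":"):        # ":CHAIN POLICY [pkts:bytes]"
            if seen_rule:
                problems.append((no, f"policy line after a rule in *{table}; policies come first"))
        else:                             # "-A CHAIN ..." rule line
            seen_rule = True
            m = TABLE_OPT_RE.search(line)
            if m:
                problems.append((no, f"rule carries '-t {m.group(1)}'; the table is already set by *{table}"))
    return problems
```

Run it over the file before handing it to iptables-restore; the checker only looks at the block layout, not at the match or target options of each rule.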
 
Old 11-09-2002, 07:38 AM   #3
Griffon26
Member
 
Registered: Sep 2001
Location: The Netherlands
Distribution: Gentoo, Debian, Mandrake, LFS
Posts: 182

Rep: Reputation: 30
If you ask me you shouldn't be editing this file directly at all.

I think the best way is to create the rules through a script and then save them.
 
Old 11-09-2002, 07:59 AM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
It's an interesting ruleset...

With a FORWARD policy ACCEPT, there is no need to write ACCEPT rules, unless your last rule is a DROP or REJECT
PREROUTING handles the destination changes.

I personally find it easier (& clearer) to always use interface references in rules so I can be sure which packets are being defined.
I will only make 1 rule when all 3 interfaces have the same definition.

So this line may be confusing unless you remember which packets you are referring to:
-A FORWARD -p tcp -m tcp -s 192.168.1.0/24 ! -d 192.168.1.0/24 --dport 41031:41900 -j REJECT

I personally edit this file directly rather than using a script, to avoid having the delay of flushing and clearing and reloading.
I'll enter the rule by the command line then add it to this file if it works.
If you keep a good backup/copy habit going, you'll only make small mistakes...
 
Old 11-09-2002, 02:30 PM   #5
chris200t
LQ Newbie
 
Registered: Nov 2002
Distribution: Redhat 8.0
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by peter_robb
The third line is a rule.
It belongs after the last policy reference...
and doesn't have a '-t nat' in the line.
Should be...

*nat
:PREROUTING ACCEPT [11:1351]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -d 4.3.2.2 --dport 4899 -j DNAT --to 192.168.4.100:4899
COMMIT
# Completed on Wed Oct 16 17:47:42 2002
Ahhh, I see. Will this rule allow me to NAT inbound to the hosting service at IP 192.168.4.100 on port 4899?
4899 = radmin for a win2k server..
 
Old 11-11-2002, 02:33 PM   #6
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Dunno if I am qualified enough to answer that...

I am used to Micro$oft using a lot of udp services and several ports, 1 for connect and 1 for data etc...
That rule will certainly pass the port, if all the conditions are met...

I don't usually do the -d x.x.x.x in the rule tho'.
I have separate filtering, e.g. 'rp_filter' and a "-d ! x.x.x.x -j DROP" to catch people trying to use me as a gateway from the internet.
 