Well, here are some thoughts on this script. I am not at all sure that, if you make the recommended changes, everything will then be wonderful, but I am sure that it will be different, and probably less broken.
1. On my servers, SSH uses TCP port 22, not 22000.
2. If your intent is to allow DNS queries out of your LAN onto the Internet, and then to permit their replies to return, you need rules in the FORWARD chain, not the INPUT and OUTPUT chains, because those chains are only considered if the destination or source (respectively) is the server itself. In addition, some DNS clients issue queries with dport=53, sport=some_high_port_number, which implies that you need to allow the replies in like this:
Code:
iptables -A FORWARD -i ${extIf} -p udp --sport 53 --dport 1024:65535 -j ACCEPT
3. There seems to be some confusion about SNAT and DNAT in your rules. SNAT is best used to make traffic that originates on your LAN machines appear to come from the server, which has the link to the outside world. Therefore, your first NAT line should probably look like this:
Code:
iptables -t nat -A POSTROUTING -o ${extIf} -s ${desktop} -j SNAT --to-source ${server}
This will take care of connections originating on your desktop machine; you do not need to include any more rules, because any reply packet will automatically be intercepted by the NAT processing when it arrives at the server.
4. To handle forwarding of the given ports to your desktop when the originator is an external source, you need to do port forwarding, thus:
Code:
iptables -t nat -A PREROUTING -i ${extIf} -p tcp -m multiport --dports ${desktopPorts} -j DNAT --to-destination ${desktop}
This rule will forward the specified list of ports to the desktop machine; that machine must specify the server as its default route, so that the replies will pass back through the server and be remapped to appear to have come from the server, not the desktop, address.
5. Once all this works, I think you may be able to eliminate, or at least tighten up, the FORWARD rules, so that you only allow particular kinds of traffic in from the Internet. This is a security measure, to eliminate several kinds of threats that depend on sending in packets to low-numbered ports in the hope that one of the attached daemons will have a bug in it that can be exploited.
6. As a rule, I include not only port qualifiers, but also protocol qualifiers in rules that are designed to permit traffic to and from a given daemon. Mostly, that will be TCP. The main UDP user you will probably need is the rules to permit DNS traffic.
Good luck.
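The points above (DNS through FORWARD, SNAT for LAN-originated traffic, DNAT for published ports, a tightened FORWARD chain, and protocol qualifiers on every daemon rule) fit together as one gateway ruleset. The script below is an added example, not part of the reply above or the original poster's script, that assembles them in the order they need to be applied. It goes slightly beyond the reply in one respect: it admits reply packets with a conntrack ESTABLISHED,RELATED rule, which covers the sport-53 DNS reply rule and the replies to the forwarded ports in one line. The interface names, addresses and port list are constructed placeholders (assumptions), and the commands are echoed rather than executed so the result can be reviewed without root; pipe the output into sh on the gateway to apply it.

```shell
#!/bin/sh
# Added example, not from the original post. All values below are assumed
# placeholders; substitute the real ones for your gateway.
extIf="eth0"             # assumed: interface facing the Internet
lanIf="eth1"             # assumed: interface facing the LAN
server="203.0.113.10"    # assumed: the gateway's public address (TEST-NET-3 range)
desktop="192.168.1.20"   # assumed: the desktop behind the gateway
desktopPorts="80,443"    # assumed: TCP ports published to the desktop

# emit_rule prints one iptables command; replace 'echo' with 'iptables'
# (or pipe the script's output into sh) to apply the rules for real.
emit_rule() {
    echo "iptables $*"
}

build_rules() {
    # Start from empty chains and a deny-by-default FORWARD policy (item 5).
    emit_rule -F
    emit_rule -t nat -F
    emit_rule -P FORWARD DROP

    # Replies to anything the LAN initiated, and to the published ports,
    # come back through this one rule; no per-service reply rules needed.
    emit_rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Item 2 and item 6: DNS from the LAN out to the Internet, with the
    # protocol qualified (UDP for normal queries, TCP for large answers).
    for proto in udp tcp; do
        emit_rule -A FORWARD -i "$lanIf" -o "$extIf" -p "$proto" --dport 53 -j ACCEPT
    done

    # Item 3: traffic originating on the desktop leaves as the server's address.
    emit_rule -t nat -A POSTROUTING -o "$extIf" -s "$desktop" -j SNAT --to-source "$server"

    # Item 4: publish the listed TCP ports. DNAT happens in PREROUTING, so the
    # FORWARD rule that lets the new connection through matches on the desktop
    # address, not the server's.
    emit_rule -t nat -A PREROUTING -i "$extIf" -p tcp -m multiport --dports "$desktopPorts" -j DNAT --to-destination "$desktop"
    emit_rule -A FORWARD -i "$extIf" -o "$lanIf" -p tcp -d "$desktop" -m multiport --dports "$desktopPorts" -m conntrack --ctstate NEW -j ACCEPT

    # Items 1 and 6: SSH to the gateway itself is TCP port 22 on INPUT.
    emit_rule -A INPUT -i "$extIf" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

# count_rules returns the number of commands in the generated ruleset,
# useful as a quick sanity check before applying it.
count_rules() {
    build_rules | wc -l | tr -d ' '
}

build_rules
```

Because every rule is qualified with `-p` and a port match, a typo such as `-dports` (one dash) fails loudly at apply time instead of silently matching nothing, and `-m multiport` is only legal after a `-p tcp` or `-p udp`, which is why the DNAT line carries one.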