This is my first endeavor with IPTables in many years. I've successfully installed the Sveasoft Alchemy firmware onto my WRT54G Linksys router. What I'm looking for here is a 2nd pair of eyes that is more familiar with IPTables to look over my ruleset before I actually implement them. I'm hoping that someone/anyone can point out inconsistancies/errors/security holes that I may be introducing into my router and LAN. I've documented what every ruleset should be (as far as I know). In a nutshell, I'm just looking for feedback on these rules. Any input would be greatly appreciated..
One thing that I need clarified is the different between DROP and DROPl (lower case L in the 2nd DROP....)
Thanks in advance......
For easier reading, I've placed it on my server:
http://www.skepticshour.com/extra/firewall.txt
Code:
##
## Some basic information on my network:
##
## My ISP has assigned me 2 public IP addresses
##
## One IP address is designated for all LAN traffic (assigned to WAN/vlan1/eth0)
## not including any one-to NAT mappings.
##
## One IP address is designated for a one-to-one NAT map (virtual, assigned to vlan1:1/eth0:1)
## for my public server. PUBLIC_IP_#2 --> 192.168.4.x
##
## Private LAN subnet is: 192.168.4.0/24
##
## ** WAN == vlan1 == eth0
## ** LAN == br0
## The above port names are all the same device, respectively. NOTE: To configure the interfaces,
## it is vlan1 and br0.
##
##
## Configure vlan1 with both IPs (or more)
## Add IP address to WAN interface (virtual IP)
## The first one will always be the interface IP,
## while the rest are simply virtual IPs for that interface....
## The following 2 commands are specific to the router (or maybe not)
##
/usr/sbin/ifconfig vlan1 PUBLIC_IP_#1/24 netmask 255.255.255.0
/usr/sbin/ip addr add PUBLIC_IP_#2/24 brd + dev vlan1
##
## Flush rules and delete chains
##
/usr/sbin/iptables -F
/usr/sbin/iptables -X
##
## Block out Internet access on vlan1
##
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P OUTPUT DROP
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/iptables -A INPUT -i vlan1 -m state --state NEW,INVALID -j DROP
/usr/sbin/iptables -A FORWARD -i vlan1 -m state --state NEW,INVALID -j DROP
##
## Now we are going to accpet all traffic from our loopback device
## if the IP matches any of our interfaces.
##
/usr/sbin/iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
/usr/sbin/iptables -A INPUT -i lo -s vlan1 -j ACCEPT
/usr/sbin/iptables -A INPUT -i lo -s br0 -j ACCEPT
##
## Block Broadcasts
##
/usr/sbin/iptables -A INPUT -i vlan1 -d 255.255.255.255 -j DROPl
/usr/sbin/iptables -A INPUT -i br0 -d 192.168.4.255 -j DROPl
/usr/sbin/iptables -A OUTPUT -o vlan1 -d 255.255.255.255 -j DROPl
/usr/sbin/iptables -A OUTPUT -o br0 -d 192.168.4.255 -j DROPl
/usr/sbin/iptables -A FORWARD -o vlan1 -d 255.255.255.255 -j DROPl
/usr/sbin/iptables -A FORWARD -o br0 -d 192.168.4.255 -j DROPl
##
## Block WAN access to internal network
## *****
## I'm unsure about this one. Should I replace
## the PUBLIC_IPs to my internal subnet?????
## *****
##
/usr/sbin/iptables -A INPUT -i vlan1 -d ! PUBLIC_IP_#2 -j DROPl
/usr/sbin/iptables -A INPUT -i vlan1 -d ! PUBLIC_IP_#1 -j DROPl
OR
/usr/sbin/iptables -A INPUT -i vlan1 -d ! 192.168.4.0/255.255.255.0 -j DROPl
/usr/sbin/iptables -A INPUT -i vlan1 -d ! 192.168.4.0/255.255.255.0 -j DROPl
##
## Block all addresses except local networks
##
/usr/sbin/iptables -A INPUT -i br0 -s ! 192.168.4.0/255.255.255.0 -j DROPl
/usr/sbin/iptables -A OUTPUT -o br0 -d ! 192.168.4.0/255.255.255.0 -j DROPl
/usr/sbin/iptables -A FORWARD -i br0 -s ! 192.168.4.0/255.255.255.0 -j DROPl
/usr/sbin/iptables -A FORWARD -o br0 -d ! 192.168.4.0/255.255.255.0 -j DROPl
##
## Block popular attacks to TCP ports
## All rules here were found elsewhere
##
/usr/sbin/iptables -A INPUT -p tcp --dport 0:1 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 0:1 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 0:1 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 13 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 13 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 13 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 98 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 98 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 98 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 111 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 111 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 111 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 137:139 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 137:139 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 137:139 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 161:162 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 161:162 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 161:162 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 445 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 445 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 445 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 1214 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 1214 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 1214 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 1999 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 1999 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 1999 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 2049 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 2049 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 2049 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 3049 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 3049 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 3049 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 3821 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 3821 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 3821 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 4329 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 4329 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 4329 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 6346 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 6346 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 6346 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 8000 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 8000 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 8000 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 8008 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 8008 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 8008 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 8080 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 8080 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 8080 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 12345 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 12345 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 12345 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 65535 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 65535 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 65535 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 98 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 98 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 98 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 512:515 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 512:515 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 512:515 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 1080 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 1080 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 1080 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 6000:6009 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 6000:6009 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 6000:6009 -j DROPl
/usr/sbin/iptables -A INPUT -p tcp --dport 6112 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 6112 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 6112 -j DROPl
##
## Block popular attacks to UCP ports
## All rules here were found elsewhere
##
/usr/sbin/iptables -A INPUT -p udp --dport 0:1 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 0:1 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 0:1 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 13 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 13 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 13 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 98 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 98 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 98 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 111 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 111 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 111 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 137:139 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 137:139 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 137:139 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 161:162 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 161:162 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 161:162 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 445 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 445 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 445 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 1214 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 1214 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 1214 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 1999 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 1999 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 1999 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 2049 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 2049 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 2049 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 3049 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 3049 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 3049 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 3128 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 3128 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 3128 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 4329 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 4329 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 4329 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 6346 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 6346 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 6346 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 8000 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 8000 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 8000 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 8008 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 8008 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 8008 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 8080 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 8080 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 8080 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 12345 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 12345 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 12345 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 65535 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 65535 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 65535 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 161:162 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 161:162 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 161:162 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 520 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 520 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 520 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 123 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 123 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 123 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 517:518 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 517:518 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 517:518 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 1427 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 1427 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 1427 -j DROPl
/usr/sbin/iptables -A INPUT -p udp --dport 9000 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 9000 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 9000 -j DROPl
##
## Allow LAN to use TCP services
##
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport domain --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport ssh --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport http --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport https --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport ftp --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport ftp-data --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport mail --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport pop3 --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport time --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport rsync --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport domain --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport ssh --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport http --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport https --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport ftp --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport ftp-data --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport mail --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport pop3 --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport time --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport rsync --syn -m state --state NEW -j ACCEPT
##
## Allow LAN to use UDP services
##
/usr/sbin/iptables -A OUTPUT -o vlan1 -p udp -s PUBLIC_IP_#1 --dport domain -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p udp -s PUBLIC_IP_#1 --dport time -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p udp -s 192.168.4.0/255.255.255.0 --dport domain -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p udp -s 192.168.4.0/255.255.255.0 --dport time -m state --state NEW -j ACCEPT
##
## Allow router and internal network to ping the outside world
##
/usr/sbin/iptables -A OUTPUT -o vlan1 -p icmp -s PUBLIC_IP_#1 --icmp-type 8 -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p icmp -s 192.168.4.0/255.255.255.0 --icmp-type 8 -m state --state NEW -j ACCEPT
##
## Allow firewall to ping internal systems
##
/usr/sbin/iptables -A OUTPUT -o br0 -p icmp -s 192.168.4.0/255.255.255.0 --icmp-type 8 -m state --state NEW -j ACCEPT
##
## Block outbound ICMP (except for PING)
##
/usr/sbin/iptables -A OUTPUT -o vlan1 -p icmp --icmp-type ! 8 -j DROPl
/usr/sbin/iptables -A FORWARD -o vlan1 -p icmp --icmp-type ! 8 -j DROPl
##
## Block all inbound ICMP from internet
##
/usr/sbin/iptables -A INPUT -d ! 192.168.4.0/255.255.255.0 -p icmp -j DROPl
##
## Enable masquerading to allow LAN internet access
##
/usr/sbin/iptables -t nat -A PREROUTING -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o vlan1 -s 192.168.4.0/255.255.255.0 -j MASQUERADE
/usr/sbin/iptables -t nat -A POSTROUTING -j ACCEPT
/usr/sbin/iptables -t nat -A OUTPUT -j ACCEPT
##
## Forward LAN traffic from br0 to Internet interface vlan1
##
/usr/sbin/iptables -A FORWARD -i br0 -o vlan1 -m state --state NEW,ESTABLISHED -j ACCEPT
##
## Allowing access to sshd from local network only
##
/usr/sbin/iptables -A INPUT -s 192.168.4.0/255.255.255.0 --protocol tcp --dport 22 -j ACCEPT
##
## Allowing access httpd from local network only
##
/usr/sbin/iptables -A INPUT -s 192.168.4.0/255.255.255.0 --protocol tcp --dport 80 -j ACCEPT
##
## Forward specific ports to internal nodes
## Forwarding these requests are based on requests
## made to PUBLIC_IP_#1
##
/usr/sbin/iptables -I PREROUTING -t nat -d PUBLIC_IP_#1 --dports 4661:4672 -j DNAT --to-destination 192.168.4.20
/usr/sbin/iptables -I PREROUTING -t nat -d PUBLIC_IP_#1 --dports 5631:5632 -j DNAT --to-destination 192.168.4.241
/usr/sbin/iptables -I PREROUTING -t nat -d PUBLIC_IP_#1 --dports 6900:6981 -j DNAT --to-destination 192.168.4.20
/usr/sbin/iptables -I PREROUTING -t nat -d PUBLIC_IP_#1 --dports 8002:8004 -j DNAT --to-destination 192.168.4.241
##
## One-to-one NAT mapping
##
/usr/sbin/iptables -I PREROUTING -t nat -d PUBLIC_IP_#2 -j DNAT --to-destination 192.168.4.240
##
## Allow outside requests to services be forwarded
##
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol tcp --dport 21 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol tcp --dport 25 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol udp --dport 53 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol tcp --dport 80 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol tcp --dport 110 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol tcp --dport 420 -j ACCEPT
##
## Outbound NAT
##
/usr/sbin/iptables -I POSTROUTING -t nat -s 192.168.4.240 -j SNAT --to PUBLIC_IP_#2
##
## Drop all packets to destination/sources not specified in
## previous rules
##
/usr/sbin/iptables -A INPUT -j DROPl
/usr/sbin/iptables -A OUTPUT -j DROPl
/usr/sbin/iptables -A FORWARD -j DROPl