LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 09-24-2005, 08:58 AM   #1
muru
LQ Newbie
 
Registered: Sep 2005
Posts: 15

Rep: Reputation: 0
IP Tables help


Hi, please help me with these iptables rules.

I have arranged a small private LAN (192.168.1.0/24). Following are some specs I have configured,

192.168.1.10 dns
192.168.1.11 sendmail
192.168.1.12 apache | vsftp | smb
AND the clients 192.168.1.20 - 192.168.1.25

Apart from the above I want to allow SSH on all the machines.
And also allow pinging (SNMP) within the LAN.

In addition to the above I have configured a GW
(outside eth1 192.168.0.100 and inside eth0 192.168.1.1)
I have already put some masquerade rules to allow my private LAN clients to access the internet thru the GW and it is working fine.

The rules are as follows,

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -s ! 192.168.1.0/24 -j DROP

Considering rules 3 and 4: I see a conflict. Rule 3 says whatever the source is, if the destination is the specified one then forward. And rule 4 says if the source is NOT the specified one then drop.
Does that mean that you first check the destination, and if it matches then you forward, otherwise you then check the source and if it does NOT match you drop? Is that correct?

OK. Now what I actually want is a set of RULES (separately for the SERVERS and Clients) to do ONLY the above-mentioned and shut down everything else.

Gee, thanks in advance
 
Old 09-24-2005, 02:31 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
The rules are evaluated in order, one after the next, until the packet matches a terminating target (ACCEPT/DROP). Once the packet matches, no more rules will be evaluated. So rule order is very important. Your rules would look like this:
If source is 192.168.1.0/24 then forward
If destination is 192.168.1.0/24 then forward
If source is not 192.168.1.0/24 then drop packet.

I would at the very least recommend that you include in the rule the interface that the traffic should be passing through to reduce spoofing. Like this:
iptables -A FORWARD -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.1.0/24 -j ACCEPT

You'll also need to define default policies for the firewall and add rules to block traffic going to the firewall itself. This is a very minimal configuration you can use:
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -s ! 192.168.1.0/24 -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

However, I would recommend removing the second to last rule as it is unnecessary. Also I'm kind of unsure of what kind of traffic you'd like to allow through the firewall. Do you only need the LAN systems to be able to access the internet, or do you need to allow machines outside the LAN to have access to those services inside the LAN (dns, sendmail, apache)? If you only need to allow internet access to the clients, then you can tighten access even further.

Last edited by Capt_Caveman; 09-24-2005 at 02:32 PM.
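To make the first-match point above concrete, here is an added example (not code from either poster): a toy evaluator that walks an ordered FORWARD rule list exactly the way Capt_Caveman describes, stopping at the first terminating target and falling back to the chain policy otherwise. It assumes nothing beyond the thread's addresses and interface names; matching is simplified to shell patterns on dotted quads ("192.168.1.*" stands in for 192.168.1.0/24), and the sample packets use the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 as constructed Internet hosts.

```shell
#!/bin/sh
# Added example, not code from the thread: a toy first-match evaluator that
# mimics how the FORWARD chain walks its rules top to bottom and stops at the
# first terminating target (ACCEPT/DROP), falling back to the chain policy.
# Matching is simplified to shell patterns on dotted-quad strings
# ("192.168.1.*" stands in for 192.168.1.0/24); real iptables matches CIDRs.
#
# Rule line format: "<in-iface> <src> <dst> <target>"
#   "*" matches anything, a leading "!" negates the pattern (like "-s !").

# match_field PATTERN VALUE: succeed when VALUE matches PATTERN
match_field() {
    pat=$1
    val=$2
    neg=0
    case "$pat" in
        '!'*) neg=1; pat=${pat#!} ;;
    esac
    case "$val" in
        $pat) hit=0 ;;
        *)    hit=1 ;;
    esac
    # plain pattern: success when it hit; negated pattern: success when it missed
    [ "$hit" -eq "$neg" ]
}

# evaluate RULES POLICY IFACE SRC DST: print the verdict for one packet
evaluate() {
    rules=$1; policy=$2; iface=$3; src=$4; dst=$5
    verdict=$(printf '%s\n' "$rules" | while read -r r_if r_src r_dst r_target; do
        [ -n "$r_target" ] || continue
        if match_field "$r_if" "$iface" && match_field "$r_src" "$src" \
            && match_field "$r_dst" "$dst"; then
            echo "$r_target"   # first match wins; later rules are never consulted
            break
        fi
    done)
    echo "${verdict:-$policy}"
}

# muru's FORWARD rules from post #1 (his rules 2, 3 and 4), evaluated under the
# default ACCEPT policy of a chain whose policy has not been set.
ORIG_RULES='* 192.168.1.* * ACCEPT
* * 192.168.1.* ACCEPT
* !192.168.1.* * DROP'

# Capt_Caveman's interface-bound rules from post #2 under a FORWARD policy of DROP.
IFACE_RULES='eth0 192.168.1.* * ACCEPT
eth1 * 192.168.1.* ACCEPT'

# Constructed sample packets.
demo() {
    printf 'outside host -> LAN server, original rules:    %s\n' \
        "$(evaluate "$ORIG_RULES" ACCEPT eth1 203.0.113.5 192.168.1.12)"   # ACCEPT: "-d LAN" matches before "-s ! LAN" is reached
    printf 'LAN source address arriving on eth1, original: %s\n' \
        "$(evaluate "$ORIG_RULES" ACCEPT eth1 192.168.1.50 198.51.100.7)"  # ACCEPT: forwarded as if it came from the LAN
    printf 'LAN source address arriving on eth1, bound:    %s\n' \
        "$(evaluate "$IFACE_RULES" DROP eth1 192.168.1.50 198.51.100.7)"   # DROP: no rule matches, the policy applies
    printf 'LAN client out via eth0, bound:                %s\n' \
        "$(evaluate "$IFACE_RULES" DROP eth0 192.168.1.20 198.51.100.7)"   # ACCEPT
}
demo
```

The second and third sample packets show why tying each rule to an interface matters: with the original rules a packet carrying a LAN source address is accepted no matter which interface it arrived on, while the interface-bound rules leave it to the DROP policy.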
 
Old 09-26-2005, 05:36 AM   #3
muru
LQ Newbie
 
Registered: Sep 2005
Posts: 15

Original Poster
Rep: Reputation: 0
To Capt_caveman
First of all sorry for replying late, I was out.
Thanks for your reply and for pointing out that I should include the interfaces.

And the answer for your question is that: I only want the LAN to access the Internet thru my GW and nothing else. So, tell me how I can tighten the firewall further.

Thanks
 
Old 09-27-2005, 11:39 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
In that case, this would restrict access further:
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -A FORWARD -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Keep in mind that this is an absolutely bare minimum script and I would recommend logging/dropping bad packets (like "new not syn" and the bogon IP addresses).
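The post #4 rule set with the two additions mentioned at its end written out, as an added example rather than Capt_Caveman's own script. It assumes the interface layout from muru's description (eth0 inside, eth1 outside at 192.168.0.100), a constructed bogon list, a 5/min rate limit on the LOG rules, and a hypothetical file name fw.sh; IPT defaults to "echo" so that running it as-is only prints the commands.

```shell
#!/bin/sh
# Added example, not Capt_Caveman's script: his post #4 rule set for the
# gateway (eth0 = LAN side 192.168.1.1, eth1 = outside 192.168.0.100) plus the
# two additions he recommends, log-and-drop of "new not syn" TCP packets and
# of bogon source addresses. IPT defaults to "echo", so running the file
# as-is is a dry run that prints the commands; apply for real with
#     IPT=iptables sh fw.sh        (as root; fw.sh is an assumed file name)

IPT=${IPT:-echo}
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.1.0/24

# Constructed bogon list. 192.168.0.0/16 is deliberately NOT in it because the
# gateway's own outside address (192.168.0.100) sits in that range; the LAN's
# own prefix is added separately so that it is dropped when seen on eth1.
BOGONS="10.0.0.0/8 172.16.0.0/12 127.0.0.0/8 0.0.0.0/8 169.254.0.0/16"

# log_and_drop CHAIN PREFIX MATCH...: rate-limited LOG rule followed by DROP
log_and_drop() {
    chain=$1; prefix=$2; shift 2
    $IPT -A "$chain" "$@" -m limit --limit 5/min -j LOG --log-prefix "$prefix"
    $IPT -A "$chain" "$@" -j DROP
}

fw_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -P OUTPUT ACCEPT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT

    # 1. Anti-spoofing: private/bogon sources, and our own LAN prefix, must
    #    never arrive on the outside interface.
    for net in $LAN_NET $BOGONS; do
        log_and_drop INPUT   "BOGON-IN: "  -i "$WAN_IF" -s "$net"
        log_and_drop FORWARD "BOGON-FWD: " -i "$WAN_IF" -s "$net"
    done

    # 2. "New not syn": a TCP packet that would open a new connection-tracking
    #    entry without the SYN flag set (stray or malformed segments).
    for chain in INPUT FORWARD; do
        log_and_drop "$chain" "NEW-NOT-SYN: " -p tcp ! --syn -m state --state NEW
    done

    # 3. Capt_Caveman's minimal gateway rules from post #4.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Uncomment to allow SSH to the gateway itself from the LAN (muru wants SSH
    # on all machines; the INPUT chain above would otherwise drop it):
    # $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
}

fw_rules
```

The dry run is worth keeping as a habit: diffing the printed commands against `iptables -S` after applying them is a quick way to confirm that the order in the running chains matches the order intended here, which, as post #2 explains, is what decides the verdict.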
 
  

