Yeah I thought I recognised some of it.
Lines like this will allow external people to fake internal-IP-sourced packets to your system, as you're accepting from -s and not on a particular network card.
$IPT -A INPUT -s 192.168.4.0/24 -p tcp --destination-port 53 -j ACCEPT
$IPT -A INPUT -s 192.168.4.0/24 -p udp --destination-port 53 -j ACCEPT
To do it correctly you need two network cards, the first with the outside IP, the second with your internal IP.
Then only accept to the internal card.
example:
$IPT -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
(eth0 being the external interface.)
or
$IPT -A INPUT -i eth1 -s 192.168.4.0/24 -p tcp --destination-port 53 -j ACCEPT
(eth1 being the internal interface.)
Also, you're giving too much info away in the ICMP accepts.
On your external NIC drop all ICMPs except:
--icmp-type required-option-missing -j ACCEPT
--icmp-type parameter-problem -j ACCEPT
--icmp-type ip-header-bad -j ACCEPT
--icmp-type TOS-host-unreachable -j ACCEPT
--icmp-type source-route-failed -j ACCEPT
--icmp-type network-unknown -j ACCEPT
--icmp-type echo-reply -j ACCEPT
Also drop this rule with the main ones.
Yours:
#Set default policies
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
Should be:
iptables -F
iptables -X
iptables -F -t nat
iptables -P INPUT DROP
# if you don't trust your network then DROP outputs and make rules
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -i eth0 -p igmp -j LOG --log-level info --log-prefix "** Bad faked IGMP's **"
iptables -A FORWARD -i eth0 -p igmp -j DROP
iptables -P FORWARD DROP
Otherwise it looks ok.
/raz