if this is not in the right forum, please move as needed.

threw this in a bash script


/sbin/iptables -P INPUT DROP
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT DROP

logger -t iptables Flushing tables
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -F -t nat
/sbin/iptables -X
/sbin/iptables -Z

# create DUMP table
/sbin/iptables -N DUMP
/sbin/iptables -F DUMP
# limited logs
/sbin/iptables -A DUMP -p icmp -m limit --limit 1/m --limit-burst 5 -j LOG --log-prefix "IPT ICMPDUMP: "
/sbin/iptables -A DUMP -p tcp -m limit --limit 1/m --limit-burst 5 -j LOG --log-prefix "IPT TCPDUMP: "
/sbin/iptables -A DUMP -p udp -m limit --limit 1/m --limit-burst 5 -j LOG --log-prefix "IPT UDPDUMP: "

/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset

#/sbin/iptables -A DUMP -p udp -j REJECT --reject-with--icmp-port-unreachable
/sbin/iptables -A DUMP -j DROP
/sbin/iptables -N STATEFUL
/sbin/iptables -F STATEFUL
/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A STATEFUL -m state --state NEW -i ! ${IFext} -j ACCEPT
/sbin/iptables -A STATEFUL -j DUMP
/sbin/iptables -N SSH
/sbin/iptables -F SSH
/sbin/iptables -A SSH -i ! ${IFext} -j RETURN
/sbin/iptables -A SSH -m recent --name SSH --set --rsource
/sbin/iptables -A SSH -m recent ! --rcheck --seconds 60 --hitcount 3 --name SSH --rsource -j RETURN
/sbin/iptables -A SSH -j DUMP
/sbin/iptables -N SYN-FLOOD
/sbin/iptables -F SYN-FLOOD
/sbin/iptables -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
/sbin/iptables -A SYN-FLOOD -j DROP

/sbin/iptables -A INPUT -i ${IFext} -p tcp --syn -j SYN-FLOOD
/sbin/iptables -A INPUT -p tcp -i ${IFext} ! --syn -m state --state NEW -j DROP

# watch out for fragments
/sbin/iptables -A INPUT -i ${IFext} -f -j LOG --log-prefix "IPT FRAGMENTS: "
/sbin/iptables -A INPUT -i ${IFext} -f -j DROP

logger -t iptables Setting input/output rules
# allow loopback in
/sbin/iptables -A INPUT -i lo -j ACCEPT

# allow loopback and LAN out
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
/sbin/iptables -A OUTPUT -p ALL -s ${lannet} -j ACCEPT

/sbin/iptables -I INPUT -p tcp -i ${IFext} --dport ssh -m state --state NEW -j SSH

logger -t iptables Turning on NAT
# masquerade from internal network
/sbin/iptables -t nat -A POSTROUTING -s ${lannet} -o ${IFext} -j MASQUERADE

logger -t iptables Finish up
# push everything else to state table
/sbin/iptables -A INPUT -j STATEFUL
/sbin/iptables -A FORWARD -j STATEFUL
/sbin/iptables -A OUTPUT -j STATEFUL

/sbin/iptables -A INPUT -p tcp -i ${IFext} --dport ssh -m state --state NEW -j SSH
/sbin/iptables -A INPUT -p tcp -i ${IFext} --dport ssh -j ACCEPT

iptables -t nat -A PREROUTING -p tcp -i eth0 -d MY.IP.IM.HIDING --dport 54 -j DNAT --to
iptables -A INPUT -p tcp -m state --state NEW --dport 54 -i eth0 -j ACCEPT

generic rules found on the net and modded as needed. when i run this script ALL inbound connections from WAN are refused. the fowarding rule if NOT run in the script, try to conenct to 54 from wan, and it just "hangs". to undo all this i sem to need to have to run ipmasq. all outbound from LAN works fine, nat works as well. ubuntu 6.10 server.