Need help with Firewall Script

I just cant figure out what I am doing wrong.
Its to allow NAT for my OpenVZ Boxes.

Code:

---

#!/bin/bash
#Allow some stuff.
echo 1 > /proc/sys/net/ipv4/ip_forward
##Anti-Flooding
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Here we start our Setup.
#Standaart we Drop All
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#Then we Flush All.
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat

#Accept to FORWARD from eth0 to venet00
iptables -A FORWARD -i venet00 -o eth0 -j ACCEPT

# Allow all inputs to firewall from the internal network and local interfaces
#iptables -A OUTPUT -i venet00 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

# Deny any packet coming in on the public internet interface eth0  which has a spoofed source address from our local networks:
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP

# Accept all tcp SYN packets from interesting protocols.
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 80 --syn -j ACCEPT        #HTTP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 443 --syn -j ACCEPT      #HTTPS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT        #SSH
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 5900/6000 --syn -j ACCEPT #VNC
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 110 --syn -j ACCEPT #POP3
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 25 --syn -j ACCEPT #SMTP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 143 --syn -j ACCEPT #IMAP

# For DHCP server:
#iptables -A INPUT -i eth1 -p tcp --sport 68 --dport 67 -j ACCEPT
#iptables -A INPUT -i eth1 -p udp --sport 68 --dport 67 -j ACCEPT

# Finally, DENY all connection requests to any UDP port not yet provided
iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j ICMP

---

Any help can save me a job :P
Cheers,
Robin

> Are you using iptables logging to see where packets are getting blocked?

> I think this diagram will help. Note that packets not bound for the local machine don't go thru the INPUT chain.

> Any remote machine will not have a route to the network the NAT'ed machines are on. Because of that, you need to either use SNAT or MASQUERADE for packets going out from the NAT machines.

> Instead of using specific TCP flags, you may want to simplify and use the match state options with NEW, RELATED, and ESTABLISHED.

Small iptables script for a gateway machine. (This is a simple setup, but it works.)

Code:

---

### Firewall Startup Script ###
# Define networks first:

EXT_IFACE="eth0"
EXT_IP="10.66.X.X"

INT_IFACE="eth1"
INT_IP="172.0.10.1"

# Load all of the IPTABLES modules:
modprobe ip_conntrack
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe iptable_nat

# Flush the tables in case something is there:
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Set the default policies - DROP/ACCEPT
iptables -P INPUT DROP
# iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# Drop/Create DROP_LOG chain:
iptables -X DROP_LOG
iptables -N DROP_LOG

# Allow anything going to/from the loopback interface:
iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT

##############################
# This builds the INPUT rules:

# Allow anything from internal network:
iptables -A INPUT -i $INT_IFACE -s 172.0.10.0/24 -j ACCEPT

# Allow SSH from any 10.X address going to EXT_IP:
iptables -A INPUT -i $EXT_IFACE -p tcp -s 10.0.0.0/8 -d $EXT_IP --dport 22 -j ACCEPT

# Allow ICMP requests?
iptables -A INPUT -i $EXT_IFACE -p icmp -j ACCEPT

# Drop and log everything else:
iptables -A INPUT -j DROP_LOG

###############################
# Build the DROP_LOG rules:

iptables -A DROP_LOG -j LOG --log-prefix "FW_Logged: "
iptables -A DROP_LOG -j REJECT --reject-with icmp-net-unreachable

###############################
# Build the FORWARD rules:

iptables -A FORWARD -o $EXT_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Moving on to the NAT table:
###############################
# POSTROUTING:

iptables -A POSTROUTING -t nat -o $EXT_IFACE -s 172.0.10.0/24 -d 0/0 -j MASQUERADE

---