This is my sample script:
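#!/usr/bin/env bash
# rc.firewall-2.4: a simple masquerading firewall for one external interface
# and three internal ones.  FORWARD policy is DROP: each internal interface may
# open connections out through EXTIF, and only replies to those connections are
# forwarded back in.  INPUT and OUTPUT policies are left at ACCEPT, so this
# script filters forwarded traffic only, not traffic to the firewall host itself.
# Must run as root.
#
# The pasted original had its line breaks collapsed, which turned the variable
# assignments into a one-shot environment for an echo call; they are restored
# here as real assignments.
set -u

readonly FWVER=0.63
readonly IPTABLES=/sbin/iptables
readonly EXTIF="eth1"    # interface facing the Internet (masqueraded)
readonly INTIF1="eth0"   # internal interfaces allowed out through EXTIF
readonly INTIF2="ppp0"
readonly INTIF3="ppp1"

# Print an error to stderr and stop.  A half-applied rule set (for example
# policies set but rules missing) is worse than a clean failure.
die() { printf 'rc.firewall: %s\n' "$*" >&2; exit 1; }

# Run iptables with the given arguments; abort if the rule is rejected so a
# typo cannot silently leave the FORWARD chain more open than intended.
fw() { "$IPTABLES" "$@" || die "iptables $* failed"; }

# Load the netfilter and NAT helper modules.  Failure to load one is reported
# but not fatal: the module may already be loaded or built into the kernel.
load_modules() {
  local mod
  printf ' loading modules: '
  echo " - Verifying that all kernel modules are ok"
  /sbin/depmod -a || printf 'rc.firewall: depmod -a failed\n' >&2
  for mod in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
             iptable_nat ip_nat_ftp; do
    printf '%s, ' "$mod"
    /sbin/insmod "$mod" 2>/dev/null \
      || printf 'rc.firewall: could not load %s\n' "$mod" >&2
  done
  echo ". Done loading modules."
}

# Turn on IP forwarding and dynamic-address handling through /proc.
enable_forwarding() {
  echo " enabling forwarding.."
  echo "1" > /proc/sys/net/ipv4/ip_forward || die "cannot enable ip_forward"
  echo " enabling DynamicAddr.."
  echo "1" > /proc/sys/net/ipv4/ip_dynaddr || die "cannot enable ip_dynaddr"
}

# Flush every chain and set the default policies (FORWARD is DROP).
reset_rules() {
  echo " clearing any existing rules and setting default policy.."
  fw -P INPUT ACCEPT
  fw -F INPUT
  fw -P OUTPUT ACCEPT
  fw -F OUTPUT
  fw -P FORWARD DROP
  fw -F FORWARD
  fw -t nat -F
}

# Allow each internal interface out through EXTIF and only replies back in.
# Packets rewritten by a DNAT rule in the nat PREROUTING chain still traverse
# FORWARD, so a port forwarded to an internal host needs its own narrowly
# scoped ACCEPT here instead of an ACCEPT policy, e.g.
#   fw -A FORWARD -i "$EXTIF" -p tcp -d 192.168.1.2 --dport 4899 \
#      -m state --state NEW -j ACCEPT
# placed before the LOG rule.
add_forward_rules() {
  local intif
  echo " FWD: Allow all connections OUT and only existing and related ones IN"
  for intif in "$INTIF1" "$INTIF2" "$INTIF3"; do
    fw -A FORWARD -i "$EXTIF" -o "$intif" \
       -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -A FORWARD -i "$intif" -o "$EXTIF" -j ACCEPT
  done
  # Everything not matched above is logged and then dropped by the policy.
  # No -m limit is applied, so a burst of refused packets is logged in full.
  fw -A FORWARD -j LOG
}

# Masquerade everything leaving via the external interface.
add_nat_rules() {
  fw -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

main() {
  printf '\n\nLoading simple rc.firewall version %s..\n' "$FWVER"
  echo " External Interface: $EXTIF"
  echo " Internal Interface: $INTIF1"
  echo " Internal Interface: $INTIF2"
  echo " Internal Interface: $INTIF3"
  load_modules
  enable_forwarding
  reset_rules
  add_forward_rules
  add_nat_rules
  printf '\nrc.firewall-2.4 v%s done.\n' "$FWVER"
}

main "$@"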
[root@delllinux rc.d]# !ip
iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            LOG level warning
[root@delllinux rc.d]# iptables -t nat -A PREROUTING --dst 192.168.2.90 -p tcp --dport 4899 -j DNAT --to-destination 192.168.1.2

My problem is that, for the iptables command above to work, I have to issue the command "iptables -P FORWARD ACCEPT". Can anyone tell me how to allow just certain forwarding so I can set the default to DENY? And is this firewall script secure enough?