As I read through I noticed you miss one really important thing: the chain traversal of incoming and outgoing packets. http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-6.html will teach you where you should add your rules.

Don't use MASQUERADE but SNAT if your IP is static.

Try to start your forward chain with the following rules:

    iptables -t filter -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    iptables -t filter -A FORWARD -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
    ### next rule drops icmp source quench, which is not too good an idea
    ### consider adding a rule like
    ### iptables -t filter -A FORWARD -p icmp --icmp-type source-quench -j ACCEPT
    ### before the next rule, and also consider not to do it
    iptables -t filter -A FORWARD -m state --state INVALID -j LOGDROP

and try to start your input chain with (same for output in case of drop policy):

    iptables -t filter -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

(Don't forget to enable IP packet forwarding after you have set up your firewall. Add a line like:

    net/ipv4/ip_forward = 1

into /etc/sysctl.conf and run "sysctl -p".)
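The rule order recommended in the reply above, as an added example that is not part of the original post: a small script that emits the head of the filter table in iptables-restore(8) format, so the whole ordering can be reviewed in one file and loaded atomically instead of one iptables invocation at a time. The reply uses a LOGDROP chain without defining it, so the LOG-then-DROP body here (including the rate limit values) is an assumption, as is the file name fw-head.sh; the DROP policies reflect the "in case of drop policy" remark. A second function checks the one ordering property the reply cares about: the ICMP RELATED,ESTABLISHED accept must sit before the INVALID drop in FORWARD.

```shell
#!/bin/sh
# fw-head.sh (assumed name). Added example, not from the original post.
# Emits the start of the filter table in iptables-restore format.

# Print the first rules of FORWARD, INPUT and OUTPUT plus a LOGDROP chain.
# Lines starting with '#' are ignored by iptables-restore.
gen_filter_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# LOGDROP (assumed definition, the post does not show it): rate-limited log, then drop
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-drop: "
-A LOGDROP -j DROP
# FORWARD 1: clamp MSS on SYNs so links with a reduced MTU do not stall on PMTU
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# FORWARD 2: ICMP belonging to tracked connections (errors for existing flows)
-A FORWARD -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT
# FORWARD 3: accept source-quench explicitly, before the INVALID rule would eat it
-A FORWARD -p icmp --icmp-type source-quench -j ACCEPT
# FORWARD 4: anything conntrack cannot classify is logged and dropped
-A FORWARD -m state --state INVALID -j LOGDROP
# INPUT / OUTPUT: same ICMP-for-tracked-connections rule first
-A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Sanity check on the generated text: in FORWARD, the ICMP RELATED,ESTABLISHED
# accept must appear on an earlier line than the INVALID -> LOGDROP rule.
# Returns 0 when the order is right, 1 otherwise.
check_forward_order() {
    rules="$(gen_filter_rules)"
    est=$(printf '%s\n' "$rules" \
        | grep -n -- '-A FORWARD -p icmp -m state --state RELATED,ESTABLISHED' \
        | cut -d: -f1)
    inv=$(printf '%s\n' "$rules" \
        | grep -n -- '-A FORWARD -m state --state INVALID' \
        | cut -d: -f1)
    [ -n "$est" ] && [ -n "$inv" ] && [ "$est" -lt "$inv" ]
}

# Usage: sh fw-head.sh print   -> emit the ruleset
#        sh fw-head.sh check   -> verify the FORWARD ordering
case "${1:-}" in
    print) gen_filter_rules ;;
    check) check_forward_order && echo "forward order ok" ;;
esac
```

Validate the syntax without touching the live tables with `sh fw-head.sh print | iptables-restore --test`; loading it for real replaces the filter table, so the rest of your ruleset belongs in the same file before COMMIT. The `-m state` match is kept to mirror the reply; on current kernels `-m conntrack --ctstate` is the equivalent spelling.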