I am guessing that ppp0 is the ISP.
Rather than having a -j REJECT for FORWARD, it is probably better to set the default policy to reject, then allow connections that have already been allowed, then allow specific connections that you are happy with. DROP is probably better than REJECT, because REJECT can be used (by spoofing the source) to generate DDOS traffic to other hosts. Something like this (un-tested):
Code:
# Path to the iptables binary (assumed here; the original post leaves $IPTABLES undefined)
IPTABLES=/sbin/iptables
# Masquerade forwarded connections going out to the ISP
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Drop all forwarded connections by default
$IPTABLES -P FORWARD DROP
# Allow connections that have already been allowed to continue to work
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow specific approved connections (LAN host 123.123.123.45 out to the ISP)
$IPTABLES -A FORWARD -i eth0 -o ppp0 -s 123.123.123.45 -j ACCEPT