----------
+++++ Contributed by Jem Berkes +++++

I'm somewhat new to iptables as well, but I think I have the hang of it.
Note that this is a firewall script used on a multipurpose machine: it has
some servers, and is also a masquerading gateway. But with the current setup
everything seems to be working perfectly (including FTP connections). INTIF
and EXTIF refer to internal and external interfaces. TCP_SERVICES are the
servers that I'm running.

#!/bin/sh
INTIF=eth0
EXTIF=ppp0
TCP_SERVICES="21,22,25,80,113"

# Connection-tracking helpers so active/passive FTP data connections are
# classified as RELATED and pass the stateful rules below.
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp

# Set the default-deny policies before flushing, so there is no window with
# an empty ACCEPT-policy chain while the rules are being rebuilt.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING

# Kernel guard against SYN flooding
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# INPUT: replies to connections we opened, new connections to the listed TCP
# services from outside, and anything new from the LAN or loopback.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state NEW -p tcp -m multiport \
    --dports $TCP_SERVICES -j ACCEPT
iptables -A INPUT -i $INTIF -m state --state NEW -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
# Everything else falls through to the DROP policy; log it first.
iptables -A INPUT -j LOG --log-prefix "FW_INPUT "

# FORWARD: LAN hosts may open anything outbound; only replies come back in.
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FW_FORWARD "

# Masquerade LAN traffic leaving on the dial-up interface.
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
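The two LOG rules above record every packet that reaches the DROP policy, with
the prefixes FW_INPUT and FW_FORWARD, so the kernel log becomes a record of
what the firewall refused. The script below is an added example, not part of
the contributed script: it summarises those log lines by prefix, source
address, protocol and destination port, and lists sources that probed several
distinct ports (a crude scan detector). The log lines in FW_LOG_SAMPLE are
constructed for the example, using documentation addresses, in the field
layout the kernel's LOG target produces; the threshold of five ports is an
arbitrary default.

```shell
#!/bin/sh
# Added example: summarise iptables LOG output from the FW_INPUT / FW_FORWARD
# rules. Reads syslog-style kernel log lines from files given as arguments or
# from stdin. Not part of the contributed firewall script.

# Print "count prefix src proto dport" for each distinct drop, most frequent
# first. A packet without a port (e.g. ICMP) is shown with "-" as the port.
fw_log_summary() {
    awk '
    /FW_INPUT |FW_FORWARD / {
        prefix = ""; src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "FW_INPUT" || $i == "FW_FORWARD") prefix = $i
            else if ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (prefix != "" && src != "") {
            if (dpt == "") dpt = "-"
            count[prefix " " src " " proto " " dpt]++
        }
    }
    END { for (k in count) print count[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2,2 -k3,3 -k4,4 -k5,5n
}

# Print "src distinct_ports" for every source that hit at least $1 distinct
# destination ports (default 5); a quick way to spot port scans in the drops.
fw_scan_sources() {
    min="${1:-5}"
    if [ $# -gt 0 ]; then shift; fi
    awk -v min="$min" '
    /FW_INPUT |FW_FORWARD / {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)      src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # count each (src, port) pair once, however many packets it sent
        if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] >= min) print s, ports[s] }
    ' "$@" | LC_ALL=C sort -k2,2nr -k1,1
}

# Constructed sample log (not a real capture): three telnet probes and one
# SMB probe from 203.0.113.5, a NetBIOS probe and a ping from 203.0.113.9,
# and one unrelated sshd line that must be ignored.
FW_LOG_SAMPLE='Mar  3 10:00:01 gw kernel: FW_INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:00:02 gw kernel: FW_INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=2 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:00:03 gw kernel: FW_INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=3 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:00:04 gw kernel: FW_INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar  3 10:00:05 gw kernel: FW_FORWARD IN=ppp0 OUT=eth0 MAC= SRC=203.0.113.5 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=5 DF PROTO=TCP SPT=40003 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:00:06 gw kernel: FW_INPUT IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar  3 10:00:08 gw sshd[123]: Accepted publickey for jem from 192.168.1.10 port 51000 ssh2'

# Run the sample through both reports when FW_DEMO=1 is set in the environment.
if [ "${FW_DEMO:-0}" = 1 ]; then
    printf '%s\n' "$FW_LOG_SAMPLE" | fw_log_summary
    printf '%s\n' "$FW_LOG_SAMPLE" | fw_scan_sources 2
fi
```

On the real box the same functions read the kernel log directly, e.g.
`fw_log_summary /var/log/messages` or `fw_scan_sources 10 /var/log/messages`.
The "FW_INPUT " prefix includes a trailing space in the script, which is why the
awk patterns match the prefix followed by a space and not, say, a line that
merely mentions the word elsewhere.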