My recommendations

Write scripts!

Scripts will be written in as many ways as there are people writing them. Just be sure to test them to make sure they are effective. This is the world of openness. It is OK to copy someone else's and edit it for your own purposes and to your own tastes.

For each packet traversing a chain, once an ACCEPT, REJECT or DROP target is reached, processing for that packet is over. If you want to get a little more fancy, create a user defined chain and use the RETURN target, which sends the packet back to the rule directly after the one that jumped to the user defined chain. The way I choose to handle the limit match is an example of using a user defined chain and the RETURN target.

Have a script available to flush all of your tables.
Have a script available to list all of your tables.
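The two housekeeping scripts recommended above, written here as an added example rather than taken from the page's own scripts. It assumes a 2.4-era iptables with the filter, nat and mangle tables; DRY_RUN=1 (the default here) prints the commands so you can review them, and DRY_RUN=0 executes them.

```shell
#!/bin/sh
# Added example (not the page's own scripts): flush every table or list
# every table. Assumes iptables with the filter, nat and mangle tables.
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}    # 1 prints the commands instead of running them

ipt() { if [ "$DRY_RUN" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi; }

# Tables to clean. The filter table is the default when -t is omitted,
# which is how nat and mangle rules get forgotten by a one-line flush.
TABLES="filter nat mangle"

flush_all() {
    for t in $TABLES; do
        ipt -t "$t" -F      # delete every rule in every chain of the table
        ipt -t "$t" -X      # delete every (now empty) user defined chain
        ipt -t "$t" -Z      # zero the packet and byte counters
    done
    # -F does not touch policies: reset the built-in chains so a flushed
    # box does not stay locked in DROP while you edit the real script.
    for c in INPUT FORWARD OUTPUT; do
        ipt -P "$c" ACCEPT
    done
}

list_all() {
    for t in $TABLES; do
        echo "### table $t"
        ipt -t "$t" -L -n -v --line-numbers   # -n: no DNS lookups, -v: counters
    done
}

case "${1:-flush}" in
    flush) flush_all ;;
    list)  list_all ;;
    *) echo "usage: $0 [flush|list]" >&2; exit 2 ;;
esac
```

Run it as `./fw-tables.sh flush` from the end of ppp-down and as `./fw-tables.sh list` whenever you want to see what is loaded; the line numbers from -L make `iptables -D CHAIN N` easy when you are testing a single rule.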

Follow the recommendations in this how-to page. Especially the keep it simple part. Block everything and then allow the desired traffic as necessary.

Use connection tracking as much as possible to allow the connections you want. Create a user defined chain that allows everything established or related and also allows everything new from the internal interface. Append the user defined chain to all of the chains in the filter table. User defined chains are allowed to be targets as long as all the rules they contain are valid in the built in chain they are added to. If you want to provide certain services on the gateway machine, allow new connections to them.

If you want address translation so that the internal network can reach the outside, add the appropriate network address translation rule to the nat table. My connection is a dialup that receives its IP address through DHCP, so I chose MASQUERADE as opposed to SNAT.

If you want to provide services from internal hosts as if they were ports on the gateway host, connections to those ports have to be translated to the hosts on the internal network.

It is also possible to use the limit match to protect yourself from some "Denial of Service" attacks. I chose to create a user defined chain to perform the limiting and logging for these attacks.
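The recommendations above (block everything, a connection tracking chain hooked into the built-in chains, MASQUERADE on a dialup, port translation to an internal host, and a limit chain that uses RETURN) put together into one small gateway script. This is an added example, not the page's own script, and the interface names, addresses and the ssh service are assumptions: ppp0 is the dialup, eth0 the internal interface, and 192.168.1.10 is an internal web server reached through port 80 on the gateway. DRY_RUN=1 (the default here) prints the iptables commands instead of executing them.

```shell
#!/bin/sh
# Added example (not the page's own script): a gateway firewall built
# from the recommendations above. Interface names and addresses below
# are assumptions, not values from the page.
IPT=${IPT:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}                # 1 prints the commands, 0 executes them
EXT_IF=${EXT_IF:-ppp0}               # assumed: the dialup interface
INT_IF=${INT_IF:-eth0}               # assumed: the internal interface
WEB_HOST=${WEB_HOST:-192.168.1.10}   # assumed: internal web server to expose
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

ipt() { if [ "$DRY_RUN" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi; }

build_firewall() {
    # 1. Start clean, then block everything; traffic is opened up below.
    for t in filter nat; do ipt -t "$t" -F; ipt -t "$t" -X; done
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT

    # 2. User defined chain for connection tracking: accept anything
    #    established or related and anything new from the inside. A
    #    packet matching neither falls back to the calling chain.
    ipt -N conntrack
    ipt -A conntrack -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A conntrack -m state --state NEW -i "$INT_IF" -j ACCEPT

    # 3. User defined chain that limits and logs a flood of new TCP
    #    connections. RETURN sends a packet within the limit straight
    #    back to the rule after the one that jumped here.
    ipt -N synflood
    ipt -A synflood -m limit --limit 1/s --limit-burst 4 -j RETURN
    ipt -A synflood -m limit --limit 6/m -j LOG --log-prefix "SYN flood: "
    ipt -A synflood -j DROP

    # 4. Hook the chains into INPUT and FORWARD. The conntrack chain
    #    uses -i, which iptables rejects in OUTPUT, so OUTPUT gets its
    #    own rules instead (the "valid in the built in chain" caveat).
    for c in INPUT FORWARD; do
        for net in $PRIVATE_NETS; do   # a private source on the dialup is spoofed
            ipt -A "$c" -i "$EXT_IF" -s "$net" -j DROP
        done
        ipt -A "$c" -j conntrack
        ipt -A "$c" -i "$EXT_IF" -p tcp --syn -j synflood
    done
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state NEW -j ACCEPT   # the gateway may start connections

    # 5. A service on the gateway itself (assumed: ssh) needs NEW allowed.
    ipt -A INPUT -i "$EXT_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # 6. NAT. MASQUERADE suits a dialup whose address changes each call;
    #    DNAT makes port 80 on the gateway reach the internal web server.
    #    The translated packet still has to be accepted in FORWARD.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
    ipt -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB_HOST"
    ipt -A FORWARD -i "$EXT_IF" -p tcp -d "$WEB_HOST" --dport 80 \
        -m state --state NEW -j ACCEPT
}

build_firewall
```

A new SYN arriving on ppp0 for port 22 walks INPUT in order: it is not a private source, conntrack does not accept it (it is NEW and not from eth0) so it falls through, synflood lets it RETURN while the rate is under one per second with a burst of four, and the ssh rule accepts it; above that rate it is logged (at most six lines a minute) and dropped. Note that this chain only limits the rate of SYNs, it does not stop a determined flood, which is why the policy stays DROP and the log prefix exists to tell you it is happening.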

Here is the script I use to connect to my ISP. I hope it is helpful to you. The flush script is at the end of my ppp-down script and the main script is called at the end of my ppp-up script. This is probably a good example of not keeping things simple. It may however have some components that are useful to you.

My Most Recent Script 4/16/01

My most recent script is actually a modified version of John Davidson's demilitarized zone script. I have modified his script to make it more my style. I added protection against private IPs on input and output. I added many user defined chains to prevent packets from being tested against multiple rules that don't apply to them. Anyway, the script is very redhatish and is actually four files because it became a little bloated. (Isn't this what Rusty recommended not to do? OK, I got carried away, but I do make it so that user defined chains do not get created unless needed!)

The four files in a tar.tgz archive
The configuration file. It has lots of options. note: Included from the file to run.
The file to run.
The filter for a complex set of filter rules. note: Included from the file to run.
The filter for a simpler set of filter rules. note: Included from the file to run.
Here is a listing after the complex rules are applied with lots of ports configured.
Here is a listing after the complex rules are applied with a few ports configured.