* FORWARD rules
@ 2003-09-10 17:52 Payal Rathod
  2003-09-10 18:44 ` Ramin Dousti
                   ` (2 more replies)
  0 siblings, 3 replies; 21+ messages in thread
From: Payal Rathod @ 2003-09-10 17:52 UTC (permalink / raw)
  To: netfilter

Hi,
I had kept the default policy of FORWARD as drop.
Now, I wanted to see an internal machine from internet. So, I used
DNAT as,

iptables -A PREROUTING -t nat -d <ext ip> -j DNAT --to <int ip>
It didn't work. When I set the default FORWARD policy to ACCEPT it
worked.

What is a better approach? I want to have a default DROP in FORWARD
chain. My FORWARD chain looked like this,


$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p udp -m udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

What more do I add to allow natting as well as a secure FORWARD policy?
Is the position of ESTABLISHED rule ok?

Thanks a lot for the help in advance and waiting eagerly for the mails.
With warm regards,
-Payal





-- 
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.



* Re: FORWARD rules
  2003-09-10 17:52 FORWARD rules Payal Rathod
@ 2003-09-10 18:44 ` Ramin Dousti
  2003-09-11  2:15   ` netfilter
  2003-09-10 18:47 ` Vladimir Potapov
  2003-09-11  6:09 ` Vishwanatn T. K.
  2 siblings, 1 reply; 21+ messages in thread
From: Ramin Dousti @ 2003-09-10 18:44 UTC (permalink / raw)
  To: netfilter

On Wed, Sep 10, 2003 at 11:22:53PM +0530, Payal Rathod wrote:

> Hi,
> I had kept the default policy of FORWARD as drop.
> Now, I wanted to see an internal machine from internet. So, I used
> DNAT as,
> 
> iptables -A PREROUTING -t nat -d <ext ip> -j DNAT --to <int ip>
> It didn't work. When I set the default FORWARD policy to ACCEPT it
> worked.
> 
> What is a better approach? I want to have a default DROP in FORWARD
> chain. My FORWARD chain looked like this,

Keep the default "DROP" policy and just open whatever is needed
including the DNAT'ed packets coming in.

The place of the ESTABLISHED,RELATED rule should be at the top of
your rule set.

Ramin



* RE: FORWARD rules
  2003-09-10 17:52 FORWARD rules Payal Rathod
  2003-09-10 18:44 ` Ramin Dousti
@ 2003-09-10 18:47 ` Vladimir Potapov
  2003-09-11  6:09 ` Vishwanatn T. K.
  2 siblings, 0 replies; 21+ messages in thread
From: Vladimir Potapov @ 2003-09-10 18:47 UTC (permalink / raw)
  To: Payal Rathod; +Cc: Netfilter

$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p udp -m udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 110 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

What more do I add to allow natting as well as a secure FORWARD policy?
Is the position of ESTABLISHED rule ok?

You need to add chains for NEW packets with tcp-flags syn. You need to replace
from console:
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p udp -m udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 110 -j ACCEPT

to
-A FORWARD -d 125.125.125.0/32 -m state --state NEW -p tcp -m tcp --dport 53 --syn -j ACCEPT
-A FORWARD -d 125.125.125.0/32 -m state --state NEW -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -d 125.125.125.0/32 -m state --state NEW -p tcp -m tcp --dport 80 --syn -j ACCEPT
-A FORWARD -d 125.125.125.0/32 -m state --state NEW -p tcp -m tcp --dport 110 --syn -j ACCEPT





--
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.





* Re: FORWARD rules
  2003-09-10 18:44 ` Ramin Dousti
@ 2003-09-11  2:15   ` netfilter
  0 siblings, 0 replies; 21+ messages in thread
From: netfilter @ 2003-09-11  2:15 UTC (permalink / raw)
  To: Ramin Dousti; +Cc: netfilter

On Wed, Sep 10, 2003 at 02:44:30PM -0400, Ramin Dousti wrote:
> On Wed, Sep 10, 2003 at 11:22:53PM +0530, Payal Rathod wrote:
> 
> Keep the default "DROP" policy and just open whatever is needed
> including the DNAT'ed packets coming in.

Please explain in a bit more detail relating to my data. Will keeping
the ESTABLISHED,RELATED rule at top and putting default DROP policy set
it right?

Thanks a lot and waiting for the reply.
With warm regards,
-Payal

> The place of the ESTABLISHED,RELATED rule should be at the top of
> your rule set.
> 
> Ramin
> 

-- 
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.



* Re: FORWARD rules
  2003-09-10 17:52 FORWARD rules Payal Rathod
  2003-09-10 18:44 ` Ramin Dousti
  2003-09-10 18:47 ` Vladimir Potapov
@ 2003-09-11  6:09 ` Vishwanatn T. K.
  2003-09-12 10:09   ` Payal Rathod
  2003-09-12 10:35   ` Cedric Blancher
  2 siblings, 2 replies; 21+ messages in thread
From: Vishwanatn T. K. @ 2003-09-11  6:09 UTC (permalink / raw)
  To: Payal Rathod; +Cc: netfilter

On Wed, 2003-09-10 at 17:52, Payal Rathod wrote:
> Hi,
> I had kept the default policy of FORWARD as drop.
> Now, I wanted to see an internal machine from internet. So, I used
> DNAT as,
> 
> iptables -A PREROUTING -t nat -d <ext ip> -j DNAT --to <int ip>
> It didn't work. When I set the default FORWARD policy to ACCEPT it
> worked.
> 
> What is a better approach? I want to have a default DROP in FORWARD
> chain. My FORWARD chain looked like this,
> 
> 
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p udp -m udp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 110 -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> What more do I add to allow natting as well as a secure FORWARD policy?
> Is the position of ESTABLISHED rule ok?
> 

You need to add NEW state in the above FORWARD rule for this to work.

$IPTABLES -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

> Thanks a lot for the help in advance and waiting eagerly for the mails.
> With warm regards,
> -Payal

Vishwanath




* Re: FORWARD rules
  2003-09-11  6:09 ` Vishwanatn T. K.
@ 2003-09-12 10:09   ` Payal Rathod
  2003-09-12 10:45     ` Cedric Blancher
  2003-09-12 10:35   ` Cedric Blancher
  1 sibling, 1 reply; 21+ messages in thread
From: Payal Rathod @ 2003-09-12 10:09 UTC (permalink / raw)
  To: Vishwanatn T. K.; +Cc: netfilter

On Thu, Sep 11, 2003 at 06:09:29AM +0000, Vishwanatn T. K. wrote:
> > $IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 110 -j ACCEPT
> > $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> > 
> > What more do I add to allow natting as well as a secure FORWARD policy?
> > Is the position of ESTABLISHED rule ok?
> > 
> 
> You need to add NEW state in the above FORWARD rule for this to work.
> 
> $IPTABLES -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Just confirming this from all. Please check whether this is ok.


$IPTABLES -I PREROUTING -t nat -p tcp -d 202.x.x.x -j DNAT --to 125.125.125.2

$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p udp -m udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 110 -j ACCEPT

echo "1" > /proc/sys/net/ipv4/ip_forward

$IPTABLES -P FORWARD ACCEPT
		     ^^^^^^
$IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Can I now change the ACCEPT statement to DROP without any fear?
Thanks a lot in advance and bye.
With warm regards,
-Payal


-- 
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.



* Re: FORWARD rules
  2003-09-11  6:09 ` Vishwanatn T. K.
  2003-09-12 10:09   ` Payal Rathod
@ 2003-09-12 10:35   ` Cedric Blancher
  1 sibling, 0 replies; 21+ messages in thread
From: Cedric Blancher @ 2003-09-12 10:35 UTC (permalink / raw)
  To: tkvishy; +Cc: Payal Rathod, netfilter

Le jeu 11/09/2003 à 08:09, Vishwanatn T. K. a écrit :
> You need to add NEW state in the above FORWARD rule for this to work.
> $IPTABLES -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

It will leave his firewall wide open.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE



* Re: FORWARD rules
  2003-09-12 10:09   ` Payal Rathod
@ 2003-09-12 10:45     ` Cedric Blancher
  2003-09-12 14:36       ` Arnt Karlsen
  0 siblings, 1 reply; 21+ messages in thread
From: Cedric Blancher @ 2003-09-12 10:45 UTC (permalink / raw)
  To: Payal Rathod; +Cc: Vishwanatn T. K., netfilter

Le ven 12/09/2003 à 12:09, Payal Rathod a écrit :
> Just confirming this from all. Please check whether this is ok.
[...]
> $IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

With this rule, you will just accept anything, except INVALID packets
that are quite uncommon (most of them are ICMP).

> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p udp -m udp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD -s 125.125.125.0/32 -p tcp -m tcp --dport 110 -j ACCEPT

Those rules won't get reached, as the first one accepts all packets. You
should consider this instead:

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
	-m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p udp \
	-m udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD  -m state --state NEW -s 125.125.125.0/32 -p tcp \
	-m tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD  -m state --state NEW -s 125.125.125.0/32 -p tcp \
	-m tcp --dport 110 -j ACCEPT

Keeping the ESTABLISHED,RELATED rule at the top of the ruleset is an
optimization, as most packets you will receive will have ESTABLISHED state.
It's better to treat them early so they don't go through the whole chain.

> echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> $IPTABLES -P FORWARD ACCEPT
> 		     ^^^^^^
> $IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Same as below. It's about the same as a policy set to ACCEPT...

> Can I now change the ACCEPT statement to DROP without any fear?

Sure.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE



* Re: FORWARD rules
  2003-09-12 10:45     ` Cedric Blancher
@ 2003-09-12 14:36       ` Arnt Karlsen
  2003-09-12 14:51         ` Cedric Blancher
  0 siblings, 1 reply; 21+ messages in thread
From: Arnt Karlsen @ 2003-09-12 14:36 UTC (permalink / raw)
  To: netfilter

On Fri, 12 Sep 2003 12:45:34 +0200, 
Cedric Blancher <blancher@cartel-securite.fr> wrote in message 
<1063363533.879.52.camel@elendil.intranet.cartel-securite.net>:

> > $IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED \

..lose "NEW".

> > -j ACCEPT
> 
> Same than below. It's about the same than an policy set to ACCEPT...
> 
> > Can I now change the ACCEPT statement to DROP without any fear?
> 
> Sure.
> 


-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.




* Re: FORWARD rules
  2003-09-12 14:36       ` Arnt Karlsen
@ 2003-09-12 14:51         ` Cedric Blancher
  2003-09-12 18:14           ` Arnt Karlsen
  0 siblings, 1 reply; 21+ messages in thread
From: Cedric Blancher @ 2003-09-12 14:51 UTC (permalink / raw)
  To: Arnt Karlsen; +Cc: netfilter

Le ven 12/09/2003 à 16:36, Arnt Karlsen a écrit :
> On Fri, 12 Sep 2003 12:45:34 +0200, 
> Cedric Blancher <blancher@cartel-securite.fr> wrote in message 
> > > $IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED \
> ..lose "NEW".

Just what I said, wasn't it ?

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE



* Re: FORWARD rules
  2003-09-12 14:51         ` Cedric Blancher
@ 2003-09-12 18:14           ` Arnt Karlsen
  2003-09-13  2:26             ` Payal Rathod
  0 siblings, 1 reply; 21+ messages in thread
From: Arnt Karlsen @ 2003-09-12 18:14 UTC (permalink / raw)
  To: Cedric Blancher; +Cc: netfilter

On Fri, 12 Sep 2003 16:51:41 +0200, 
Cedric Blancher <blancher@cartel-securite.fr> wrote in message 
<1063378301.888.66.camel@elendil.intranet.cartel-securite.net>:

> Le ven 12/09/2003 à 16:36, Arnt Karlsen a écrit :
> > On Fri, 12 Sep 2003 12:45:34 +0200, 
> > Cedric Blancher <blancher@cartel-securite.fr> wrote in message 
> > > > $IPTABLES -A INPUT -m state --state NEW,ESTABLISHED,RELATED \
> > ..lose "NEW".
> 
> Just what I said, wasn't it ?

..nah, but you probably _meant_ it.  ;-)

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.




* Re: FORWARD rules
  2003-09-12 18:14           ` Arnt Karlsen
@ 2003-09-13  2:26             ` Payal Rathod
  2003-09-13  6:42               ` Arnt Karlsen
  0 siblings, 1 reply; 21+ messages in thread
From: Payal Rathod @ 2003-09-13  2:26 UTC (permalink / raw)
  To: netfilter

On Fri, Sep 12, 2003 at 08:14:25PM +0200, Arnt Karlsen wrote:
> On Fri, 12 Sep 2003 16:51:41 +0200, 
> > > ..lose "NEW".
> > 
> > Just what I said, wasn't it ?
> 
> ..nah, but you probably _meant_ it.  ;-)

I think he said it :). Look below.


| $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
| $IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
|        -m tcp --dport 53 -j ACCEPT

-Payal

-- 
"Visit GNU/Linux Success Stories"
http://payal.staticky.com
Guest-Book Section Updated.



* Re: FORWARD rules
  2003-09-13  2:26             ` Payal Rathod
@ 2003-09-13  6:42               ` Arnt Karlsen
  2003-09-15  7:56                 ` Cedric Blancher
  0 siblings, 1 reply; 21+ messages in thread
From: Arnt Karlsen @ 2003-09-13  6:42 UTC (permalink / raw)
  To: netfilter

On Sat, 13 Sep 2003 07:56:58 +0530, 
Payal Rathod <payal-iptables@staticky.com> wrote in message 
<20030913022658.GD1667@linux.local>:

> On Fri, Sep 12, 2003 at 08:14:25PM +0200, Arnt Karlsen wrote:
> > On Fri, 12 Sep 2003 16:51:41 +0200, 
> > > > ..lose "NEW".
> > > 
> > > Just what I said, wasn't it ?
> > 
> > ..nah, but you probably _meant_ it.  ;-)
> 
> I think he said it :). Look below.
> 
> 
> | $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> | $IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
> |        -m tcp --dport 53 -j ACCEPT
> 
> -Payal

..wrong snippet.  ;-)  Reread the thread, and you'll see both I 
and Cedric weren't to clear on that we meant to say, we _implied_ 
things instead of actually _saying_ them, I snipped to hard and 
lost Cedric, and added to the confusion.  I'm talking about the 
"NEW" under this bit:
" > $IPTABLES -P FORWARD ACCEPT
  > 		     ^^^^^^ ".

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.




* Re: FORWARD rules
  2003-09-13  6:42               ` Arnt Karlsen
@ 2003-09-15  7:56                 ` Cedric Blancher
  2003-09-15 16:32                   ` Arnt Karlsen
  0 siblings, 1 reply; 21+ messages in thread
From: Cedric Blancher @ 2003-09-15  7:56 UTC (permalink / raw)
  To: Arnt Karlsen; +Cc: netfilter

Le sam 13/09/2003 à 08:42, Arnt Karlsen a écrit :
> ..wrong snippet.  ;-)  Reread the thread, and you'll see both I 
> and Cedric weren't to clear on that we meant to say, we _implied_ 
> things instead of actually _saying_ them

So, for the things to get clear, the whole script should be[1] :


$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
        -m tcp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p udp \
        -m udp --dport 53 -j ACCEPT
$IPTABLES -A FORWARD  -m state --state NEW -s 125.125.125.0/32 -p tcp \
        -m tcp --dport 80 -j ACCEPT
$IPTABLES -A FORWARD  -m state --state NEW -s 125.125.125.0/32 -p tcp \
        -m tcp --dport 110 -j ACCEPT

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "1" > /proc/sys/net/ipv4/ip_forward


A -m state --state NEW,ESTABLISHED,RELATED _should not_ be used, as it's
a quasi-generic full match (i.e. it nearly matches all packets).


[1] Note I did a typo in my
<1063363533.879.52.camel@elendil.intranet.cartel-securite.net> post,
it's FORWARD, not INPUT...

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE



* Re: FORWARD rules
  2003-09-15  7:56                 ` Cedric Blancher
@ 2003-09-15 16:32                   ` Arnt Karlsen
  2003-09-15 17:34                     ` Cedric Blancher
  0 siblings, 1 reply; 21+ messages in thread
From: Arnt Karlsen @ 2003-09-15 16:32 UTC (permalink / raw)
  To: Cedric Blancher; +Cc: netfilter

On Mon, 15 Sep 2003 09:56:22 +0200, 
Cedric Blancher <blancher@cartel-securite.fr> wrote in message 
<1063612582.928.17.camel@elendil.intranet.cartel-securite.net>:

> Le sam 13/09/2003 à 08:42, Arnt Karlsen a écrit :
> > ..wrong snippet.  ;-)  Reread the thread, and you'll see both I 
> > and Cedric weren't to clear on that we meant to say, we _implied_ 
> > things instead of actually _saying_ them
> 
> So, for the things to get clear, the whole script should be[1] :
> 
> 
> $IPTABLES -P FORWARD DROP
> $IPTABLES -P INPUT DROP
> 
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p tcp \
>         -m tcp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD -m state --state NEW -s 125.125.125.0/32 -p udp \
>         -m udp --dport 53 -j ACCEPT
> $IPTABLES -A FORWARD  -m state --state NEW -s 125.125.125.0/32 -p tcp \
>         -m tcp --dport 80 -j ACCEPT
> $IPTABLES -A FORWARD  -m state --state NEW -s 125.125.125.0/32 -p tcp \
>         -m tcp --dport 110 -j ACCEPT
> 
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> echo "1" > /proc/sys/net/ipv4/ip_forward
> 
> 
> A -m state --state NEW,ESTABLISHED,RELATED _should not_ be used, as
> it's a quasi-generic full match (i.e. it nearly matches all packets).
> 
> 
> [1] Note I did a typo in my
> <1063363533.879.52.camel@elendil.intranet.cartel-securite.net> post,
> it's FORWARD, not INPUT...

..me too, ;-)  I ofcourse meant we "weren't too clear on what 
we meant to say"...  ;-)

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.




* Re: FORWARD rules
  2003-09-15 16:32                   ` Arnt Karlsen
@ 2003-09-15 17:34                     ` Cedric Blancher
  2003-09-16  4:28                       ` Payal Rathod
  0 siblings, 1 reply; 21+ messages in thread
From: Cedric Blancher @ 2003-09-15 17:34 UTC (permalink / raw)
  To: Arnt Karlsen; +Cc: netfilter

Le lun 15/09/2003 à 18:32, Arnt Karlsen a écrit :
> ..me too, ;-)  I ofcourse meant we "weren't too clear on what 
> we meant to say"...  ;-)

We are now, that's the important point :)

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE



* Re: FORWARD rules
  2003-09-15 17:34                     ` Cedric Blancher
@ 2003-09-16  4:28                       ` Payal Rathod
  2003-09-16 23:31                         ` Arnt Karlsen
  0 siblings, 1 reply; 21+ messages in thread
From: Payal Rathod @ 2003-09-16  4:28 UTC (permalink / raw)
  To: Cedric Blancher; +Cc: Arnt Karlsen, netfilter

On Mon, Sep 15, 2003 at 07:34:22PM +0200, Cedric Blancher wrote:
> Le lun 15/09/2003 à 18:32, Arnt Karlsen a écrit :
> > ..me too, ;-)  I ofcourse meant we "weren't too clear on what 
> > we meant to say"...  ;-)
> 
> We are now, that's the important point :)

I am still confused about what you really meant and what you really said. Are
you losing your brains or am I :)
-Payal

> -- 
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
> 

-- 
For GNU/Linux Success Stories and Articles visit:
          http://payal.staticky.com




* Re: FORWARD rules
  2003-09-16  4:28                       ` Payal Rathod
@ 2003-09-16 23:31                         ` Arnt Karlsen
  0 siblings, 0 replies; 21+ messages in thread
From: Arnt Karlsen @ 2003-09-16 23:31 UTC (permalink / raw)
  To: netfilter

On Tue, 16 Sep 2003 04:28:23 +0000, 
Payal Rathod <payal-iptables@staticky.com> wrote in message 
<20030916042823.GC10468@staticky.com>:

> On Mon, Sep 15, 2003 at 07:34:22PM +0200, Cedric Blancher wrote:
> > Le lun 15/09/2003 à 18:32, Arnt Karlsen a écrit :
> > > ..me too, ;-)  I ofcourse meant we "weren't too clear on what 
> > > we meant to say"...  ;-)
> > 
> > We are now, that's the important point :)
> 
> I am still confused about what you really meant and what you really said.
> Are you losing your brains or am I :)
> -Payal

..   ;-)   You wanna reread what Cedric wrote in his message 
<1063612582.928.17.camel@elendil.intranet.cartel-securite.net>.

-- 
..med vennlig hilsen = with Kind Regards from Arnt... ;-)
...with a number of polar bear hunters in his ancestry...
  Scenarios always come in sets of three: 
  best case, worst case, and just in case.




* Forward rules
@ 2003-11-28 19:18 Alejandro Cabrera Obed
  2003-11-28 20:03 ` Jeffrey Laramie
  0 siblings, 1 reply; 21+ messages in thread
From: Alejandro Cabrera Obed @ 2003-11-28 19:18 UTC (permalink / raw)
  To: Netfilter lista (iptables)

Hello !!!

I'm building my FORWARD table rules, and I want to implement this: "Drop all
FORWARD packets by default and then accept only packets coming from LAN
(192.168.0.0/24) with the related and established condition and leaving my
external interface ($INET_IFACE)".

Does the following ruleset do what I want, or can I change the order ???

$IPTABLES -P FORWARD DROP
$IPTABLES -A FORWARD -s 192.168.0.0/24 -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

I suppose with this implementation I'm discarding packet forwarding coming
from 127.0.0.0/24, 10.0.0.0/8 and 172.16.0.0/12 (because my default policy
is DROP by default)....is it OK ???

Thousands of thanks :)

Alejandro




* Re: Forward rules
  2003-11-28 19:18 Forward rules Alejandro Cabrera Obed
@ 2003-11-28 20:03 ` Jeffrey Laramie
  0 siblings, 0 replies; 21+ messages in thread
From: Jeffrey Laramie @ 2003-11-28 20:03 UTC (permalink / raw)
  To: netfilter

On Friday 28 November 2003 14:18, Alejandro Cabrera Obed wrote:
> Hello !!!
>

Hi Alejandro

> I'm building my FORWARD table rules, and I want to implement this: "Drop
> all FORWARD packets by default and then accept only packets coming from LAN
> (192.168.0.0/24) with the related and established condition and leaving my
> external interface ($INET_IFACE)".
>
> Does the following ruleset do what I want, or can I change the order ???
>
> $IPTABLES -P FORWARD DROP
> $IPTABLES -A FORWARD -s 192.168.0.0/24 -o $INET_IFACE -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> I suppose with this implementation I'm discarding packet forwarding coming
> from 127.0.0.0/24, 10.0.0.0/8 and 172.16.0.0/12 (because my default policy
> is DROP by default)....is it OK ???
>

Your rules will work fine. A couple of hints:

1. Even though the -P FORWARD DROP comes first in the ruleset, it is the 
default policy and it will always be the last rule checked.

2. Most of your traffic will be accepted by your ESTABLISHED,RELATED rule so 
for maximum efficiency it should always be as close to the top of your chain 
as possible (but after the default policy).

3. It is *slightly* better to use -i $LAN_IFACE instead of -o $INET_IFACE. It 
doesn't matter when there are only 2 interfaces, but if you were to add 
another interface in the future -i $LAN_IFACE will offer the same spoofing 
protection to the new interface.

Jeff


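The two threads above turn on iptables first-match semantics: why Payal's source-only FORWARD rules never let the DNAT'ed connection in, why a leading NEW,ESTABLISHED,RELATED rule shadows every rule after it (Cedric's objection), why Cedric's final script with ESTABLISHED,RELATED first and explicit NEW rules is tight, and why Jeffrey prefers -i $LAN_IFACE once a third interface exists. The Python model below is an added example, not code from either thread or from netfilter; it evaluates constructed packets against those rulesets. Assumptions: the LAN is modelled as 125.125.125.0/24 (the thread's /32 matches exactly one address), 125.125.125.2 is the DNAT target from Payal's follow-up, one extra NEW rule opens only that DNAT'ed service as Ramin advised, and interface names and outside addresses are made up.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Packet:
    """One packet as the FORWARD chain sees it (after PREROUTING DNAT rewrote dst)."""
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    state: str        # conntrack state: NEW, ESTABLISHED or RELATED
    in_if: str = "inet0"
    out_if: str = "lan0"

def matches(rule, pkt):
    """Every criterion present in the rule must hold; absent criteria match anything."""
    for key, addr in (("s", pkt.src), ("d", pkt.dst)):
        if key in rule and ipaddress.ip_address(addr) not in ipaddress.ip_network(rule[key], strict=False):
            return False
    plain = {"p": pkt.proto, "dport": pkt.dport, "i": pkt.in_if, "o": pkt.out_if}
    if any(key in rule and rule[key] != val for key, val in plain.items()):
        return False
    return "state" not in rule or pkt.state in rule["state"]

def verdict(chain, policy, pkt):
    """iptables semantics: the first matching rule's target wins, else the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["j"]
    return policy

# Assumption: LAN modelled as /24 (the thread's /32 would match a single address);
# 125.125.125.2 is the DNAT target from Payal's follow-up message.
LAN = "125.125.125.0/24"
WEB = "125.125.125.2"
ER = {"ESTABLISHED", "RELATED"}

# Payal's first chain: source-only rules, ESTABLISHED,RELATED last, policy DROP.
ORIGINAL = [
    {"s": LAN, "p": "tcp", "dport": 53, "j": "ACCEPT"},
    {"s": LAN, "p": "udp", "dport": 53, "j": "ACCEPT"},
    {"s": LAN, "p": "tcp", "dport": 80, "j": "ACCEPT"},
    {"s": LAN, "p": "tcp", "dport": 110, "j": "ACCEPT"},
    {"state": ER, "j": "ACCEPT"},
]
# Vishwanath's suggestion: NEW,ESTABLISHED,RELATED first, which shadows every later rule.
WIDE_OPEN = [{"state": ER | {"NEW"}, "j": "ACCEPT"}] + ORIGINAL
# Cedric's final script plus one NEW rule that opens only the DNAT'ed service (Ramin's advice).
FIXED = [
    {"state": ER, "j": "ACCEPT"},
    {"state": {"NEW"}, "s": LAN, "p": "tcp", "dport": 53, "j": "ACCEPT"},
    {"state": {"NEW"}, "s": LAN, "p": "udp", "dport": 53, "j": "ACCEPT"},
    {"state": {"NEW"}, "s": LAN, "p": "tcp", "dport": 80, "j": "ACCEPT"},
    {"state": {"NEW"}, "s": LAN, "p": "tcp", "dport": 110, "j": "ACCEPT"},
    {"state": {"NEW"}, "d": WEB, "p": "tcp", "dport": 80, "j": "ACCEPT"},
]

# Constructed sample packets (outside addresses from documentation ranges, not real hosts).
PACKETS = {
    "inbound_web": Packet("203.0.113.7", WEB, "tcp", 80, "NEW"),
    "inbound_telnet": Packet("203.0.113.7", WEB, "tcp", 23, "NEW"),
    "outbound_http": Packet("125.125.125.10", "198.51.100.1", "tcp", 80, "NEW", "lan0", "inet0"),
    "outbound_smtp": Packet("125.125.125.10", "198.51.100.1", "tcp", 25, "NEW", "lan0", "inet0"),
    "reply": Packet("198.51.100.1", "125.125.125.10", "tcp", 40000, "ESTABLISHED"),
}

def compare():
    """Verdict of each ruleset (policy DROP) for every sample packet."""
    rulesets = {"original": ORIGINAL, "wide_open": WIDE_OPEN, "fixed": FIXED}
    return {name: {k: verdict(chain, "DROP", p) for k, p in PACKETS.items()}
            for name, chain in rulesets.items()}

# Jeffrey's hint 3: with a third interface, "-s LAN -o inet" still accepts a LAN source
# arriving on dmz0 (spoofed), while "-i lan0" ties the source network to its own interface.
BY_OUT_IF = [{"s": "192.168.0.0/24", "o": "inet0", "j": "ACCEPT"}]
BY_IN_IF = [{"i": "lan0", "s": "192.168.0.0/24", "o": "inet0", "j": "ACCEPT"}]
SPOOFED = Packet("192.168.0.5", "198.51.100.1", "tcp", 80, "NEW", "dmz0", "inet0")

def spoof_check():
    """Returns (verdict with -o only, verdict with -i added) for the spoofed packet."""
    return verdict(BY_OUT_IF, "DROP", SPOOFED), verdict(BY_IN_IF, "DROP", SPOOFED)
```

Call compare() to see that the original chain drops the inbound DNAT'ed connection, the wide-open chain accepts even the telnet probe, and the fixed chain accepts only the published service; spoof_check() shows the interface-bound rule rejecting the spoofed LAN source.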
