this is my sample script
 
FWVER=0.63
 
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
 

IPTABLES=/sbin/iptables
 

EXTIF="eth1"
INTIF1="eth0"
INTIF2="ppp0"
INTIF3="ppp1"
 
echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF1"
echo "   Internal Interface:  $INTIF2"
echo "   Internal Interface:  $INTIF3"
echo -en "   loading modules: "
 
echo "  - Verifying that all kernel modules are ok"
/sbin/depmod -a
echo -en "ip_tables, "
/sbin/insmod ip_tables
echo -en "ip_conntrack, "
/sbin/insmod ip_conntrack
echo -en "ip_conntrack_ftp, "
/sbin/insmod ip_conntrack_ftp
echo -en "ip_conntrack_irc, "
/sbin/insmod ip_conntrack_irc
echo -en "iptable_nat, "
/sbin/insmod iptable_nat
echo -en "ip_nat_ftp, "
/sbin/insmod ip_nat_ftp
echo ".  Done loading modules."
 
echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "   enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "   clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
 
echo "   FWD: Allow all connections OUT and only existing and related ones IN"
 
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF3 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF3 -o $EXTIF -j ACCEPT
 
$IPTABLES -A FORWARD -j LOG
 

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
 
echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
[root@delllinux rc.d]# !ip
iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere           LOG level warning

[root@delllinux rc.d]# iptables -t nat -A PREROUTING --dst 192.168.2.90 -p tcp --dport 4899 -j DNAT --to-destination 192.168.1.2
 
 
My problem is for the iptables command above to work I have to issue the command "iptables -P FORWARD ACCEPT"  Can anyone tell me how to allow just certain forwarding so I can set the default to DENY? And is this firewall script secure enough?