Exemple de script (fait par ridben de [HFR], merci à lui) :
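#!/bin/sh
# NAT + packet-filter firewall for a small Linux router: trusted LAN on
# eth0, untrusted Internet link on ppp+.  Every chain defaults to DROP and
# only the services listed below are opened.
#
# Review changes versus the original script:
#  - the first line was "# !/bin/sh" (a comment, not a shebang) -- fixed;
#  - DROP policies are set *before* the flush and forwarding is switched on
#    *last*, so an interrupted or half-applied run never leaves the router
#    forwarding with ACCEPT policies;
#  - replies are matched by connection-tracking state (ESTABLISHED,RELATED)
#    instead of bare "--sport N" rules: a stateless "--sport 53" or
#    "--sport 80 -j ACCEPT" lets any remote host reach *any* port on the
#    firewall or the LAN simply by sending from that source port;
#  - LOG is rate-limited so a packet flood cannot bury or fill the syslog;
#  - obviously spoofed sources arriving on the Internet link are dropped;
#  - the port forwards are pinned to the DNAT target host instead of being
#    matched on source port.
set -u

# Connection-tracking helpers (FTP data connections, IRC DCC).
# NOTE(review): these are the 2.4 / early-2.6 module names; current kernels
# call them nf_conntrack, nf_conntrack_ftp, nf_conntrack_irc, nf_nat_irc and
# normally auto-load them when a matching rule is added -- confirm for the
# target kernel.  A failing modprobe is deliberately not fatal: the rules
# below still fail closed (DROP policies) without the helpers.
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc ports=6661,6662,6663,6664,6665,6666,6667,6668
modprobe ip_nat_irc ports=6661,6662,6663,6664,6665,6666,6667,6668
modprobe ipt_multiport

LAN="eth0"            # trusted interface
NET="ppp+"            # untrusted interface (Internet)
IPXP="192.168.1.33"   # LAN host that receives the DNAT'd ICQ / eMule ports
FORWARDING=/proc/sys/net/ipv4/conf/all/forwarding

# Fail closed while the rule set is (re)built: chain policies survive the
# flush, so setting them first means the flush never exposes ACCEPT-all.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# Empty the filter and nat tables (rules, then user-defined chains).
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

############################################
# USER CHAINS
############################################
# ALLOW_ICMP: ICMP types accepted in any direction (ping both ways,
# traceroute replies).  ICMP errors tied to a tracked connection -- e.g.
# "fragmentation needed", which path-MTU discovery depends on -- are not
# listed here because the RELATED rules below accept them.
iptables -N ALLOW_ICMP
iptables -A ALLOW_ICMP -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A ALLOW_ICMP -p icmp --icmp-type echo-request -j ACCEPT
iptables -A ALLOW_ICMP -p icmp --icmp-type time-exceeded -j ACCEPT

# LOG_DROP: log (rate-limited) then drop.  Without the limit every dropped
# packet is a syslog line, which turns a flood into a disk-filling attack.
iptables -N LOG_DROP
iptables -A LOG_DROP -m limit --limit 5/min --limit-burst 10 \
    -j LOG --log-prefix '[IPTABLES DROP] : '
iptables -A LOG_DROP -j DROP

# ANTISPOOF: a packet arriving from the Internet link with a loopback or
# RFC 1918 source address is forged (or a misconfiguration); drop it before
# any ACCEPT rule -- in particular the "trust the LAN" rules -- can see it.
iptables -N ANTISPOOF
for src in 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
    iptables -A ANTISPOOF -s "$src" -j LOG_DROP
done

############################################
# GENERIC STATE RULES
############################################
# Drop what conntrack cannot classify, refuse spoofed sources from the
# Internet, then accept every reply / related packet of a connection that
# was already allowed.  All later rules only have to deal with NEW.
for chain in INPUT OUTPUT FORWARD; do
    iptables -A "$chain" -m state --state INVALID -j DROP
done
iptables -A INPUT   -i "$NET" -j ANTISPOOF
iptables -A FORWARD -i "$NET" -j ANTISPOOF
for chain in INPUT OUTPUT FORWARD; do
    iptables -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
done

############################################
# LOOPBACK AND LAN
############################################
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# The LAN is fully trusted in both directions (firewall <-> LAN), as in the
# original; every LAN host can reach every service on the router.
iptables -A INPUT  -i "$LAN" -j ACCEPT
iptables -A OUTPUT -o "$LAN" -j ACCEPT
# Ping in and out on every interface, Internet included.
iptables -A INPUT  -p icmp -j ALLOW_ICMP
iptables -A OUTPUT -p icmp -j ALLOW_ICMP

############################################
# FIREWALL -> INTERNET
############################################
# Connections the router itself may open.  Replies come back through the
# ESTABLISHED,RELATED rule; FTP data connections (active: server port 20 ->
# us, passive: us -> high port) are RELATED via ip_conntrack_ftp.
iptables -A OUTPUT -o "$NET" -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o "$NET" -p tcp --dport 53 -m state --state NEW -j ACCEPT
# http, https, ftp control, pop3, imaps, smtp, nntp
iptables -A OUTPUT -o "$NET" -p tcp \
    -m multiport --dports 80,443,21,110,993,25,119 \
    -m state --state NEW -j ACCEPT

############################################
# LAN -> INTERNET
############################################
iptables -t nat -A POSTROUTING -o "$NET" -j MASQUERADE
# DNS for the LAN hosts
iptables -A FORWARD -i "$LAN" -o "$NET" -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i "$LAN" -o "$NET" -p tcp --dport 53 -m state --state NEW -j ACCEPT
# http, https, ftp control, pop3, imaps, smtp, nntp, ICQ (5190),
# eMule server/client ports (4661, 4662, 4242)
iptables -A FORWARD -i "$LAN" -o "$NET" -p tcp \
    -m multiport --dports 80,443,21,110,993,25,119,5190,4661,4662,4242 \
    -m state --state NEW -j ACCEPT

############################################
# INTERNET -> LAN (port forwards to $IPXP)
############################################
# ICQ direct connections and eMule's listening ports are DNAT'd to $IPXP.
# The FORWARD rules are pinned to that destination, so the DNAT is the
# only way in; nothing else on the LAN becomes reachable on these ports.
# NOTE(review): the original opened TCP 8090 in FORWARD while DNAT'ing
# UDP 8090, so that forward could never match; UDP is assumed to be the
# intended protocol (it is what the DNAT rule says) -- confirm against the
# eMule configuration on $IPXP.
iptables -t nat -A PREROUTING -i "$NET" -p tcp --dport 5190 -j DNAT --to "$IPXP:5190"
iptables -t nat -A PREROUTING -i "$NET" -p udp --dport 5190 -j DNAT --to "$IPXP:5190"
iptables -t nat -A PREROUTING -i "$NET" -p tcp --dport 8000 -j DNAT --to "$IPXP:8000"
iptables -t nat -A PREROUTING -i "$NET" -p udp --dport 8090 -j DNAT --to "$IPXP:8090"
iptables -A FORWARD -i "$NET" -o "$LAN" -d "$IPXP" -p tcp --dport 5190 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i "$NET" -o "$LAN" -d "$IPXP" -p udp --dport 5190 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i "$NET" -o "$LAN" -d "$IPXP" -p tcp --dport 8000 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i "$NET" -o "$LAN" -d "$IPXP" -p udp --dport 8090 -m state --state NEW -j ACCEPT
# Ping through the router in both directions.
iptables -A FORWARD -p icmp -j ALLOW_ICMP

############################################
# DEFAULT: LOG AND DROP
############################################
iptables -A INPUT   -j LOG_DROP
iptables -A OUTPUT  -j LOG_DROP
iptables -A FORWARD -j LOG_DROP

# Routing is switched on only now that the complete rule set is in place.
echo 1 > "$FORWARDING"
echo "Mise à jour des régles iptables de $NET <--> FIREWALL <--> $LAN"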
Ça peut te donner un bon exemple d'approche.
++ Nrv