firewall advice

Joe Cave Joe@tendocom.com
Wed, 3 Oct 2001 09:53:37 -0700


hello,
i have a basic firewall working but would like some suggestions on how
to improve its security a bit. i have a pretty basic understanding of
netfilter but unfortunately don't have enough time right now to do a lot
of the needed research to take things to the next level.

below is my current script. the only thing i really want to keep is the
tcp/udp variables so that i have an easy way to add/remove ports. this
box is my firewall/gateway for my internal lan. i have a static internet
address on eth0 and eth1 is bound to 10.0.0.1

all comments/suggestions/input is appreciated! thx & peace!

- joe

===========================================================
#!/bin/sh

# flush everything (filter, nat and mangle tables) and delete user chains
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X

# declare variables: comma-separated port lists for the multiport match
TCP_SERVICES="22,25,80,443,24347,3000,4000"
UDP_SERVICES="27015"

# set default chain policies: deny inbound and forwarded traffic by default
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# set basic firewall rules for services on local machine
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp -m multiport \
    --destination-port $TCP_SERVICES -j ACCEPT
iptables -A INPUT -m state --state NEW -p udp -m multiport \
    --destination-port $UDP_SERVICES -j ACCEPT
# log everything that has not matched so far
# (LAN packets reach this rule before the eth1 ACCEPT below, so they are logged too)
iptables -A INPUT -j LOG --log-prefix "ALERT"

# accept packets from internal lan
iptables -A INPUT -i eth1 -j ACCEPT

# set nat rules: rewrite the LAN's source address to the static eth0 address
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j SNAT \
    --to-source 64.166.81.250

# accept packets related to connections made by us
iptables -A FORWARD -i eth0 -o eth1 -s 0.0.0.0/0 -d 10.0.0.0/24 -m state \
    --state ESTABLISHED,RELATED -j ACCEPT

# accept packets from inside
iptables -A FORWARD -i eth1 -d 0.0.0.0/0 -j ACCEPT

# log unwanted attempts, not flooding the logfile
# (no --limit given, so the limit match uses its default average rate)
iptables -A FORWARD -m limit --limit-burst 1 -j LOG --log-level warning \
    --log-prefix "ALERT"

# eof
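The script above is the one Joe posted; what follows is an added example, not his script and not a reply from the list. It keeps the same layout (static address on eth0, 10.0.0.1 on eth1, the TCP/UDP port variables) and applies the tightening a reviewer would usually suggest: the LAN accept is placed before the logging rule so internal traffic is never logged as an "unwanted attempt", private source addresses arriving on the WAN side are dropped, INVALID conntrack states are discarded, and logging is rate-limited with an explicit `--limit`. The interface and network names, the `ipt` wrapper and the `DRY_RUN` switch are assumptions chosen for this example; `DRY_RUN=1` prints the commands instead of running them, so the ruleset can be inspected without root.

```shell
#!/bin/sh
# Added example (not the original poster's script). Assumed names: WAN_IF,
# LAN_IF, LAN_NET, WAN_IP, ipt(), build_rules(), DRY_RUN.
# usage:  sh gateway.sh show   (print the commands)   |   sh gateway.sh apply

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=10.0.0.0/24
WAN_IP=64.166.81.250          # static address from the original post
TCP_SERVICES="22,25,80,443,24347,3000,4000"
UDP_SERVICES="27015"

# ipt: run iptables, or print the command line when DRY_RUN=1
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # flush everything and start from deny-by-default
    ipt -F
    ipt -F -t nat
    ipt -F -t mangle
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # loopback and the internal LAN are trusted; accept them first so that
    # LAN traffic never falls through to the logging rule
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # anti-spoofing: the LAN prefix can never legitimately arrive on eth0
    ipt -A INPUT -i "$WAN_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # drop packets the connection tracker cannot classify (bad flag
    # combinations, stray ACKs) before any ACCEPT rule sees them
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A FORWARD -m state --state INVALID -j DROP

    # replies to connections we opened, plus RELATED (ICMP errors, FTP data)
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # published services on the gateway itself; -p must precede -m multiport
    ipt -A INPUT -p tcp -m state --state NEW -m multiport \
        --destination-port "$TCP_SERVICES" -j ACCEPT
    ipt -A INPUT -p udp -m state --state NEW -m multiport \
        --destination-port "$UDP_SERVICES" -j ACCEPT

    # log what is left at a bounded rate, then let the DROP policy handle it
    ipt -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG \
        --log-level warning --log-prefix "ALERT INPUT: "

    # source NAT for the LAN behind the static address
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT \
        --to-source "$WAN_IP"

    # forwarding: LAN may go out, only replies come back in
    ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG \
        --log-level warning --log-prefix "ALERT FORWARD: "
}

case "${1:-show}" in
    apply) build_rules ;;
    show)  DRY_RUN=1 build_rules ;;
    *)     echo "usage: $0 [show|apply]" >&2 ;;
esac
```

The rule order is the point of the example: trusted interfaces, then spoof and INVALID drops, then state and service accepts, and only then a rate-limited LOG that sits directly in front of the chain's DROP policy. Running `sh gateway.sh show | diff - <(sh gateway.sh show)` style comparisons against the live `iptables-save` output is a cheap way to check that what is loaded matches what the script intends.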