Here's a sample script (variations of this are possible, please keep it in mind):

# flush all existing rules
/sbin/iptables -F
/sbin/iptables -t nat -F
/sbin/iptables -t mangle -F

# default policy: drop
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT DROP
/sbin/iptables -P FORWARD DROP

# enable related,established connections
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# (b)
# Port 25 SMTP:
# - Allow SMTP traffic to 192.168.0.100
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -i eth0 -j DNAT --to 192.168.0.100:25
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 25 -j ACCEPT

# Port 80 HTTP:
# - Allow HTTP traffic to 192.168.0.100
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.0.100:80
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 80 -j ACCEPT

# Port 443 HTTPS:
# - Allow HTTPS traffic to 192.168.0.100
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.0.100:443
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 443 -j ACCEPT

# (c) Allow Ubuntu to connect to external mail servers on port 555
# (no need to specify a destination IP, but it's fine if you set it to the RH IP)
/sbin/iptables -A FORWARD -p tcp --dport 555 -s 192.168.0.100 -j ACCEPT

# (d) Allow 192.168.0.80 to ssh and ftp into the firewall.
# No other access into the firewall is permitted (covered by the INPUT DROP policy above).
/sbin/iptables -A INPUT -p tcp --dport 22 -s 192.168.0.80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -s 192.168.0.80 -j ACCEPT

# (e) Allow 10.10.10.130,131 (outside the local network) to ftp and ssh into the web/mail
# server by using ports 3344 and 3345 respectively on the external side of the firewall.
# - ssh: external port 3345 -> 192.168.0.100:22
/sbin/iptables -t nat -A PREROUTING -p tcp -s 10.10.10.130 --dport 3345 -i eth0 -j DNAT --to 192.168.0.100:22
/sbin/iptables -t nat -A PREROUTING -p tcp -s 10.10.10.131 --dport 3345 -i eth0 -j DNAT --to 192.168.0.100:22
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 22 -j ACCEPT
# - ftp: external port 3344 -> 192.168.0.100:21
/sbin/iptables -t nat -A PREROUTING -p tcp -s 10.10.10.130 --dport 3344 -i eth0 -j DNAT --to 192.168.0.100:21
/sbin/iptables -t nat -A PREROUTING -p tcp -s 10.10.10.131 --dport 3344 -i eth0 -j DNAT --to 192.168.0.100:21
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 21 -j ACCEPT

# (f) The CEO has a windows box inside the private network (192.168.0.70).
# The CEO (with fixed IP 10.10.10.132) would like to have remote desktop access to his desktop on port 7784.
# The DNAT target must be the same host as the FORWARD -d address (192.168.0.70),
# otherwise the forwarded packets never match the ACCEPT rule and are dropped.
/sbin/iptables -t nat -A PREROUTING -s 10.10.10.132 -p tcp --dport 7784 -i eth0 -j DNAT --to 192.168.0.70:7784
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.70 --dport 7784 -j ACCEPT
# OR, if the desktop listens on the default Remote Desktop port 3389:
/sbin/iptables -t nat -A PREROUTING -s 10.10.10.132 -p tcp --dport 7784 -i eth0 -j DNAT --to 192.168.0.70:3389
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.70 --dport 3389 -j ACCEPT

# (h) Finally, imagine that the only routable IP is 10.10.10.10.
# All internal machines should share this IP for Internet traffic.
# - We only allow (http,https) to be the Internet traffic
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 10.10.10.10
# - Allow http
/sbin/iptables -A FORWARD -s 192.168.0.0/255.255.255.0 -p tcp --dport 80 -j ACCEPT
# - Allow https
/sbin/iptables -A FORWARD -s 192.168.0.0/255.255.255.0 -p tcp --dport 443 -j ACCEPT
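Every port-forward in a script of this shape is really two rules: a PREROUTING DNAT that rewrites the destination, and a FORWARD ACCEPT for the rewritten destination. With the FORWARD policy set to DROP, a DNAT whose target IP or port does not match any FORWARD rule is silently dropped, and that is exactly the kind of mistake that creeps in when a rule pair is copied and the address is edited in only one line. The following check is an added example, not part of the sample script above: it reads a saved rules file and reports any DNAT target with no matching FORWARD ACCEPT. The sample rule sets it checks are constructed for the demonstration, and the function assumes the script's own spelling of the rules (`--to IP:PORT` on DNAT rules, `-d IP ... --dport PORT ... -j ACCEPT` on FORWARD rules); it is a consistency heuristic, not a full iptables parser.

```shell
#!/bin/sh
# Added example: cross-check a saved iptables script so that every
# PREROUTING DNAT target (IP:PORT) has a FORWARD ACCEPT rule for the same
# destination IP and port. Under a FORWARD DROP policy, a DNAT without its
# FORWARD rule never passes traffic.

# check_dnat_forward FILE
# Prints one line per DNAT target lacking a FORWARD ACCEPT; exit status 0 if none.
# Assumption: DNAT rules use "--to IP:PORT" and FORWARD rules use "-d IP" and
# "--dport PORT" (the forms used in the script above).
check_dnat_forward() {
    awk '
    /-j DNAT/ && match($0, /--to [0-9.]+:[0-9]+/) {
        # drop the leading "--to " (5 characters) from the matched text
        dnat[substr($0, RSTART + 5, RLENGTH - 5)] = 1
    }
    /-A FORWARD/ && /-j ACCEPT/ {
        ip = ""; port = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-d") ip = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
        }
        if (ip != "" && port != "") fwd[ip ":" port] = 1
    }
    END {
        bad = 0
        for (t in dnat) if (!(t in fwd)) {
            print "DNAT to " t " has no FORWARD ACCEPT rule"
            bad = 1
        }
        exit bad
    }' "$1"
}

# Constructed sample rule sets (not a real firewall): one consistent, one with
# a copy/paste mismatch between the DNAT target and the FORWARD -d address.
sample_dir=$(mktemp -d)
cat > "$sample_dir/good.rules" <<'EOF'
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 25 -i eth0 -j DNAT --to 192.168.0.100:25
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 25 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp -s 10.10.10.130 --dport 3345 -i eth0 -j DNAT --to 192.168.0.100:22
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 22 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.0.0/255.255.255.0 -p tcp --dport 80 -j ACCEPT
EOF
cat > "$sample_dir/bad.rules" <<'EOF'
/sbin/iptables -t nat -A PREROUTING -s 10.10.10.132 -p tcp --dport 7784 -i eth0 -j DNAT --to 192.168.0.23:7784
/sbin/iptables -A FORWARD -p tcp -d 192.168.0.70 --dport 7784 -j ACCEPT
EOF

check_dnat_forward "$sample_dir/good.rules" && echo "good.rules: every DNAT has its FORWARD rule"
check_dnat_forward "$sample_dir/bad.rules" || echo "bad.rules: fix the mismatch before loading"
```

Run it as `check_dnat_forward /path/to/firewall.sh` before loading the script; a non-zero exit status means at least one port-forward would be dropped. Rules written with the long form `--to-destination`, with port ranges, or with the FORWARD destination expressed as a subnet are outside what this heuristic recognises and would need the patterns extended.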