This is my iptables config stored under /etc/sysconfig/iptables :
(eth0 = WAN if, eth1 = LAN if)
You’ll notice 192.168.1.16 is allowed to connect to any services
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Basic protections against syn floods and other stuff
-A FORWARD -p tcp –syn -m limit –limit 1/s -j ACCEPT
-A FORWARD -p tcp –tcp-flags SYN,ACK,FIN,RST RST -m limit –limit 1/s -j ACCEPT
-A FORWARD -p icmp –icmp-type echo-request -m limit –limit 1/s -j ACCEPT
# Block MSN
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp –dport 1863 -j DROP
-I FORWARD -s 192.168.1.0/24 -p tcp -m tcp –dport 1863 -j LOG –log-prefix “MESSENGER MSN > ”
-I FORWARD -s 192.168.1.16 -p tcp -m tcp –dport 1863 -j ACCEPT
# Block AIM/ICQ
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j DROP
-I FORWARD -s 192.168.1.0/24 -d 64.12.25.0/22 -j LOG –log-prefix “MESSENGER ICQ/AIM > ”
-I FORWARD -s 192.168.1.16 -d 64.12.25.0/22 -j ACCEPT
# Block Yahoo IM
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j DROP
-I FORWARD -s 192.168.1.0/24 -d 216.155.193.0/22 -j LOG –log-prefix “MESSENGER YIM > ”
-I FORWARD -s 192.168.1.16 -d 216.155.193.0/22 -j ACCEPT
# Allowing anything else
-A FORWARD -i eth1 -o eth0 -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state –state ESTABLISHED,RELATED -j ACCEPT
Read more at Sébastien Wains homepage
