Hi guys, I'm working on a firewall with a transparent proxy (tinyproxy) and a content filter (DansGuardian).

This is my network scheme:
Subnet 192.168.10.0/24 <---> 192.168.1.1 [Firewall] 192.168.1.2 <--(point2point)--> 192.168.1.1 CISCO Router (locked by ISP)

Now I have to write down some iptables rules to make everything work. Unfortunately I have to be sure that my code is error-free, as I'm on a server of a public association and I cannot stop any service for more than a bunch of seconds.

So here's the code:
Code:
#This is the content of a sh executable loaded on boot 
 
IF_LAN="eth0" 
IF_EXT="eth1" 
PROXY_PORT="8080" 
 
iptables -F  
iptables -X  
iptables -P INPUT DROP 
iptables -P OUTPUT DROP 
iptables -P FORWARD DROP  
 
# Allow lan traffic to be accepted 
iptables -A INPUT -s 192.168.10.0/24 -i $IF_LAN -j ACCEPT  
 
# Allow 80, 443, 53 destinated traffic to be forwarded 
iptables -A FORWARD -s 192.168.10.0/24 -i $IF_LAN -o $IF_EXT  \
-j ACCEPT -p tcp -m multiport --dports 80,443 --sport 1024:65535                 
iptables -A FORWARD -p udp -i $IF_LAN -o $IF_EXT --dport 53 --sport 1024:65535 -j ACCEPT 
iptables -A FORWARD -p udp -i $IF_EXT -o $IF_LAN --sport 53 --dport 1024:65535 -j ACCEPT 
 
# Allow response from firewall to go back 
iptables -A INPUT -i $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT 
 
# I wonder if MASQ is needed and I don't know why this line is here 
iptables -t nat -A POSTROUTING -o $IF_LAN -j MASQUERADE 
 
# Allow answers to the lan 
iptables -A OUTPUT -d 192.168.10.0/24 -o $IF_LAN -m state --state ESTABLISHED,RELATED -j ACCEPT 
 
# Allow  connection to the world from the firewall itself 
iptables -A OUTPUT -o $IF_EXT -j ACCEPT 
 
# Open SSH port for administration 
iptables -A INPUT -i $IF_LAN -p tcp --dport 22 -j ACCEPT 
iptables -A INPUT -i $IF_EXT -p tcp --dport 22 -j ACCEPT 
 
# Allow tinyproxy to communicate with the www, as it runs as nobody 
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT 
 
# Redirecting everything outgoing to 80, to the content filter / transparent proxy 
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT

I have some questions on what I found around the web (I'm too much of a noob at iptables):
What does masquerading this way mean? (Does output on the LAN need masq???)
Using a proxy in this transparent way for port 80 traffic, will this avoid using masquerading for all kinds of traffic, or do I need to masquerade the subnet in POSTROUTING?

So anybody who wants to help, please correct this piece of bad code.
Thank you all!
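A reworked version of the script above, added here as an example; it is not the poster's script nor a reply from the thread. It keeps the interface names, subnet and proxy port from the post and makes the changes a reviewer would normally suggest for this layout: stateful matching with the conntrack module, the transparent-proxy REDIRECT placed in nat PREROUTING on the LAN interface instead of nat OUTPUT, and MASQUERADE on the external interface for forwarded LAN traffic only. The `ipt` wrapper, the `DRY_RUN` mode and the `apply` argument are conventions of this example, not of iptables.

```sh
#!/bin/sh
# Added example (not the poster's script): stateful ruleset for a firewall that
# runs a transparent proxy for LAN web traffic. Interface names, subnet and
# proxy port come from the post; the ipt wrapper and DRY_RUN mode are this
# example's own convention. Run as "./fw.sh apply" to load the rules; with no
# argument the iptables commands are only printed for review.

IF_LAN="eth0"
IF_EXT="eth1"
LAN_NET="192.168.10.0/24"
PROXY_PORT="8080"

# ipt: print the command in dry-run mode, otherwise execute iptables
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

reset_tables() {
    ipt -F
    ipt -X
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP
}

input_rules() {
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections the firewall itself opened (proxy fetches, DNS, updates)
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Redirected port-80 flows from the LAN arrive locally with dport PROXY_PORT
    ipt -A INPUT -i "$IF_LAN" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    # SSH for administration; the post opens it on both sides, so both are kept
    ipt -A INPUT -i "$IF_LAN" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i "$IF_EXT" -p tcp --dport 22 -j ACCEPT
}

forward_rules() {
    # One stateful rule replaces the hand-written reverse UDP rule for DNS replies
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # HTTPS and DNS from the LAN are routed directly; port 80 never reaches FORWARD
    # because PREROUTING has already redirected it to the local proxy
    ipt -A FORWARD -i "$IF_LAN" -o "$IF_EXT" -s "$LAN_NET" -p tcp --dport 443 -j ACCEPT
    ipt -A FORWARD -i "$IF_LAN" -o "$IF_EXT" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
}

output_rules() {
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The firewall itself (tinyproxy, resolver, package updates) may connect outward
    ipt -A OUTPUT -o "$IF_EXT" -j ACCEPT
}

nat_rules() {
    # Transparent proxy: LAN traffic to port 80 is diverted to the local proxy
    # before routing, so it is matched in PREROUTING, not in OUTPUT
    ipt -t nat -A PREROUTING -i "$IF_LAN" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
    # Source NAT only for forwarded LAN traffic leaving the external interface;
    # the proxy's own connections already carry the firewall's address
    ipt -t nat -A POSTROUTING -o "$IF_EXT" -s "$LAN_NET" -j MASQUERADE
}

apply_rules() {
    reset_tables
    input_rules
    forward_rules
    output_rules
    nat_rules
}

if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0
else
    DRY_RUN=1
fi
apply_rules
```

With the redirect in PREROUTING, only packets arriving on the LAN interface are diverted; the proxy's own outbound connections traverse nat OUTPUT, not PREROUTING, so they are never looped back into the proxy and the `--uid-owner nobody` exemption from the post is not needed. MASQUERADE belongs on the interface where forwarded traffic leaves toward the upstream router; a MASQUERADE on `-o eth0` would rewrite the source of replies heading back into the LAN and serves no purpose here. Because FORWARD does not accept port 80, the setup fails closed: if the proxy is down, LAN web traffic stops instead of bypassing the content filter.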