Currently the NAT host and respective clients are able to access any service. I'd like the NAT host (the device running iptables) to only be able to access HTTP(S), DNS and send/respond to ICMP requests.
I would like the internal clients behind $INTIF to only access HTTP(S) and DNS. I tried multiport but I had little luck. I'm open to other suggestions.
*nat
-A POSTROUTING -o "$EXTIF" -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth1 -p tcp --sport 1024:65535 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i "$INTIF" -p udp --dport 53 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "input denied: " --log-level 7
-A FORWARD -i "$EXTIF" -o "$INTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i "$INTIF" -o "$EXTIF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i "$INTIF" -o "$EXTIF" -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "forward denied: " --log-level 7
-A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "output denied: " --log-level 7
COMMIT
Remove "NEW" from the second FORWARD rule (this is what is accepting all outgoing connections).
The third and fourth forward rules should be something like
As an aside, your default INPUT policy is accept, so after logging "input denied" the packet is accepted anyway.
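For reference, here is a complete ruleset that implements what the question asks for: the NAT host itself limited to HTTP(S), DNS and ICMP, clients behind the LAN interface limited to HTTP(S) and DNS, and no blanket NEW rule anywhere. This is an added example written for this page, not the answerer's or the asker's code. The interface names eth0/eth1 are assumptions (override them with EXTIF/INTIF), and, like the question's INPUT rule for UDP 53, it assumes the NAT host runs a resolver that the clients query. Because iptables-restore does not expand shell variables, the script substitutes them itself and then pipes the result in.

```sh
#!/bin/sh
# Added example (not the answerer's code): a complete iptables-restore ruleset
# implementing the restrictions asked for above. Interface names are assumptions;
# set EXTIF/INTIF in the environment to match your host.
EXTIF="${EXTIF:-eth0}"   # assumed WAN side
INTIF="${INTIF:-eth1}"   # assumed LAN side

# Print the ruleset with the interface names filled in. iptables-restore does not
# expand shell variables, so the substitution has to happen here, before piping.
gen_rules() {
    ext=$1
    int=$2
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $ext -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# INPUT: loopback, replies, SSH and DNS from the LAN (host runs the resolver), pings.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $int -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $int -p udp --dport 53 -j ACCEPT
-A INPUT -i $int -p tcp --dport 53 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "input denied: " --log-level 7
# FORWARD: clients may only open HTTP(S) and DNS; replies ride on conntrack.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $int -o $ext -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $int -o $ext -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $int -o $ext -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "forward denied: " --log-level 7
# OUTPUT: the NAT host itself gets HTTP(S), DNS and ICMP only; no blanket NEW rule.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "output denied: " --log-level 7
COMMIT
EOF
}

# Only touch the kernel when asked: "./nat-rules.sh apply" (as root).
# "./nat-rules.sh check" parses the ruleset without loading it.
case "${1:-}" in
    apply) gen_rules "$EXTIF" "$INTIF" | iptables-restore ;;
    check) gen_rules "$EXTIF" "$INTIF" | iptables-restore --test ;;
esac
```

Run it with "check" first; iptables-restore --test parses and builds the ruleset without committing it, so a typo shows up before you lock yourself out of SSH. Note that the ESTABLISHED,RELATED rule is the only unconditional ACCEPT in each chain and every other ACCEPT is pinned to --ctstate NEW on a specific protocol and port, which is the point the answer makes about removing NEW from the catch-all rule. multiport only works after the protocol has been fixed with -p tcp (or udp), so keep -p ahead of -m multiport. These rules cover IPv4 only; if the host has IPv6 connectivity, an equivalent ip6tables ruleset is needed or that traffic bypasses all of this.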